MITRE ATT&CK® Analytic

AN1218: Analytic 1218

Detects movement of binaries to `~/Library/`, `/System/`, or app bundle locations, especially after initial execution or download from Safari or Mail.

Domain: Enterprise. Object: AN1218 (Analytic), version 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because unexpected movement of binaries into macOS Library, System, or application bundle locations can be an early sign that software is trying to persist, blend into trusted paths, or stage itself after a user-driven download or first execution. For leaders, the decision value is whether macOS endpoint monitoring can explain how files arrived in sensitive locations, especially from common user entry points such as Safari or Mail.

Executive priority

Prioritize this as a macOS endpoint visibility and incident triage control question: can the organization prove when binaries are moved into user Library, System, or app bundle paths, and can responders connect that movement to downloads or initial execution? This supports resilience, audit evidence, and response speed, but the supplied ATT&CK object does not specify a tactic, related technique, or confirmed mitigation, so prioritization should be based on local macOS exposure and endpoint telemetry maturity.

Technical view

SOC and detection teams should validate monitoring for file creation, rename, move, and modification events involving binaries placed under ~/Library/, /System/, and application bundle locations on macOS. The analytic specifically calls out higher-interest context when movement follows initial execution or download activity from Safari or Mail. Because no official detection logic is provided, teams should develop and tune environment-specific logic that correlates file movement, process lineage, download source, user context, signing/notarization metadata where available, and timing after browser or mail activity.

Likely telemetry

  • macOS file system events for binary creation, rename, move, and modification
  • Endpoint process execution and parent-child process lineage
  • Browser and mail client download-related activity, especially Safari and Mail
  • File path metadata for ~/Library/, /System/, and application bundle locations
  • File ownership, timestamp, and user context

Detection direction

  • Validate that macOS endpoint telemetry captures file movement into ~/Library/, /System/, and app bundle paths, not only process execution.
  • Correlate suspicious file movement with recent Safari or Mail downloads and first execution events to reduce noise.
  • Tune for legitimate software updates, application installers, enterprise management tools, and developer workflows that commonly write to application bundle or Library paths.
  • Review blind spots around user-level Library paths, renamed binaries, app bundle internals, and endpoints where file event collection is disabled or sampled.
  • Because no ATT&CK relationship context or official detection query is supplied, treat this as a detection engineering pattern requiring local baselining rather than a ready-to-deploy rule.
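As an added illustration of the correlation pattern described above (this is not Glexia's or MITRE's code, and AN1218 ships no official query), the Python below flags moves of a binary into the paths the analytic names only when the same user downloaded that file through Safari or Mail shortly before, and records whether it was executed first. The event schema, field names, sample events and the 15-minute window are all assumptions to be replaced with local telemetry and baselines.

```python
import re
from datetime import datetime, timedelta

# Destination patterns AN1218 names: user Library, /System, and app bundle internals.
SENSITIVE_DESTINATIONS = [re.compile(r"^/Users/[^/]+/Library/"),
                          re.compile(r"^/System/"), re.compile(r"\.app/Contents/")]
DOWNLOAD_SOURCES = {"Safari", "Mail"}   # user entry points the analytic highlights
WINDOW = timedelta(minutes=15)          # assumed correlation window; tune locally

def is_sensitive_destination(path):
    return any(p.search(path) for p in SENSITIVE_DESTINATIONS)

def correlate_moves(events):
    """Alert on moves of a binary into a sensitive path when the same user
    downloaded that file via Safari/Mail within WINDOW; note first execution.
    Events are constructed dicts: ts (ISO 8601), type, user, proc, path/src/dst."""
    downloads = {}    # (user, path) -> (download time, source app)
    executed = set()  # (user, path) pairs that have already run
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "download" and ev["proc"] in DOWNLOAD_SOURCES:
            downloads[(ev["user"], ev["path"])] = (ts, ev["proc"])
        elif ev["type"] == "exec":
            executed.add((ev["user"], ev["path"]))
        elif ev["type"] == "move" and is_sensitive_destination(ev["dst"]):
            key = (ev["user"], ev["src"])
            dl = downloads.get(key)
            if dl and ts - dl[0] <= WINDOW:   # correlated: download -> (exec) -> move
                alerts.append({"user": ev["user"], "proc": ev["proc"], "dst": ev["dst"],
                               "source": dl[1], "executed_first": key in executed})
    return alerts

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "type": "download", "user": "alice", "proc": "Safari",
     "path": "/Users/alice/Downloads/helper"},
    {"ts": "2024-05-01T10:01:30", "type": "exec", "user": "alice", "proc": "helper",
     "path": "/Users/alice/Downloads/helper"},
    {"ts": "2024-05-01T10:02:00", "type": "move", "user": "alice", "proc": "helper",
     "src": "/Users/alice/Downloads/helper", "dst": "/Users/alice/Library/LaunchAgents/helper"},
    # Installer writing into an app bundle with no preceding Safari/Mail download: observed, not alerted.
    {"ts": "2024-05-01T10:05:00", "type": "move", "user": "root", "proc": "installd",
     "src": "/private/tmp/pkg/Foo", "dst": "/Applications/Foo.app/Contents/MacOS/Foo"},
]
```

The installer move is still a sensitive-path write and should be kept as an observation for baselining; only the download-correlated move is promoted to an alert.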

Mitigation priorities

  • Ensure macOS endpoint logging and EDR policies collect file movement and process context for the specified paths.
  • Baseline approved software installation, update, and management behavior to support alert triage.
  • Restrict or monitor unauthorized changes to sensitive system and application locations where organizational policy allows.
  • Strengthen user download and attachment handling controls for browser and mail workflows.
  • Document coverage and known telemetry gaps for compliance and incident response readiness.

Analyst notes and limits

The supplied object is a detection analytic, AN1218, for macOS. It describes detecting movement of binaries to ~/Library/, /System/, or app bundle locations, especially after initial execution or download from Safari or Mail. No tactics, relationships, labels, aliases, or official detection logic were supplied, so this take focuses on defensive validation and telemetry requirements rather than ATT&CK technique mapping.

This assessment is limited to the official STIX fields, external reference, and lack of relationship context provided. It does not establish active exploitation, adversary attribution, impact, or guaranteed detection coverage. Local endpoint configuration, macOS fleet profile, software management practices, and logging depth are required to determine risk and implement reliable detections.

Official MITRE ATT&CK definition

Analytic 1218

Detects movement of binaries to `~/Library/`, `/System/`, or app bundle locations, especially after initial execution or download from Safari or Mail.

View the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created
Modified
Raw hash: a2c103c366ac2977...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | a2c103c366ac…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN1218 (source URL).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.