AN1251: Analytic 1251

Detects suspicious changes to macOS authorization and PAM plugin files. Correlates file modifications under /etc/pam.d/ or /Library/Security/SecurityAgentPlugins with unexpected authentication attempts or anomalous account usage.

EnterpriseAN1251AnalyticObject v1.0 Modified Oct 21, 2025, 15:10 UTC (UTC+00:00)

This analytic matters because changes to macOS authentication control files can indicate that sign-in behavior or authorization checks have been altered. For leaders, the practical question is whether the organization can quickly prove when privileged authentication paths on macOS endpoints change and whether those changes align with approved administration.

Executive priority

Prioritize this where macOS systems support executives, administrators, developers, or other sensitive users. The business value is auditability and incident readiness: security teams should be able to distinguish approved authentication configuration changes from suspicious changes that may affect account control, access governance, and response decisions.

Technical view

AN1251 is a macOS-focused detection analytic for suspicious modifications under /etc/pam.d/ and /Library/Security/SecurityAgentPlugins, correlated with unexpected authentication attempts or anomalous account usage. SOC and detection teams should validate that file modification telemetry for these paths is collected, time-correlated with authentication activity, and reviewed against known administrative change windows or endpoint management activity.

Likely telemetry

macOS file modification events for /etc/pam.d/
macOS file modification events for /Library/Security/SecurityAgentPlugins
Authentication attempt logs from macOS systems
Account usage or login activity associated with affected hosts
Change management or endpoint administration records for expected authentication configuration updates

Detection direction

Alert on modifications to the specified macOS authentication and SecurityAgent plugin paths, especially when the modifying process, user, or timing is unexpected.
Correlate file changes with unusual authentication attempts or anomalous account usage as described by the analytic, rather than treating every file change as malicious.
Tune for legitimate operating system updates, approved security tooling, and authorized administrator changes to reduce false positives.
Validate coverage on macOS endpoints specifically; this analytic does not support conclusions about other platforms from the supplied fields.

Mitigation priorities

Establish approved-change baselines for macOS authentication and authorization configuration files.
Restrict and monitor administrative access capable of modifying the identified paths.
Ensure endpoint logging retains file modification and authentication evidence long enough for investigation.
Include these paths in incident response triage for macOS authentication anomalies.
Use change management evidence to support audit and compliance questions about privileged authentication configuration changes.

Analyst notes and limits

No ATT&CK tactic, technique relationship, or separate official detection logic was supplied. The take is therefore focused on the stated analytic behavior: detecting suspicious macOS authorization and PAM plugin file changes and correlating them with authentication or account activity.

This summary does not infer adversary use, impact, attribution, or detection completeness. Local environment baselines, macOS logging configuration, endpoint management practices, and change records are required to determine whether observed changes are suspicious.

Official MITRE ATT&CK definition

Analytic 1251

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Raw hash: 93d2688b3a498c4f...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Oct 21, 2025, 15:10 UTC (UTC+00:00)	Current bundle	`93d2688b3a49…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN1251
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use