AN1273: Analytic 1273
Hidden file system use through APFS containers or custom plist configuration. Defender view: anomalous use of hdiutil or diskutil to attach hidden partitions, modification of plist entries tied to system volumes, or suspicious raw disk access.
Analyst context for executives and security teams
This analytic points to a macOS persistence or concealment concern: hidden file system use through APFS containers or custom plist configuration. For leaders, the practical issue is whether security teams can see unusual disk attachment, system volume configuration changes, and raw disk access on managed Macs before those changes become an incident response blind spot.
Executive priority
Prioritize this where macOS systems support privileged users, developers, administrators, executives, or regulated workflows. The business decision is not just whether endpoint tooling is deployed, but whether it provides audit-quality visibility into disk utilities, plist changes tied to system volumes, and raw disk access. This matters for incident scoping, compliance evidence, and resilience because hidden storage or volume manipulation can complicate containment and forensic review.
Technical view
For SOC, detection engineering, and IR teams, validate macOS telemetry around anomalous use of hdiutil or diskutil to attach hidden partitions, modification of plist entries tied to system volumes, and suspicious raw disk access. Because the ATT&CK object provides no formal detection logic and no tactics, treat this as a coverage-validation analytic rather than a ready-to-deploy rule. Baseline legitimate administrative and imaging activity before alerting broadly.
Likely telemetry
- macOS process execution events for hdiutil and diskutil
- Command-line arguments for disk and image management utilities
- File modification events for plist entries tied to system volumes
- Endpoint telemetry indicating APFS container or partition attachment activity
- Raw disk access events where available from endpoint or system monitoring
Detection direction
- Confirm whether endpoint logging captures hdiutil and diskutil execution with command-line detail on macOS.
- Tune for anomalous or rare disk attachment activity, especially hidden partitions or unexpected APFS container use.
- Monitor plist modifications associated with system volumes, while accounting for legitimate OS updates, device management, and administrative maintenance.
- Review whether raw disk access is visible at all; lack of this telemetry is a material blind spot for this analytic.
- Correlate process, file modification, and administrative context rather than relying on utility name alone, because disk utilities can be used legitimately.
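The telemetry list and detection direction above describe correlating disk-utility execution, plist modification and raw disk access per user rather than alerting on a utility name alone. The following is an added example, not part of the ATT&CK object or the Glexia analysis, that runs that logic over a few constructed endpoint events. The event field names, the baselined parent process path (an MDM agent), the watched plist prefixes and the 30-minute correlation window are all assumptions for illustration; `hdiutil attach -nobrowse` and `-mountpoint` and `diskutil apfs addVolume` are real command forms, while the paths and users in the sample events are constructed.

```python
"""Added example: correlate constructed macOS endpoint events for AN1273-style review.

Rules implemented (assumptions for this example, not official ATT&CK detection logic):
  - hdiutil attach with -nobrowse or a mountpoint outside /Volumes  -> hidden_image_attach
  - diskutil apfs addVolume                                          -> apfs_volume_added
  - any argument naming /dev/diskN or /dev/rdiskN                     -> raw_disk_access
  - .plist written under a watched system-volume-related prefix       -> system_volume_plist_modified
Findings whose parent is a baselined admin agent are kept for audit at "info" severity.
A user with two or more distinct non-info rules inside the window is escalated.
"""
import re
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_PARENTS = {"/usr/libexec/mdmclient"}  # assumption: your MDM agent binary
WATCHED_PLIST_PREFIXES = ("/Library/Preferences/SystemConfiguration/", "/System/Volumes/")  # assumption
RAW_DEV_RE = re.compile(r"/dev/r?disk\d+")

# Constructed sample events; the schema is an assumption, not a vendor format.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:01Z", "type": "process", "user": "root",
     "parent": "/usr/libexec/mdmclient", "cmd": "/usr/bin/hdiutil attach /tmp/package.dmg"},
    {"ts": "2024-05-01T10:15:00Z", "type": "process", "user": "jdoe", "parent": "/bin/bash",
     "cmd": "/usr/bin/hdiutil attach -nobrowse -mountpoint /Users/jdoe/.cache/m /Users/jdoe/.cache/x.dmg"},
    {"ts": "2024-05-01T10:16:30Z", "type": "process", "user": "jdoe", "parent": "/bin/bash",
     "cmd": "/usr/sbin/diskutil apfs addVolume disk1 APFS Extra"},
    {"ts": "2024-05-01T10:17:10Z", "type": "file_modify", "user": "jdoe",
     "path": "/Library/Preferences/SystemConfiguration/example.plist"},
    {"ts": "2024-05-01T11:00:00Z", "type": "process", "user": "jdoe", "parent": "/bin/bash",
     "cmd": "/bin/dd if=/dev/rdisk1s5 of=/Users/jdoe/out.bin bs=1m"},
    {"ts": "2024-05-01T11:30:00Z", "type": "process", "user": "jdoe", "parent": "/bin/bash",
     "cmd": "/bin/ls -la"},
]


def classify_process(cmd):
    """Return [(rule_name, severity), ...] for one command line."""
    argv = shlex.split(cmd)
    if not argv:
        return []
    tool, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    hits = []
    if tool == "hdiutil" and "attach" in args:
        mountpoint = None
        if "-mountpoint" in args:
            i = args.index("-mountpoint")
            mountpoint = args[i + 1] if i + 1 < len(args) else None
        if "-nobrowse" in args or (mountpoint and not mountpoint.startswith("/Volumes/")):
            hits.append(("hidden_image_attach", "high"))
        else:
            hits.append(("image_attach", "low"))
    if tool == "diskutil" and "apfs" in args and "addVolume" in args:
        hits.append(("apfs_volume_added", "medium"))
    if any(RAW_DEV_RE.search(a) for a in args):
        hits.append(("raw_disk_access", "high"))
    return hits


def classify_file(path):
    """Flag plist writes under the watched system-volume-related prefixes."""
    if path.endswith(".plist") and path.startswith(WATCHED_PLIST_PREFIXES):
        return [("system_volume_plist_modified", "medium")]
    return []


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, window=timedelta(minutes=30)):
    """Classify events, baseline known admin parents, escalate multi-rule clusters per user."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            hits, detail = classify_process(ev["cmd"]), ev["cmd"]
        elif ev["type"] == "file_modify":
            hits, detail = classify_file(ev["path"]), ev["path"]
        else:
            continue
        for rule, sev in hits:
            if ev.get("parent") in ALLOWED_PARENTS:
                sev = "info"  # baselined administrative tooling: retain for audit, do not alert
            findings.append({"ts": parse_ts(ev["ts"]), "user": ev["user"], "rule": rule,
                             "severity": sev, "detail": detail, "escalated": False})
    by_user = defaultdict(list)
    for f in findings:
        if f["severity"] != "info":
            by_user[f["user"]].append(f)
    for fs in by_user.values():
        for f in fs:
            nearby_rules = {g["rule"] for g in fs if abs(g["ts"] - f["ts"]) <= window}
            if len(nearby_rules) >= 2:
                f["escalated"] = True
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        flag = "ESCALATED" if f["escalated"] else f["severity"]
        print(f"{f['ts']:%H:%M:%S} {f['user']:<6} {f['rule']:<30} {flag:<10} {f['detail']}")
```

On the sample input the MDM-driven attach is retained at info severity, the three jdoe events within the window (hidden attach, APFS volume creation, plist write) are escalated together, and the later raw disk read stays a stand-alone high finding because it falls outside the window. The raw-disk rule only fires if the endpoint tooling actually records the command line, which is the blind spot the detection direction above calls out.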
Mitigation priorities
- Maintain managed macOS endpoint visibility capable of process, command-line, file modification, and disk activity collection.
- Restrict privileged administrative access needed to alter system volume configuration or perform raw disk operations.
- Document approved disk imaging, partitioning, APFS, and plist-management workflows so detection teams can distinguish maintenance from anomalies.
- Use change management and MDM policy evidence to support investigation and compliance review where system volume settings are modified.
- Include hidden storage and volume manipulation checks in macOS incident response playbooks.
Analyst notes and limits
This is a detection analytic object for enterprise ATT&CK, scoped to macOS, with an official description focused on hidden file system use through APFS containers or custom plist configuration. No relationship context, tactics, aliases, or official detection logic were supplied, so recommendations are framed as validation and telemetry direction rather than a specific detection rule.
The supplied ATT&CK fields do not identify associated techniques, tactics, adversaries, campaigns, or active exploitation. Detection feasibility depends on local macOS logging, endpoint tooling, privilege controls, and knowledge of legitimate administrative disk activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | faca112868d3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1273 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.