AN1346: Analytic 1346
Behavioral chain: (1) third-party interactive login or mobileconfig-based device enrollment; (2) privilege use or admin group change; (3) lateral movement mounts/ssh. Correlate unified logs and network telemetry.
Analyst context for executives and security teams
AN1346 is a macOS-focused detection analytic for spotting a suspicious chain of events: third-party interactive login or mobileconfig-based device enrollment, followed by privilege use or admin group change, and then lateral movement activity such as mounts or SSH. Its business value is correlation: each event may be explainable alone, but together they can indicate a higher-risk identity, device management, or movement pattern that warrants investigation.
Executive priority
Prioritize this analytic where macOS endpoints, device enrollment workflows, admin privilege changes, and SSH or network mount activity are material to business operations. Leaders should ask whether security teams can reconstruct this sequence across endpoint, unified log, identity/admin-change, and network data. The main decision value is readiness: if these data sources are incomplete or siloed, incident responders may miss the transition from initial access or enrollment abuse into privileged activity and lateral movement.
Technical view
For SOC and detection engineering teams, validate correlation across three event groups on macOS: interactive third-party login or mobileconfig-based enrollment; privilege use or administrator group modification; and lateral movement indicators such as mounts or SSH. Because no ATT&CK tactics or standalone detection logic are supplied, implementation should focus on time-bounded behavioral chaining and local baselining rather than a single event signature. Investigations should confirm whether enrollment, privilege change, and network access were expected for the user, host, and administrative process involved.
Likely telemetry
- macOS unified logs related to login, enrollment, privilege use, and admin group changes
- Device management or mobileconfig enrollment records
- Local account and group membership change evidence on macOS endpoints
- SSH connection telemetry from endpoints or network sensors
- Network mount activity and related file-sharing telemetry
Detection direction
- Build or validate a correlation rule that links enrollment or third-party login events to subsequent privilege use or admin group change and then to SSH or mount activity.
- Tune correlation windows and thresholds using normal macOS administration and device management workflows to reduce false positives.
- Review expected IT operations, help desk, MDM enrollment, and administrator maintenance patterns before escalating.
- Check for blind spots where macOS unified logs, admin group changes, SSH activity, or network mount telemetry are not centrally collected.
- Use host, user, and time correlation as the primary analytic value because the official object provides no standalone detection logic.
Mitigation priorities
- Confirm macOS enrollment and mobileconfig workflows are governed, logged, and reviewed.
- Restrict and monitor administrative group changes and privilege use on macOS systems.
- Ensure SSH and network mount usage is authorized, logged, and attributable to users and hosts.
- Centralize macOS unified logs and relevant network telemetry so incident responders can reconstruct the behavioral chain.
- Document expected administrative workflows to support audit evidence and faster triage of anomalous chains.
Analyst notes and limits
This is a detection analytic object, not a technique description. The supplied ATT&CK content emphasizes a behavioral chain and explicitly calls for correlating unified logs and network telemetry. No relationship context, tactics, aliases, or official detection logic were supplied, so the take is framed around validation and operational readiness rather than a specific rule implementation.
The object is limited to macOS and provides no tactics, related techniques, relationship context, or detailed detection query. Local environment evidence is required to define normal enrollment, admin, SSH, and mount behavior and to determine whether a correlated sequence is suspicious.
Analytic 1346
Behavioral chain: (1) third-party interactive login or mobileconfig-based device enrollment; (2) privilege use or admin group change; (3) lateral movement mounts/ssh. Correlate unified logs and network telemetry.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 5717686b0172… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1346Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.