MITRE ATT&CK® Analytic

AN1363: Analytic 1363

Monitor unified logs for access to payment applications, browser plug-ins, or Apple Pay services from non-standard processes. Detect anomalous use of Automator scripts or keychain extraction targeting financial account credentials.

Domain: Enterprise | ID: AN1363 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic watches macOS unified logs for unusual process access to payment-related applications, browser plug-ins, Apple Pay services, Automator scripts, or keychain extraction activity that could indicate attempts to reach financial account credentials. For leaders, the practical value is validating, before an incident, whether macOS endpoints that handle payment or finance workflows generate usable evidence, rather than assuming endpoint tooling automatically sees this behavior.

Executive priority

Prioritize this where macOS systems are used for finance, executive, payment, or high-trust browser activity. The business decision is whether SOC and incident response teams can prove visibility into credential-focused activity involving Apple Pay, payment applications, browser plug-ins, and keychain access. This also supports compliance and audit conversations around monitoring of sensitive financial credential access, but local evidence is required to show coverage.

Technical view

For macOS, validate collection and retention of unified logs relevant to payment applications, browser plug-ins, Apple Pay services, Automator execution, and keychain access or extraction indicators. Because no ATT&CK tactics, relationships, or separate detection logic are supplied, teams should treat this as a telemetry validation and anomaly-detection use case rather than a complete rule. Baseline standard business processes that legitimately interact with payment services or keychain items, then alert on non-standard processes, unusual script execution, or unexpected access patterns.

Likely telemetry

  • macOS unified logs
  • Process execution metadata for macOS endpoints
  • Automator script execution evidence
  • Keychain access or extraction-related events
  • Application/service access records for payment applications, browser plug-ins, and Apple Pay services

Detection direction

  • Confirm unified log collection is enabled, centrally forwarded, searchable, and retained for relevant macOS systems.
  • Build or validate logic that identifies non-standard processes accessing payment applications, browser plug-ins, Apple Pay services, or keychain-related resources.
  • Baseline approved payment, browser, and automation workflows to reduce false positives from legitimate finance tools or administrative scripts.
  • Correlate anomalous service access with process lineage, user context, script execution, and endpoint history before escalation.
  • Review blind spots around unmanaged Macs, short log retention, privacy-filtered logs, and endpoint tools that do not parse unified logs well.
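As an added example (not part of this page or of MITRE's analytic), the baseline-then-alert logic from the steps above, run over constructed unified log lines in the `log show --style default` layout. The sensitive subsystem names, the approved-process baseline and the script-runtime list are assumptions to be replaced with a locally measured baseline.

```python
import re

# Parses the `log show --style default` line layout (fields assumed from that format):
# "<date> <time> <thread> <type> <activity> <pid> <ttl> <process>: (<lib>) [<subsystem>:<category>] <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) 0x[0-9a-f]+ +\w+ +0x[0-9a-f]+ +(?P<pid>\d+) +\d+ +(?P<process>.+?): "
    r"\([^)]*\) \[(?P<subsystem>[^:\]]+):(?P<category>[^\]]*)\] (?P<msg>.*)$"
)

# Assumed baseline: sensitive subsystems (keychain, Apple Pay/Wallet, Automator) mapped to the
# processes approved to appear under them on finance Macs. Replace with a measured local baseline.
BASELINE = {
    "com.apple.securityd": {"securityd", "Safari", "Wallet"},
    "com.apple.passd": {"passd", "Wallet", "Safari"},
    "com.apple.Automator": set(),  # no approved Automator workflows on these endpoints
}
# Script runtimes that should never be the actor under a sensitive subsystem (assumption).
SCRIPT_RUNTIMES = {"osascript", "automator", "Automator Runner", "python3", "sh", "bash"}

# Constructed sample lines in the default layout; not real captures.
SAMPLE_LOG = """\
2024-03-04 09:12:01.100000-0800 0x1a2b Default 0x0 733 0 Safari: (Security) [com.apple.securityd:keychain] SecItemCopyMatching for service bank-login
2024-03-04 09:12:05.200000-0800 0x1a2c Default 0x0 905 0 osascript: (Security) [com.apple.securityd:keychain] SecItemCopyMatching for service bank-login
2024-03-04 09:13:10.300000-0800 0x1a2d Default 0x0 811 0 passd: (PassKit) [com.apple.passd:payment] payment pass lookup
2024-03-04 09:13:12.400000-0800 0x1a2e Default 0x0 950 0 curl: (PassKit) [com.apple.passd:payment] payment pass lookup
2024-03-04 09:13:15.500000-0800 0x1a2f Default 0x0 960 0 mDNSResponder: (mDNS) [com.apple.mDNSResponder:Default] query
2024-03-04 09:14:00.600000-0800 0x1a30 Default 0x0 1001 0 Automator Runner: (Foundation) [com.apple.Automator:workflow] running workflow exportcards.workflow
"""

def detect(log_text, baseline=BASELINE, script_runtimes=SCRIPT_RUNTIMES):
    """Flag lines under a sensitive subsystem whose process is a script runtime or is not baselined."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["subsystem"] not in baseline:
            continue  # unparseable line, or a subsystem this analytic does not cover
        proc, sub = m["process"], m["subsystem"]
        if proc in script_runtimes:
            reason = "script runtime touching sensitive subsystem"
        elif proc not in baseline[sub]:
            reason = "process not in approved baseline"
        else:
            continue  # approved process: part of the baseline, no alert
        alerts.append({"ts": m["ts"], "process": proc, "pid": int(m["pid"]),
                       "subsystem": sub, "reason": reason})
    return alerts
```

Each alert carries the PID and timestamp so it can be joined to process lineage and user context before escalation, as the correlation step above requires.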

Mitigation priorities

  • Inventory macOS endpoints that handle payment, finance, executive, or credential-sensitive workflows.
  • Ensure centralized macOS unified log and endpoint telemetry collection before relying on this analytic.
  • Limit unnecessary Automator/script usage and review authorized automation paths on sensitive Macs.
  • Apply least-privilege access practices around keychain and financial applications where administratively feasible.
  • Use incident response runbooks that preserve macOS logs and keychain-related evidence during triage.

Analyst notes and limits

The supplied object is a detection analytic for macOS only. It names monitoring targets and suspicious themes but does not provide formal detection logic, ATT&CK tactics, related techniques, data components, or adversary relationships. Treat it as guidance for coverage validation and analytic engineering rather than a ready-to-deploy detection.

No official detection content, relationship context, tactics, aliases, labels, or supporting procedure examples were supplied. This take cannot assess prevalence, threat actor usage, active exploitation, or actual detection effectiveness without local macOS telemetry and environment-specific baselines.

Official MITRE ATT&CK definition

Analytic 1363

Monitor unified logs for access to payment applications, browser plug-ins, or Apple Pay services from non-standard processes. Detect anomalous use of Automator scripts or keychain extraction targeting financial account credentials.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not provided)
Modified: (not provided)
Raw hash: f3ded5a57490b5a1...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not provided) | 1.0 | (not provided) | Current bundle | f3ded5a57490…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1363

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.