AN1371: Analytic 1371
Detection of adversary disabling endpoint security tools by unloading launch agents/daemons, modifying configuration profiles, or disabling Gatekeeper/XProtect/logging settings, or removing endpoint agents followed by telemetry loss.
Analyst context for executives and security teams
This analytic matters because it focuses on a macOS defense-evasion pattern: endpoint security controls may be weakened or removed, and the most business-relevant signal may be a sudden loss of expected telemetry. For leaders, the issue is not only whether a tool is installed, but whether the organization can prove that macOS security agents, Gatekeeper/XProtect-related settings, logging, and configuration profiles remain enforced and observable during an incident.
Executive priority
Prioritize this as an operational resilience and incident-readiness control check for macOS fleets. Security leaders should ask whether endpoint protection, logging, and macOS security configuration state are continuously validated, whether loss of telemetry creates an incident workflow, and whether audit evidence can show that critical macOS controls were not silently disabled or removed.
Technical view
SOC and detection teams should validate monitoring for macOS endpoint security degradation consistent with the analytic description: unloading launch agents or daemons, modifying configuration profiles, disabling Gatekeeper/XProtect or logging settings, removing endpoint agents, and subsequent telemetry loss. Because the official object does not provide a detection implementation or ATT&CK tactics, teams should map this analytic to local macOS management, EDR, system logging, and configuration-state data before claiming coverage.
Likely telemetry
- macOS launch agent and launch daemon state changes
- Configuration profile inventory and modification events
- Gatekeeper and XProtect-related setting state
- macOS logging configuration and log collection health
- Endpoint security or EDR agent install, uninstall, service, and heartbeat status
Detection direction
- Alert on unexpected removal, unload, or disablement of macOS security-related launch agents or daemons where local telemetry supports it.
- Correlate security-control state changes with endpoint agent heartbeat loss or broader telemetry disappearance.
- Baseline approved administrative maintenance so legitimate security tool upgrades, MDM actions, or troubleshooting do not create excessive false positives.
- Validate whether configuration profile changes can be attributed to an approved management path versus local or unauthorized modification.
- Treat telemetry loss as a detection condition, not just a data-quality issue, especially when it follows security-control or logging changes.
Mitigation priorities
- Maintain authoritative macOS device management and configuration baselines for endpoint agents, logging, Gatekeeper/XProtect-related settings, and profiles.
- Require operational procedures for approved security-agent removal, upgrade, or disablement, with change records and time-bound exceptions.
- Monitor endpoint agent health and telemetry continuity as a security control, not only as an IT availability metric.
- Periodically test whether SOC and IR teams can identify disabled controls or missing telemetry on macOS systems.
- Preserve audit evidence showing enforcement and monitoring of macOS security configuration where compliance readiness is required.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for macOS only. It describes the behavior to detect but does not include a specific detection query, data component list, tactic mapping, or relationships to techniques, groups, malware, or campaigns. Glexia’s interpretation is therefore focused on defensive validation and control assurance rather than attribution or threat activity.
This take is limited to the official STIX fields, the MITRE external reference, and the supplied description. No active exploitation, actor attribution, business impact, or guaranteed detection coverage is implied. Local macOS fleet architecture, MDM controls, EDR behavior, and logging availability are required to determine actual coverage.
Analytic 1371
Detection of adversary disabling endpoint security tools by unloading launch agents/daemons, modifying configuration profiles, or disabling Gatekeeper/XProtect/logging settings, or removing endpoint agents followed by telemetry loss.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.1 | Current bundle | 30306f6995ba… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1371Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.