AN1447: Analytic 1447
Detects modification of System Integrity Protection (SIP) or code signing enforcement policies through csrutil or kernel variable tampering. Correlates execution of csrutil disable commands with subsequent policy state changes and anomalous unsigned process executions.
Analyst context for executives and security teams
This analytic is about spotting attempts to weaken macOS platform protections by changing System Integrity Protection (SIP) or code signing enforcement policy. For security leaders, the value is not just detecting a command: it is validating whether the organization can see when a Mac’s trust model has been altered and whether unsigned or unexpected processes appear afterward.
Executive priority
Prioritize this where macOS systems support sensitive users, administrators, developers, or business-critical workflows. SIP and code signing controls are part of the operating system’s integrity baseline; changes to them can reduce confidence in endpoint trust, complicate incident response, and weaken audit evidence. Leaders should ask whether macOS security-state changes are logged, reviewed, and correlated with suspicious process activity.
Technical view
For SOC and detection teams, validate collection and correlation around macOS execution of csrutil disable activity, changes to SIP or code signing enforcement state, kernel variable tampering indicators where observable, and subsequent anomalous unsigned process execution. Because no ATT&CK detection logic is supplied, teams should treat this as a detection design objective rather than a ready-to-deploy rule.
Likely telemetry
- macOS process execution telemetry, especially csrutil invocation and command-line context
- Endpoint security or EDR events showing code signing status for executed processes
- macOS security configuration or policy state evidence related to SIP and code signing enforcement
- Kernel or system-level telemetry capable of indicating relevant variable or policy tampering, if available
- Host inventory or baseline data showing expected macOS protection state
Detection direction
- Correlate csrutil disable activity with later changes in SIP or code signing enforcement state rather than alerting only on isolated command execution.
- Tune for authorized administrative or maintenance scenarios to reduce false positives, but require evidence that policy changes were approved and reverted where applicable.
- Validate whether unsigned process execution is visible and can be tied back to the same host and time window as protection-state changes.
- Identify blind spots on macOS endpoints that lack command-line capture, code signing metadata, or security-state monitoring.
- Because no tactics or relationships are supplied, avoid over-scoping this analytic to specific adversary stages without local evidence.
Mitigation priorities
- Maintain a known-good macOS security baseline that includes SIP and code signing enforcement expectations.
- Restrict and monitor administrative actions that can alter operating system protection settings.
- Ensure endpoint tooling captures process execution, command-line details, and code signing metadata on macOS.
- Establish incident response procedures for hosts where SIP or code signing enforcement changes unexpectedly, including validation of current policy state and review of unsigned process activity.
- Use configuration compliance checks to provide audit evidence that macOS protection settings remain in the expected state.
Analyst notes and limits
This object is a MITRE detection analytic for macOS, focused on modification of SIP or code signing enforcement through csrutil or kernel variable tampering, with correlation to anomalous unsigned process execution. It has no supplied ATT&CK tactic mapping, no relationships, and no official detection logic, so local implementation depends on available macOS endpoint telemetry and baseline policy knowledge.
The supplied object contains a description but no official detection query, no related techniques, no tactics, and no relationship context. This take does not assert active exploitation, attribution, guaranteed detectability, or coverage beyond macOS as listed in the official fields.
Analytic 1447
Detects modification of System Integrity Protection (SIP) or code signing enforcement policies through csrutil or kernel variable tampering. Correlates execution of csrutil disable commands with subsequent policy state changes and anomalous unsigned process executions.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | a2252aabab7a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1447Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.