AN1482: Analytic 1482
1) pkg/notarization installs from atypical sources or with Gatekeeper/AMFI warnings; 2) new Mach-O written into /Applications or ~/Library paths or substitution of signed components; 3) first run from installer spawns unsigned children or exfil.
Analyst context for executives and security teams
This analytic is about spotting suspicious macOS application installation and first-run behavior: packages or notarized apps arriving from unusual sources, Gatekeeper/AMFI warnings, new Mach-O binaries appearing in application or user library paths, signed component substitution, and unsigned child processes or exfiltration soon after install. For leaders, the practical issue is whether the organization can distinguish legitimate macOS software deployment from risky installer-driven execution before it becomes an incident response problem.
Executive priority
Prioritize this where macOS endpoints support privileged users, developers, executives, or regulated workflows. The decision value is validating that software installation controls, endpoint telemetry, and SOC triage can prove what was installed, where it came from, whether platform protections warned, and what the app did on first run. This supports operational resilience, audit evidence for endpoint control effectiveness, and faster incident decisions when suspicious macOS software appears.
Technical view
SOC and detection teams should validate visibility on macOS installer/package activity, notarization and Gatekeeper/AMFI warning signals, file writes into /Applications and ~/Library paths, Mach-O creation or replacement, code-signing state changes, process trees launched by installers, unsigned child processes, and early network or exfiltration-like behavior after first execution. Because no ATT&CK detection text or relationships are supplied beyond the analytic description, detection engineering should treat this as a behavior pattern to operationalize and tune locally rather than a complete rule.
Likely telemetry
- macOS endpoint security events for process execution and parent-child process trees
- File creation and modification events for /Applications and ~/Library paths
- Installer/package execution and software installation logs
- Gatekeeper, notarization, AMFI, and code-signing assessment events where available
- Mach-O file metadata and signing status
Detection direction
- Correlate software install events with source reputation or atypical origin indicators available in local telemetry.
- Alert or hunt for new Mach-O files written into /Applications or user Library locations, especially when followed by first execution.
- Compare signed application components against expected baselines to identify substitution or unexpected replacement.
- Review installer-spawned child processes, with extra scrutiny for unsigned children or immediate outbound network activity.
- Tune for known enterprise software distribution tools, approved updaters, developer workflows, and administrative maintenance to reduce false positives.
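As an added illustration (not part of the ATT&CK object or Glexia's analysis), the following Python replays a constructed stream of endpoint events and flags the three parts of the analytic: a Mach-O written under /Applications or a Library path, an unsigned child spawned by the installer process, and an early outbound connection from that child. The installer image paths, event field names, sample paths and the 120-second window are assumptions chosen for the example.

```python
"""Replay constructed macOS endpoint events against the AN1482 behavior pattern."""
import struct

# Mach-O magic values (32/64-bit, both byte orders) and the universal (fat) header.
# Caveat: 0xCAFEBABE is also the Java .class magic, so pair this check with path context.
MACHO_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE, 0xCAFEBABE, 0xBEBAFECA}
# Assumed installer images; extend with approved deployment tooling to cut false positives.
INSTALLER_IMAGES = {"/usr/sbin/installer",
                    "/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer"}

def is_macho(header: bytes) -> bool:
    """True when the first four bytes carry a Mach-O or fat-binary magic number."""
    return len(header) >= 4 and struct.unpack(">I", header[:4])[0] in MACHO_MAGICS

def in_watched_path(path: str) -> bool:
    """/Applications, the system /Library, or any user's ~/Library."""
    return (path.startswith("/Applications/") or path.startswith("/Library/")
            or (path.startswith("/Users/") and "/Library/" in path))

def correlate(events, window=120):
    """Return (kind, detail) alerts; events are dicts, replayed in 'ts' (seconds) order."""
    procs, new_macho, alerts = {}, {}, []   # pid -> exec event; path -> write timestamp
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "file_write":
            if in_watched_path(ev["path"]) and is_macho(ev["header"]):
                new_macho[ev["path"]] = ev["ts"]
                alerts.append(("new_macho", ev["path"]))
        elif ev["type"] == "exec":
            procs[ev["pid"]] = ev
            parent = procs.get(ev["ppid"])
            if parent and parent["image"] in INSTALLER_IMAGES and not ev["signed"]:
                alerts.append(("unsigned_installer_child", ev["image"]))
            if ev["image"] in new_macho and ev["ts"] - new_macho[ev["image"]] <= window:
                alerts.append(("first_run_new_macho", ev["image"]))
        elif ev["type"] == "net":
            p = procs.get(ev["pid"])
            if p and (not p["signed"] or p["image"] in new_macho) and ev["ts"] - p["ts"] <= window:
                alerts.append(("early_outbound", f"{p['image']} -> {ev['dst']}"))
    return alerts

HELPER = "/Applications/Acme Helper.app/Contents/MacOS/acme-helper"  # constructed path
SAMPLE_EVENTS = [  # constructed sample telemetry, not real data; 203.0.113.0/24 is a doc range
    {"ts": 0, "type": "exec", "pid": 100, "ppid": 1, "image": "/usr/sbin/installer", "signed": True},
    {"ts": 5, "type": "file_write", "pid": 100, "path": HELPER, "header": b"\xcf\xfa\xed\xfe\x0c\x00\x00\x01"},
    {"ts": 7, "type": "file_write", "pid": 100, "path": "/Applications/Acme Helper.app/Contents/Resources/README", "header": b"Read me"},
    {"ts": 9, "type": "exec", "pid": 101, "ppid": 100, "image": HELPER, "signed": False},
    {"ts": 12, "type": "net", "pid": 101, "dst": "203.0.113.10:443"},
    {"ts": 40, "type": "exec", "pid": 102, "ppid": 1, "image": "/bin/zsh", "signed": True},
    {"ts": 41, "type": "net", "pid": 102, "dst": "203.0.113.20:443"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields four alerts for the helper binary and none for the signed, pre-existing shell, which is the separation the tuning bullet above is after.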
Mitigation priorities
- Maintain approved software distribution and installation paths for macOS and document exceptions.
- Enforce or monitor macOS platform protection signals such as Gatekeeper, notarization, AMFI, and code-signing policy where operationally feasible.
- Limit local administrative installation rights where business processes allow.
- Baseline expected applications and signed components in /Applications and relevant ~/Library paths.
- Ensure EDR or endpoint logging captures process, file, signing, installer, and network telemetry needed for first-run investigation.
Analyst notes and limits
This object is a detection analytic for macOS, external ID AN1482, tied to MITRE ATT&CK detection strategy DET0537. The supplied description focuses on suspicious install provenance, platform warning signals, Mach-O placement or substitution, and first-run behavior. No tactics, technique relationships, aliases, or formal detection logic were supplied, so recommendations are framed as validation and engineering direction rather than confirmed coverage.
The official detection field is not provided and no relationship context is supplied. This take does not infer attacker attribution, active exploitation, impact, or applicability beyond macOS. Local environment baselines, approved software channels, endpoint tooling, and log retention determine whether this analytic can be implemented reliably.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c5e7e0de63cc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1482 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.