AN1545: Analytic 1545
Detection of interactive and remote logins by service accounts or users at unusual times, with unexpected child process activity.
Analyst context for executives and security teams
This analytic matters because service accounts and unusual-hours logins are often high-signal places to look for misuse, policy drift, or compromised credentials on macOS systems. For leaders, the decision value is not that this analytic proves an intrusion, but that it tests whether the organization can distinguish expected administrative automation from suspicious interactive or remote access followed by unexpected process activity.
Executive priority
Prioritize this as an identity and endpoint monitoring validation for macOS environments, especially where service accounts exist or remote administration is permitted. Executives should ask whether service accounts are allowed to log in interactively, whether after-hours access has documented business justification, and whether SOC teams have enough login and process telemetry to investigate quickly. This can also support audit evidence around privileged access governance and incident response readiness.
Technical view
For SOC, detection engineering, and IR teams, validate coverage for macOS interactive and remote login events, account type or naming context for service accounts, time-of-day baselining, and child process activity after login. Because no official detection logic is supplied, teams should build local baselines for expected administrative behavior and tune for unusual login timing combined with unexpected process trees rather than treating either condition alone as conclusive.
Likely telemetry
- macOS authentication and login records
- Remote login or remote administration access logs where enabled
- Endpoint process creation telemetry
- Parent-child process relationship data after login
- Account inventory or identity context identifying service accounts and privileged users
Detection direction
- Confirm whether service accounts are technically able to perform interactive or remote logins; if they are not expected to, alerting can be higher confidence.
- Correlate unusual login time with subsequent child process activity to reduce noise from legitimate maintenance windows.
- Tune around approved administrative tasks, scheduled maintenance, and known remote support workflows to manage false positives.
- Validate that process telemetry includes parent-child relationships and user context, not only process names.
- Review blind spots where macOS endpoints lack centralized authentication logs, process creation visibility, or consistent account classification.
Mitigation priorities
- Restrict service accounts from interactive and remote login where business operations allow.
- Document approved after-hours administration and maintenance windows for SOC tuning and audit support.
- Maintain accurate service account ownership, purpose, and privilege records.
- Ensure macOS endpoint logging and centralized collection cover authentication and process activity.
- Use least privilege and access review practices for accounts capable of remote or interactive access.
Analyst notes and limits
This is a detection analytic object for macOS with a narrow official description and no supplied detection logic or relationship context. The strongest practical use is as a validation prompt: can the organization identify unusual interactive or remote logins by service accounts or users, and can it see what processes run afterward?
No official detection query, tactic mapping, related techniques, threat actors, procedures, or mitigations were supplied. Any severity, prevalence, or exploitation claims require local environment evidence and cannot be inferred from this object alone.
Analytic 1545
Detection of interactive and remote logins by service accounts or users at unusual times, with unexpected child process activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 48f151a27366… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1545Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.