MITRE ATT&CK® Analytic

AN1597: Analytic 1597

Detect loading or inspection of kernel extensions (kextstat, kextfind) and file access to /System/Library/Extensions/. Monitor unexpected usage of these utilities by non-administrative users or scripts.

Enterprise | AN1597 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is about visibility into macOS kernel extension activity and related inspection tools. For leaders, the practical value is knowing whether the organization can see when users or scripts interact with kernel extension utilities or the system extensions directory, because that activity may be security-relevant and often requires endpoint-level evidence to investigate well.

Executive priority

Prioritize this as a macOS endpoint visibility and incident-readiness question: do SOC and IR teams have reliable evidence for kernel extension inspection/loading activity, especially when performed by non-administrative users or automation? This can support control validation, audit evidence for endpoint monitoring, and faster triage of suspicious macOS activity. The supplied ATT&CK object does not specify a tactic, impact, threat actor, or active exploitation context, so prioritization should be based on local macOS exposure and monitoring maturity.

Technical view

Validate monitoring for macOS use of kextstat and kextfind, along with file access to /System/Library/Extensions/. Focus review on unexpected execution by non-administrative users and scripts. Because no ATT&CK detection logic is provided, detection engineering should define local baselines for legitimate administrative, management, and troubleshooting activity before alerting broadly.

Likely telemetry

  • macOS process execution events for kextstat and kextfind
  • Command-line arguments and parent process context for those utilities
  • User identity and privilege context, especially administrative versus non-administrative users
  • Script or automation execution context launching these utilities
  • File access telemetry for /System/Library/Extensions/

Detection direction

  • Confirm endpoint telemetry captures process execution, command line, user context, and parent process data on macOS systems.
  • Monitor for kextstat or kextfind usage by non-administrative users or scripts, as highlighted by the ATT&CK analytic.
  • Monitor access to /System/Library/Extensions/ and correlate it with process, user, and administrative context.
  • Tune against known IT administration, troubleshooting, software management, and approved maintenance workflows to reduce false positives.
  • Because tactics and relationships are not supplied, avoid over-mapping alerts to a specific adversary objective without additional local evidence.
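As an added illustration of the detection direction above (this is example code written for this page, not the Glexia library's or MITRE's own logic), a small Python triage filter run over constructed macOS telemetry: it matches the two behaviours AN1597 names and attaches the two review conditions the analytic highlights. The event field names, the admin-group heuristic, and the use of a missing tty as the script/automation signal are assumptions.

```python
import json
import os

KEXT_TOOLS = {"kextstat", "kextfind"}    # utilities named in AN1597
KEXT_DIR = "/System/Library/Extensions"  # directory named in AN1597
ADMIN_GROUPS = {"admin", "wheel"}        # assumption: membership marks an administrator

# Constructed NDJSON telemetry for this example; the field names are assumptions,
# not a vendor schema. "tty": null is taken to mean no interactive terminal.
SAMPLE_EVENTS = """\
{"type":"process","user":"itadmin","groups":["admin","staff"],"exe":"/usr/sbin/kextstat","cmdline":"kextstat -l","parent":"/bin/zsh","tty":"ttys001"}
{"type":"process","user":"jdoe","groups":["staff"],"exe":"/usr/sbin/kextstat","cmdline":"kextstat","parent":"/bin/bash","tty":null}
{"type":"process","user":"itadmin","groups":["admin","staff"],"exe":"/usr/sbin/kextfind","cmdline":"kextfind -b com.example.kext","parent":"/usr/bin/python3","tty":null}
{"type":"file","user":"jdoe","groups":["staff"],"exe":"/bin/ls","path":"/System/Library/Extensions/","parent":"/bin/zsh","tty":"ttys002"}
{"type":"file","user":"jdoe","groups":["staff"],"exe":"/bin/cat","path":"/System/Library/ExtensionsBackup/x","parent":"/bin/zsh","tty":"ttys002"}
{"type":"process","user":"jdoe","groups":["staff"],"exe":"/bin/ls","cmdline":"ls -la","parent":"/bin/zsh","tty":"ttys002"}
"""

def under_kext_dir(path):
    """True for the Extensions directory itself or anything beneath it (not look-alike siblings)."""
    norm = os.path.normpath(path)
    return norm == KEXT_DIR or norm.startswith(KEXT_DIR + "/")

def is_kext_activity(ev):
    """Does the event match what AN1597 asks to monitor: the tools, or access to the directory?"""
    if ev["type"] == "process":
        return os.path.basename(ev["exe"]) in KEXT_TOOLS
    return ev["type"] == "file" and under_kext_dir(ev["path"])

def review_reasons(ev):
    """The two conditions the analytic highlights; an empty list means expected admin use."""
    reasons = []
    if not ADMIN_GROUPS & set(ev.get("groups", [])):
        reasons.append("non-administrative user")
    if ev.get("tty") is None:
        reasons.append("no interactive terminal (script or automation)")
    return reasons

def triage(ndjson):
    """One finding per matching event, keeping the context an analyst asks for first."""
    findings = []
    for line in ndjson.splitlines():
        ev = json.loads(line)
        if not is_kext_activity(ev):
            continue
        what = ev["cmdline"] if ev["type"] == "process" else ev["path"]
        findings.append({"user": ev["user"], "what": what,
                         "parent": os.path.basename(ev["parent"]),
                         "reasons": review_reasons(ev)})
    return findings
```

Calling triage(SAMPLE_EVENTS) returns four findings; only the first (an administrator at an interactive shell) has an empty reasons list, which is the baseline the page says must be established before alerting broadly.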

Mitigation priorities

  • Establish or confirm macOS endpoint logging coverage for the utilities and path named in the analytic.
  • Limit administrative privileges and script execution rights to approved users and workflows where business operations allow.
  • Document legitimate kernel extension inspection or maintenance activity so SOC teams can distinguish expected operations from unusual behavior.
  • Ensure incident response playbooks include triage questions for macOS kernel extension-related activity, including who ran the command, from what parent process, and whether it was scripted.
  • Use monitoring results as compliance and control-evidence inputs where macOS endpoint visibility is in scope.

Analyst notes and limits

The object is a detection analytic for macOS only. It provides a concise monitoring objective but no formal detection query, tactic mapping, related techniques, mitigations, or data component relationships. The most useful implementation work is local validation: determine which macOS systems collect the required process and file access telemetry, then baseline expected administrative usage.

This take is limited to the supplied official fields and external reference. No relationship context, tactic, procedure example, adversary association, or official detection logic was provided. Local environment evidence is required to assess risk, expected activity, false positives, and alert severity.

Official MITRE ATT&CK definition

Analytic 1597

Detect loading or inspection of kernel extensions (kextstat, kextfind) and file access to /System/Library/Extensions/. Monitor unexpected usage of these utilities by non-administrative users or scripts.

View the same entry on attack.mitre.org (MITRE-hosted reference; the in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created: (not populated in this snapshot)
Modified: (not populated in this snapshot)
Raw hash: ae43b4b350ce4aef...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not populated) | 1.0 | (not populated) | Current bundle | ae43b4b350ce…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack AN1597 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.