AN1635: Analytic 1635
Detects exploitation of macOS security and integrity services, such as Gatekeeper, XProtect, or EDR agents. Defender observations include unsigned processes attempting privileged operations, abnormal termination of security daemons, or modification of system integrity logs.
Analyst context for executives and security teams
This analytic matters because it focuses on attempts to undermine macOS security controls rather than on a single malware family or tool. For leaders, the key decision value is whether the organization can see when Gatekeeper, XProtect, EDR agents, or related integrity services are being disabled, terminated, bypassed, or tampered with on macOS endpoints.
Executive priority
Prioritize this as a macOS endpoint resilience and incident-readiness validation item. If security services can be stopped or integrity logs modified without timely alerting, incident responders may lose trustworthy evidence and SOC teams may miss follow-on activity. This is especially relevant for organizations with meaningful macOS fleets, executive endpoints, developer workstations, or compliance requirements that depend on endpoint protection evidence.
Technical view
Validate visibility for macOS events involving unsigned processes attempting privileged operations, abnormal termination of security daemons, and modification of system integrity logs. Because ATT&CK does not provide a specific detection query or tactic mapping for this analytic, SOC teams should treat it as a detection engineering requirement: confirm which macOS security services are in scope, what normal restart/update behavior looks like, and whether endpoint telemetry distinguishes legitimate administration from suspicious tampering.
Likely telemetry
- macOS process execution and code-signing status
- Privileged operation attempts by processes
- Security daemon status, termination, restart, and crash events
- Gatekeeper and XProtect-related logs or configuration-change records
- EDR agent health, tamper, service-stop, and policy-change telemetry
Detection direction
- Baseline normal macOS security service behavior, including expected updates, restarts, and administrative maintenance.
- Alert on unsigned or unexpected processes attempting privileged operations related to security or integrity services.
- Correlate security daemon termination with process ancestry, user context, code-signing status, and endpoint protection health signals.
- Monitor for modification or deletion of system integrity logs, while accounting for legitimate log rotation or OS maintenance activity.
- Review blind spots where EDR self-protection, macOS unified logging, or endpoint management telemetry may be unavailable, delayed, or disabled.
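The detection direction above, worked as an added example (not part of the ATT&CK analytic or any vendor's product): a toy rule pass over constructed, EDR-style macOS events that flags security-daemon termination by unexpected senders, integrity-log tampering outside normal rotation, and unsigned privileged execution. The daemon names, log paths, signer labels and event schema are assumptions chosen for illustration.

```python
"""Toy AN1635 detection pass over constructed macOS endpoint telemetry.
Added example; daemon names, paths and field names are assumptions."""
from typing import Iterable, Optional

# Assumed watchlist: security daemons (process names) and integrity logs.
SECURITY_DAEMONS = {"syspolicyd", "XProtectService", "exampleedr-agent"}
INTEGRITY_LOGS = ("/var/log/install.log", "/var/db/exampleedr/integrity.log")
# Assumed baseline of legitimate maintenance: vendor-signed updaters may
# restart daemons, and log rotation may delete or truncate integrity logs.
BASELINE_SIGNERS = {"apple", "exampleedr"}
BASELINE_ROTATORS = {"newsyslog", "softwareupdated"}

def evaluate(event: dict) -> Optional[str]:
    """Return an alert string for a suspicious event, else None."""
    signer = event.get("signer")  # None means the process is unsigned
    name = event["process"]
    if event["type"] == "signal" and event["target"] in SECURITY_DAEMONS:
        # Daemon termination: correlate with the sender's signing status.
        if signer not in BASELINE_SIGNERS:
            return f"security_daemon_kill:{event['target']} by {name}({signer or 'unsigned'})"
    if event["type"] in ("file_modify", "file_delete") and event["path"] in INTEGRITY_LOGS:
        # Integrity-log tampering, minus expected rotation by signed tooling.
        if not (name in BASELINE_ROTATORS and signer in BASELINE_SIGNERS):
            return f"integrity_log_{event['type']}:{event['path']} by {name}"
    if event["type"] == "exec" and event.get("privileged") and signer is None:
        # Unsigned process performing a privileged operation.
        return f"unsigned_privileged_exec:{name} uid={event['uid']}"
    return None

def run(events: Iterable[dict]) -> list:
    """Apply evaluate() to every event and return the alerts raised."""
    return [a for a in (evaluate(e) for e in events) if a]

SAMPLE_EVENTS = [  # constructed sample telemetry, not real captures
    {"type": "signal", "process": "softwareupdated", "signer": "apple", "target": "XProtectService", "uid": 0},
    {"type": "signal", "process": "helper", "signer": None, "target": "exampleedr-agent", "uid": 0},
    {"type": "file_delete", "process": "newsyslog", "signer": "apple", "path": "/var/log/install.log", "uid": 0},
    {"type": "file_modify", "process": "cleanup", "signer": None, "path": "/var/db/exampleedr/integrity.log", "uid": 501},
    {"type": "exec", "process": "Installer", "signer": "apple", "privileged": True, "uid": 0},
    {"type": "exec", "process": "unknown_bin", "signer": None, "privileged": True, "uid": 0},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The baseline sets are the part that must be tuned per fleet: an update that restarts a daemon or a rotation job that truncates a log should stay silent, as the first and third sample events do.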
Mitigation priorities
- Maintain managed endpoint protection and tamper-resistance controls for macOS where available.
- Restrict privileged access and administrative tooling to authorized users and managed processes.
- Ensure macOS security services and endpoint agents are monitored for health, configuration drift, and unexpected termination.
- Preserve endpoint logs needed for incident response and compliance evidence, including integrity-related records.
- Test incident response procedures for cases where endpoint security tooling or logs may have been impaired.
Analyst notes and limits
No relationship context, tactic mapping, or official detection logic was supplied. The object is best used as a coverage-validation prompt for macOS security-control tampering and security-service exploitation scenarios, not as a complete detection rule.
This take is limited to the supplied ATT&CK analytic fields. It does not establish active exploitation, adversary attribution, business impact, or guaranteed detection coverage. Local macOS architecture, EDR capabilities, logging configuration, and administrative practices determine practical coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 476a96f1f3ba… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN1635 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.