AN1639: Analytic 1639
SSH login detected via Unified Logs, followed by unusual process execution, especially outside normal user behavior patterns.
Analyst context for executives and security teams
This analytic matters because it looks for a potentially important macOS access pattern: an SSH login followed by unusual process execution in Unified Logs. For leaders, the value is not just “detect SSH,” but confirming whether remote access to Mac systems is visible enough for the SOC to distinguish normal administration from suspicious post-login activity.
Executive priority
Prioritize this where macOS systems are used for privileged administration, development, sensitive data access, or operational workflows. The business question is whether the organization can prove who accessed a Mac over SSH and what happened immediately afterward. This supports incident triage, audit evidence for remote access oversight, and decisions about whether macOS logging and behavior baselining are mature enough for managed detection or IR readiness.
Technical view
Validate that macOS Unified Logs are collected, retained, and searchable for SSH login events and subsequent process execution. Because the official detection logic is not provided and no ATT&CK tactic is specified, teams should treat this as a detection-validation prompt rather than a finished rule. Focus on correlating successful SSH access with process launches that are unusual for the user, host, time window, or administrative baseline.
Likely telemetry
- macOS Unified Logs
- SSH authentication or login events on macOS
- Process execution records following SSH login
- User and host context for normal behavior baselining
- Timestamps sufficient to correlate login and post-login activity
Detection direction
- Confirm Unified Logs from macOS endpoints are centrally collected and normalized with user, host, process, and timestamp fields preserved.
- Test whether the SOC can correlate an SSH login to process execution in a defined follow-on window.
- Baseline expected SSH administration patterns to reduce false positives from legitimate remote management, developer activity, or scripted maintenance.
- Tune for unusual process execution relative to normal user behavior, because the official description emphasizes deviations from user patterns.
- Document blind spots where macOS hosts do not forward Unified Logs, where SSH logging is disabled, or where process execution telemetry is incomplete.
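A minimal version of the correlation the points above describe, written here as an added example rather than anything from the analytic or from Glexia: SSH "Accepted" events and later process launches by the same user are joined inside a follow-on window, and launches that fall outside that user's baseline are reported. The log lines, the simplified `timestamp process[pid]: message` layout, the `exec` process-telemetry lines and the baseline sets are all constructed for the demo; a real `log show` export has more columns and process execution usually comes from separate endpoint telemetry.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a simplified log-show-style layout (assumption, not real output).
SAMPLE_LOG = """\
2024-05-01 10:15:22 sshd[812]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
2024-05-01 10:15:30 exec[813]: user=admin cmd=/usr/bin/uptime
2024-05-01 10:16:01 exec[814]: user=admin cmd=/usr/sbin/softwareupdate
2024-05-01 11:40:02 sshd[900]: Accepted password for dev from 192.168.1.20 port 40000 ssh2
2024-05-01 11:40:09 exec[901]: user=dev cmd=/usr/bin/git
2024-05-01 11:41:15 exec[902]: user=dev cmd=/usr/bin/curl
2024-05-01 11:42:40 exec[903]: user=dev cmd=/bin/launchctl
2024-05-01 12:10:00 exec[950]: user=dev cmd=/usr/bin/osascript
"""

# Per-user set of executables normally seen after SSH login (constructed; derive from local history).
BASELINE = {
    "admin": {"/usr/bin/uptime", "/usr/sbin/softwareupdate"},
    "dev": {"/usr/bin/git"},
}

LOGIN_RE = re.compile(r"^(?P<ts>\S+ \S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
EXEC_RE = re.compile(r"^(?P<ts>\S+ \S+) exec\[\d+\]: user=(?P<user>\S+) cmd=(?P<cmd>\S+)")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def correlate(log_text, baseline, window_seconds=300):
    """Return (user, source_ip, cmd, seconds_after_login) for each process launch that
    follows an SSH login by the same user within the window and is not in that user's baseline."""
    window = timedelta(seconds=window_seconds)
    logins = []    # (timestamp, user, source_ip) for every accepted SSH authentication
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            logins.append((parse_ts(m["ts"]), m["user"], m["src"]))
            continue
        m = EXEC_RE.match(line)
        if not m:
            continue
        ts, user, cmd = parse_ts(m["ts"]), m["user"], m["cmd"]
        # Only launches that land inside the follow-on window of a login by the same user count.
        recent = [l for l in logins if l[1] == user and timedelta(0) <= ts - l[0] <= window]
        if not recent or cmd in baseline.get(user, set()):
            continue   # no SSH context, outside the window, or expected administration
        login_ts, _, src = max(recent)   # most recent qualifying login
        findings.append((user, src, cmd, int((ts - login_ts).total_seconds())))
    return findings
```

Shrinking the window or widening the baseline changes what is reported, which is exactly the tuning the SOC has to justify with local evidence.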
Mitigation priorities
- Inventory macOS systems where SSH is enabled and confirm there is a business owner and approved use case.
- Restrict SSH access to authorized users and administrative paths consistent with local policy.
- Ensure macOS logging and retention support post-login investigation before relying on this analytic operationally.
- Use behavior baselines and change-control context to separate expected administration from suspicious post-login activity.
- Include this scenario in IR readiness exercises for macOS remote access investigations.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for macOS with a concise description: SSH login via Unified Logs followed by unusual process execution. No tactic, detection logic, relationships, aliases, labels, or related techniques were supplied, so this analysis focuses on validation and operationalization rather than on mapping specific adversary procedures.
Official detection content is not provided, and no relationships or tactics are supplied. Local environment evidence is required to define what counts as unusual process execution, what SSH activity is legitimate, and whether Unified Log collection is complete enough for reliable alerting.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 036fe64e9697… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1639 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.