AN2040: Analytic 2040
Detects crafted activity resulting in crashes or impairment of endpoint security extensions, network filters, launch daemons, or telemetry agents. Correlates process activity, system extension state changes, and telemetry interruption.
Analyst context for executives and security teams
This analytic is about spotting attempts to impair macOS security and telemetry components, such as endpoint security extensions, network filters, launch daemons, or telemetry agents. For leaders, the practical issue is not only malware execution; it is loss of visibility. If an attacker can crash or disrupt the tools that generate alerts and evidence, SOC and incident response teams may make decisions with incomplete data.
Executive priority
Prioritize this as a resilience and assurance control for macOS environments where endpoint telemetry supports incident response, compliance evidence, or executive risk reporting. Security leaders should ask whether critical macOS monitoring components are inventoried, health-checked, and alertable when they stop reporting, not just whether malware detections exist. This is especially relevant for budget and control decisions around managed detection, endpoint management, and audit readiness.
Technical view
For SOC, detection engineering, and IR teams, validate correlation across macOS process activity, system extension state changes, launch daemon behavior, network filter status, and telemetry interruption. Because ATT&CK provides no specific detection logic for AN2040, teams should focus on coverage validation: can they see security extension crashes, unloads, disabled states, abnormal restarts, agent silence, and nearby process activity that may explain the disruption? Treat this as a detection-health and tamper-resistance analytic rather than a single indicator match.
Likely telemetry
- macOS process execution and parent/child process context
- System extension state changes and crash events
- Endpoint security extension health/status events
- Network filter status or interruption events
- Launch daemon load, unload, restart, and failure events
Detection direction
- Validate that macOS endpoint security component failures generate alerts even when the endpoint agent itself is degraded.
- Correlate telemetry interruption with recent local process activity and system extension or launch daemon changes.
- Tune for operational noise from legitimate software updates, agent upgrades, OS updates, reboots, and approved security tool maintenance.
- Look for clusters: repeated crashes, unexpected extension state changes, network filter interruption, and loss of heartbeat in a short time window.
- Confirm blind spots where telemetry loss prevents event collection; management-plane health data may be more reliable than endpoint-local logs during impairment.
Mitigation priorities
- Maintain an authoritative inventory of macOS security extensions, network filters, launch daemons, and telemetry agents that must remain healthy.
- Implement independent health monitoring and alerting for security tooling, including heartbeat loss and unexpected service interruption.
- Restrict administrative changes to security components using standard identity, device management, and change-control processes.
- Test incident response procedures for cases where endpoint telemetry is partially unavailable or intentionally impaired.
- Review compliance evidence requirements to ensure telemetry outages are recorded, investigated, and explainable.
Analyst notes and limits
AN2040 is a detection analytic for macOS focused on crafted activity that causes crashes or impairment of security extensions, network filters, launch daemons, or telemetry agents. The key decision value is validating whether defenders can detect loss of visibility and correlate it with nearby system activity.
The supplied ATT&CK object does not include official detection logic, tactics, relationships, aliases, or procedure examples. This take is therefore limited to the official description, macOS platform scope, and external reference. Local baselines and tooling details are required to define exact thresholds and alert logic.
Analytic 2040
Detects crafted activity resulting in crashes or impairment of endpoint security extensions, network filters, launch daemons, or telemetry agents. Correlates process activity, system extension state changes, and telemetry interruption.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 042ead821b76… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN2040Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.