MITRE ATT&CK® Analytic

AN0011: Analytic 0011

Modification of PATH or HOME environment variables through shell config files, launchctl, or /etc/paths.d entries, combined with process execution from attacker-controlled directories. Defender correlates file changes in /etc/paths.d with process execution resolving to malicious binaries.

Enterprise | AN0011 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because macOS environment variable changes can quietly alter which program runs when a user or service invokes a command by name. For leaders, the practical risk is not the variable change by itself; it is the combination of a PATH or HOME change and later execution of binaries from directories an attacker controls. That combination can undermine trust in normal administrative activity and make incident triage harder if endpoint and file-change telemetry are incomplete.

Executive priority

Prioritize this as a macOS endpoint visibility and response-readiness question: can the organization prove when shell configuration files, launchctl settings, or /etc/paths.d entries change, and can it link those changes to subsequent process execution paths? This is relevant for business continuity and audit evidence because weak coverage can leave teams unable to explain whether a suspicious macOS process was launched through expected configuration or through manipulated execution resolution.

Technical view

Validate collection and correlation for macOS changes affecting PATH or HOME through shell config files, launchctl, and /etc/paths.d entries. The key analytic idea supplied by ATT&CK is correlation: file changes in /etc/paths.d should be reviewed alongside process execution that resolves to binaries in attacker-controlled or otherwise unusual directories. PATH matters because the shell runs the first matching executable in PATH order, so a directory inserted ahead of /usr/bin or /bin can shadow a trusted command name; HOME matters because shells and many tools locate their per-user configuration relative to HOME, so redirecting it points them at files an attacker wrote. Because no ATT&CK tactic or formal detection logic is supplied, teams should tune this around local baselines for developer tooling, administration scripts, and managed software that routinely modify environment paths.

Likely telemetry

  • macOS file modification events for shell configuration files
  • macOS file modification events for /etc/paths.d entries
  • launchctl configuration or environment-related activity
  • Process execution telemetry with full executable path
  • Parent-child process context for launched processes

Detection direction

  • Confirm that file-change monitoring covers /etc/paths.d and relevant shell configuration locations on macOS systems.
  • Correlate environment-related file changes with later process execution where the resolved executable path is outside expected or managed directories.
  • Baseline legitimate PATH or HOME modifications from administrators, developer tools, and endpoint management workflows to reduce false positives.
  • Review whether process telemetry records the actual executable path, not only the command name, because PATH manipulation is most meaningful when resolution location is visible.
  • Treat isolated environment-variable changes as lower-confidence unless paired with suspicious execution context, unusual directory ownership, or unexpected user activity.
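
The correlation described in the Technical view and in the Detection direction list above, worked as runnable detection logic. This is an added example, not code from the ATT&CK object or from Glexia; the JSON event schema, the trusted-directory list, the SYSTEM_COMMANDS set, the 24-hour window and the sample records are all constructed assumptions for illustration, and a real deployment would replace them with its own telemetry format and baseline. The `resolve_command` helper also shows why the resolved executable path, not the command name, is the field that matters.

```python
"""Added example: correlate macOS PATH/HOME configuration changes with later
process execution whose resolved executable lies outside trusted directories.
The event schema, trusted-directory list and sample records are constructed
for illustration and are not from ATT&CK or any vendor product."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import json
import os

# Assumed trusted executable locations; derive these from your own baseline.
TRUSTED_PREFIXES = ("/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/",
                    "/usr/local/bin/", "/opt/homebrew/bin/", "/System/")
# Files whose modification can change PATH or HOME for users or launchd jobs.
WATCHED_PREFIXES = ("/etc/paths", "/etc/zprofile", "/etc/zshrc", "/etc/profile",
                    "/etc/bashrc")
WATCHED_SUFFIXES = ("/.zshrc", "/.zprofile", "/.bash_profile", "/.bashrc", "/.profile")
# Command names that should resolve inside a trusted directory (constructed sample).
SYSTEM_COMMANDS = {"ls", "sudo", "ssh", "curl", "git", "python3"}
CORRELATION_WINDOW = timedelta(hours=24)  # assumed; tune to local change cadence


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str      # "file_modify" or "process_exec"
    user: str
    path: str      # modified file, or the fully resolved executable path
    cmd: str = ""  # command name as typed (process_exec only)


def parse_events(lines):
    """Parse newline-delimited JSON records in the constructed schema above."""
    events = []
    for line in lines:
        if line.strip():
            r = json.loads(line)
            events.append(Event(datetime.fromisoformat(r["ts"]), r["host"], r["kind"],
                                r["user"], r["path"], r.get("cmd", "")))
    return sorted(events, key=lambda e: e.ts)


def is_env_config_file(path):
    return path.startswith(WATCHED_PREFIXES) or path.endswith(WATCHED_SUFFIXES)


def is_trusted_location(exe_path):
    return exe_path.startswith(TRUSTED_PREFIXES)


def resolve_command(path_value, cmd, existing_files):
    """Mimic shell lookup: the first PATH entry holding cmd wins. existing_files
    stands in for the file system so the example runs without a macOS host."""
    for directory in path_value.split(":"):
        candidate = f"{directory.rstrip('/')}/{cmd}"
        if candidate in existing_files:
            return candidate
    return None


def correlate(events):
    """Alert when an exec from an untrusted directory follows, on the same host and
    within the window, a change to a PATH/HOME-bearing config file. Execs with no
    such prior change are left as lower-confidence signals, per the detection notes."""
    recent_changes = defaultdict(list)  # host -> config-file modifications seen so far
    alerts = []
    for e in events:
        if e.kind == "file_modify" and is_env_config_file(e.path):
            recent_changes[e.host].append(e)
        elif e.kind == "process_exec" and not is_trusted_location(e.path):
            prior = [c for c in recent_changes[e.host]
                     if timedelta(0) <= e.ts - c.ts <= CORRELATION_WINDOW]
            if prior:
                alerts.append({
                    "host": e.host, "user": e.user, "cmd": e.cmd, "resolved": e.path,
                    # A familiar command name resolving elsewhere is the classic hijack shape.
                    "shadows_system_command": e.cmd in SYSTEM_COMMANDS
                        and os.path.basename(e.path) == e.cmd,
                    "preceding_changes": [(c.ts.isoformat(), c.user, c.path) for c in prior],
                })
    return alerts


# Constructed telemetry: two hosts, one benign Homebrew change, one suspicious chain,
# one isolated exec with no prior change, one exec outside the window.
SAMPLE_LINES = """
{"ts":"2025-01-10T09:00:00","host":"mac-01","kind":"file_modify","user":"admin","path":"/etc/paths.d/homebrew"}
{"ts":"2025-01-10T09:05:00","host":"mac-01","kind":"process_exec","user":"admin","path":"/opt/homebrew/bin/brew","cmd":"brew"}
{"ts":"2025-01-10T10:00:00","host":"mac-01","kind":"file_modify","user":"jdoe","path":"/etc/paths.d/zz-local"}
{"ts":"2025-01-10T10:02:00","host":"mac-01","kind":"process_exec","user":"jdoe","path":"/Users/Shared/.cache/bin/sudo","cmd":"sudo"}
{"ts":"2025-01-10T10:03:00","host":"mac-02","kind":"process_exec","user":"jdoe","path":"/Users/jdoe/tools/mytool","cmd":"mytool"}
{"ts":"2025-01-12T11:00:00","host":"mac-01","kind":"process_exec","user":"jdoe","path":"/tmp/x","cmd":"x"}
"""


def run_sample():
    return correlate(parse_events(SAMPLE_LINES.splitlines()))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Running it yields a single alert for mac-01: the `sudo` launched from /Users/Shared/.cache/bin two minutes after /etc/paths.d/zz-local changed, with both earlier config changes on that host attached for triage. The Homebrew change is paired only with a trusted-location exec and stays silent, the mac-02 exec has no preceding change and stays a lower-confidence signal, and the /tmp/x exec falls outside the window. The only inputs that make this work are the resolved executable path and the file-change events, which is the telemetry gap the list above tells you to check first.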

Mitigation priorities

  • Ensure macOS endpoint logging captures both configuration file changes and process execution details before relying on this analytic.
  • Restrict write access to system-wide path configuration locations such as /etc/paths.d to authorized administrative workflows. These locations are root-owned by default, so a write there by a non-root user already indicates broken permissions or a privilege escalation and should be investigated on its own.
  • Review endpoint management practices so legitimate environment changes are documented and distinguishable from unexpected local changes.
  • Use incident response playbooks that preserve modified configuration files, process lineage, user context, and timestamps for macOS investigations.
  • Align detection validation with compliance evidence needs by retaining records showing who changed path-related configuration and what executed afterward.

Analyst notes and limits

The supplied object is a detection analytic, not a technique, and no relationship context is provided. The most defensible interpretation is to focus on macOS correlation between environment path manipulation and process execution from suspicious or attacker-controlled locations. Local environment baselines are essential because legitimate software and developer workflows may modify PATH-related settings.

ATT&CK did not provide a tactic, formal detection field, relationships, aliases, or broader procedure examples for this object. The phrase attacker-controlled directories is present in the official description, but determining whether a directory is attacker-controlled requires local ownership, permission, provenance, and incident context. No claim can be made here about active exploitation, attribution, impact, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Analytic 0011

Modification of PATH or HOME environment variables through shell config files, launchctl, or /etc/paths.d entries, combined with process execution from attacker-controlled directories. Defender correlates file changes in /etc/paths.d with process execution resolving to malicious binaries.

View the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
f2e09eead2d05bf9...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | f2e09eead2d0…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack, AN0011 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.