Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1307: Analytic 1307

macOS environmental keying behavioral chain: (1) System information discovery through native utilities (system_profiler, sw_vers, hostname, dscl) and Security framework queries, (2) Hardware and software enumeration including serial numbers, installed applications, and system versions, (3) Network configuration assessment (networksetup, scutil) and wireless network discovery, (4) Keychain and security context validation, (5) Unified Logs correlation with cryptographic framework usage (CommonCrypto, Security.framework), (6) Application bundle execution following environmental validation

EnterpriseAN1307AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN1307 describes a macOS-focused behavioral chain where software checks the host environment before running an application bundle: system identity, hardware/software details, network configuration, wireless context, keychain/security state, and related cryptographic or Security.framework activity. For leaders, the value is not that any one native command is malicious; it is that coordinated environmental validation can indicate software deciding whether, where, or how to execute on a Mac endpoint.

Executive priority

Prioritize this as a macOS detection-readiness and incident-triage question: can the organization reconstruct suspicious application execution when it is preceded by native discovery, network assessment, keychain/security checks, and Unified Log evidence? This matters for SOC coverage, IR evidence quality, and audit confidence around managed Mac fleets, especially where executives rely on macOS endpoints for privileged business operations or development work.

Technical view

SOC and detection teams should validate whether macOS endpoint telemetry can correlate native utilities such as system_profiler, sw_vers, hostname, dscl, networksetup, and scutil with application bundle execution and relevant Security.framework/CommonCrypto or keychain-related context. Because ATT&CK provides no official detection logic for this analytic, coverage should focus on behavioral sequencing, parent/child process context, command-line visibility, timing relationships, and whether the same application or user session performs multiple environment checks before execution.

Likely telemetry

  • macOS process execution events for native discovery utilities
  • Command-line arguments and parent/child process relationships
  • Application bundle execution events and file path/signing context where available
  • Unified Logs related to Security.framework, CommonCrypto, keychain, or security context activity
  • Network configuration and wireless discovery command usage

Detection direction

  • Build or validate correlation around multiple macOS environment-discovery actions followed by application bundle execution rather than alerting on single native utility usage.
  • Tune for legitimate administrative, inventory, MDM, help desk, and security tooling that commonly uses the listed utilities.
  • Check whether Unified Logs are retained and searchable long enough to support correlation with process telemetry during investigations.
  • Confirm visibility into command-line arguments; without them, system_profiler, networksetup, scutil, and similar utilities may be too generic for reliable triage.
  • Use local baselining for managed Mac fleets because normal software inventory, compliance agents, and enterprise management workflows can resemble parts of this chain.

Mitigation priorities

  • Ensure macOS endpoint monitoring captures process execution, command line, application launch, and relevant log data before relying on this analytic operationally.
  • Maintain authoritative inventory of approved management, security, and software-distribution tools to reduce false positives.
  • Review controls around application execution, trusted software sources, and managed device configuration for macOS fleets.
  • Preserve sufficient endpoint and Unified Log retention for incident response reconstruction.
  • Document detection coverage and known blind spots as compliance or readiness evidence where macOS endpoints are in scope.
Analyst notes and limits

This object is a detection analytic, not a technique or threat actor entry. No tactics, relationships, official detection logic, aliases, or labels were supplied. The strongest use is as a validation pattern for macOS telemetry correlation around environmental keying behavior.

The supplied ATT&CK fields do not provide detection pseudocode, data source mappings, mitigations, adversary relationships, active exploitation claims, or impact details. Local environment baselines and telemetry availability are required to determine whether this can be detected reliably.

Official MITRE ATT&CK definition

Analytic 1307

macOS environmental keying behavioral chain: (1) System information discovery through native utilities (system_profiler, sw_vers, hostname, dscl) and Security framework queries, (2) Hardware and software enumeration including serial numbers, installed applications, and system versions, (3) Network configuration assessment (networksetup, scutil) and wireless network discovery, (4) Keychain and security context validation, (5) Unified Logs correlation with cryptographic framework usage (CommonCrypto, Security.framework), (6) Application bundle execution following environmental validation

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
f64cce0a81bfd4e8...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle f64cce0a81bf…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1307
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use