MITRE ATT&CK® Analytic

AN1359: Analytic 1359

Detects anomalous use of Mach ports, Apple Events, or XPC services for inter-process execution or code injection. Focuses on unexpected processes attempting to send privileged Apple Events (e.g., automation scripts injecting into security-sensitive apps).

Enterprise | AN1359 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it focuses on suspicious macOS inter-process activity: unexpected use of Mach ports, Apple Events, or XPC services to drive execution or inject code into other processes, especially security-sensitive applications. For leaders, the value is not that this single ATT&CK analytic proves compromise, but that it highlights a macOS visibility question: can the organization see when automation or IPC mechanisms are being used in ways that could affect endpoint integrity and incident response confidence?

Executive priority

Prioritize this where macOS systems support privileged users, developers, executives, administrators, or regulated workflows. The business risk is loss of confidence in endpoint control and investigation evidence if security-sensitive applications can be manipulated through unexpected inter-process mechanisms without reliable telemetry. Leaders should ask whether macOS monitoring, managed detection, and IR playbooks include Apple Events, Mach port, and XPC abuse scenarios, and whether exceptions for legitimate automation are documented for audit and response decisions.

Technical view

For SOC, detection engineering, and IR teams, validate whether macOS telemetry can identify unusual processes attempting privileged Apple Events, interacting with Mach ports, or invoking XPC services in unexpected ways. Because the ATT&CK object provides no formal detection logic, teams should build environment-specific baselines for normal automation and IPC activity, then focus review on unexpected source processes, security-sensitive target applications, unusual parent-child context, and activity inconsistent with approved administration or automation patterns.

Likely telemetry

  • macOS endpoint security or EDR events showing process execution and process relationships
  • Apple Events or automation-related telemetry where available
  • XPC service invocation or inter-process communication telemetry where available (macOS 14 and later expose an XPC connect event through the Endpoint Security framework)
  • Mach port interaction telemetry where available (the Endpoint Security framework exposes task-port acquisition and remote thread creation events, not raw Mach message traffic)
  • TCC (Transparency, Consent, and Control) records for the Automation permission, which governs which applications may send Apple Events to which targets

Detection direction

  • Confirm that macOS data sources can expose Apple Events, XPC, and Mach port activity rather than only standard process creation events.
  • Baseline legitimate automation scripts, management tools, developer workflows, and administrative utilities to reduce false positives.
  • Prioritize anomalies where unexpected processes attempt to control or interact with security-sensitive applications.
  • Correlate IPC activity with process lineage, user context, application permissions, and recent changes to automation approvals.
  • Treat sparse or missing macOS IPC telemetry as a coverage gap; absence of alerts should not be interpreted as absence of activity.

Mitigation priorities

  • Inventory legitimate macOS automation and inter-process workflows, especially those involving privileged or security-sensitive applications.
  • Limit and review application automation permissions and administrative access where business processes allow.
  • Harden endpoint monitoring requirements for macOS so IPC and automation abuse can be investigated, not just process execution.
  • Document approved exceptions for management scripts, automation tools, and developer utilities to support SOC triage and compliance evidence.
  • Ensure incident response playbooks include collection of macOS process context, automation permissions, and relevant endpoint logs when suspicious IPC behavior is observed.
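The detection direction above (baseline approved automation, prioritize unexpected sources against security-sensitive targets, correlate with process lineage and Automation permissions) and the inventory step in the mitigation list can be exercised with a small triage routine. The block below is an added example for this page; it is not MITRE detection logic and not Glexia tooling. The event schema, the security-sensitive bundle set, the baseline pairs, the MDM agent signing ID com.example.mdmagent, and the paths /Library/Example/mdmagent and /private/tmp/inject are all constructed or hypothetical. The grant rows mirror the column names of the TCC.db access table (service, client, client_type, indirect_object_identifier, auth_value) but live in an in-memory SQLite database so the example runs offline.

```python
import sqlite3

# Constructed set of targets whose control over IPC warrants review (assumption).
SECURITY_SENSITIVE = {"com.apple.systempreferences", "com.apple.keychainaccess"}

# Constructed baseline of approved (source signing ID, target bundle ID) pairs.
# com.example.mdmagent is a hypothetical management agent.
BASELINE = {("com.example.mdmagent", "com.apple.systempreferences")}

# Scripting hosts whose parent deserves scrutiny, and the parents the
# constructed inventory accepts for them (the mdmagent path is hypothetical).
SCRIPT_HOSTS = {"/usr/bin/osascript", "/usr/bin/python3", "/bin/sh", "/bin/zsh"}
APPROVED_PARENTS = {
    "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
    "/Library/Example/mdmagent",
}

# Constructed IPC events in a hypothetical normalized schema. On a real host
# these would come from EDR or Endpoint Security telemetry.
CONSTRUCTED_EVENTS = [
    {"ts": "2025-01-10T09:00:01Z", "kind": "apple_event_send", "src_path": "/Library/Example/mdmagent",
     "src_signing_id": "com.example.mdmagent", "parent_path": "/sbin/launchd",
     "target": "com.apple.systempreferences"},
    {"ts": "2025-01-10T09:02:17Z", "kind": "apple_event_send", "src_path": "/usr/bin/osascript",
     "src_signing_id": "com.apple.osascript", "parent_path": "/bin/sh",
     "target": "com.apple.systempreferences"},
    {"ts": "2025-01-10T09:05:40Z", "kind": "apple_event_send",
     "src_path": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "src_signing_id": "com.apple.Terminal", "parent_path": "/sbin/launchd", "target": "com.apple.finder"},
    {"ts": "2025-01-10T09:07:03Z", "kind": "get_task", "src_path": "/private/tmp/inject",
     "src_signing_id": "", "parent_path": "/bin/zsh", "target": "com.apple.keychainaccess"},
]


def constructed_tcc() -> sqlite3.Connection:
    """In-memory table with the TCC.db `access` columns this check needs.
    Rows are constructed. On a real host the table is in
    ~/Library/Application Support/com.apple.TCC/TCC.db and reading it requires
    Full Disk Access. auth_value 2 means allowed, 0 means denied."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER,"
                 " indirect_object_identifier TEXT, auth_value INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?)", [
        ("kTCCServiceAppleEvents", "com.example.mdmagent", 0, "com.apple.systempreferences", 2),
        ("kTCCServiceAppleEvents", "com.apple.Terminal", 0, "com.apple.finder", 2),
    ])
    return conn


def automation_allowed(conn: sqlite3.Connection, client: str, target: str) -> bool:
    """True when TCC records an allowed Automation grant from client to target."""
    row = conn.execute(
        "SELECT auth_value FROM access WHERE service='kTCCServiceAppleEvents'"
        " AND client=? AND indirect_object_identifier=?", (client, target)).fetchone()
    return row is not None and row[0] == 2


def inventory(conn: sqlite3.Connection) -> list:
    """Current Automation grants as (client, target, allowed) tuples: the
    inventory the mitigation list asks teams to keep and review."""
    return [(c, t, v == 2) for c, t, v in conn.execute(
        "SELECT client, indirect_object_identifier, auth_value FROM access"
        " WHERE service='kTCCServiceAppleEvents' ORDER BY client, indirect_object_identifier")]


def triage(events: list, conn: sqlite3.Connection) -> list:
    """Return one finding per event that matches any rule, carrying every
    reason that fired so the analyst sees which correlation applied."""
    findings = []
    for e in events:
        reasons = []
        # Task-port acquisition or remote thread creation is injection-grade
        # regardless of baseline, so it is always surfaced.
        if e["kind"] in ("get_task", "remote_thread_create"):
            reasons.append(f"{e['kind']} against {e['target']}")
        # Unexpected source against a security-sensitive target.
        if e["target"] in SECURITY_SENSITIVE and (e["src_signing_id"], e["target"]) not in BASELINE:
            reasons.append("unbaselined source targeting security-sensitive app")
        # Apple Event attempted without a recorded Automation grant.
        if e["kind"] == "apple_event_send" and not automation_allowed(conn, e["src_signing_id"], e["target"]):
            reasons.append("no TCC Automation grant recorded for this source/target")
        # Scripting host spawned by a parent outside the approved set.
        if e["src_path"] in SCRIPT_HOSTS and e["parent_path"] not in APPROVED_PARENTS:
            reasons.append(f"script host launched by unexpected parent {e['parent_path']}")
        if reasons:
            findings.append({"ts": e["ts"], "src": e["src_signing_id"],
                             "target": e["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    db = constructed_tcc()
    for grant in inventory(db):
        print("grant:", grant)
    for finding in triage(CONSTRUCTED_EVENTS, db):
        print("finding:", finding)
```

Run as written, the management agent's and Terminal's events produce no findings, while the osascript send from a shell parent and the unsigned binary acquiring a task port on Keychain Access each surface with every reason listed. The useful design point is that the TCC grant table serves twice: as the inventory reviewed under the mitigation list and as the correlation source for the "no grant recorded" rule, so an inventory change shows up directly in triage behaviour.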

Analyst notes and limits

This is a detection analytic object for macOS focused on anomalous Mach port, Apple Events, or XPC service use for inter-process execution or code injection. The supplied ATT&CK fields do not include tactics, relationships, or official detection pseudocode, so the strongest use is as a validation prompt for macOS visibility, baselining, and triage readiness.

The official detection field is not provided, and no relationship context is supplied. This take does not infer specific techniques, adversaries, active exploitation, impact, or guaranteed detection coverage. Local endpoint telemetry, approved automation inventory, and security-sensitive application context are required to make the analytic operational.

Official MITRE ATT&CK definition

Analytic 1359

Detects anomalous use of Mach ports, Apple Events, or XPC services for inter-process execution or code injection. Focuses on unexpected processes attempting to send privileged Apple Events (e.g., automation scripts injecting into security-sensitive apps).

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: (blank in the mirrored snapshot)
Modified: (blank in the mirrored snapshot)
Raw hash: 747223548cf8b04b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (blank) | 1.0 | (blank) | Current bundle | 747223548cf8…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack AN1359

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.