Analytics Story: MacOS Persistence Techniques

Description

Monitor for activities and techniques associated with maintaining persistence on a MacOS system, a sign that an adversary may have compromised your environment.

Why it matters

Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a MacOS environment.

Detections

Name                                     Technique                          Type
MacOS Account Created                    Create Account                     Anomaly
MacOS Gatekeeper Bypass                  Gatekeeper Bypass                  Anomaly
MacOS Hidden Files and Directories       Hidden Files and Directories       Anomaly
MacOS Kextload Usage                     Create or Modify System Process    TTP

Data Sources

Name               Platform    Sourcetype         Source
Osquery Results    Other       osquery:results    osquery
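The four detections above all consume osquery result logs. The following is an added example written for this page, not Splunk's own searches from the story, showing one way the same four behaviours can be flagged from raw `osquery:results` events before or instead of the SPL. The sample events are constructed, the pack/query names (`pack_macos_process_events`, `pack_macos_file_events`, `pack_macos_users`) are hypothetical, and the event shape (top-level `name`, `hostIdentifier`, `action`, `columns`) is assumed to follow osquery's line-per-JSON-object result-log format.

```python
"""Toy detection pass over osquery result-log events for the macOS persistence
behaviours listed in this story.  Added example; not Splunk's detection code."""
import json
import os
import shlex
from typing import Dict, List

# Constructed sample events (not real telemetry).  Query names are hypothetical
# pack names; the top-level fields follow osquery's result-log format (assumed).
SAMPLE_OSQUERY_LOG = "\n".join(json.dumps(e) for e in [
    {"name": "pack_macos_process_events", "hostIdentifier": "mac-01", "action": "added",
     "columns": {"uid": "0", "path": "/sbin/kextload",
                 "cmdline": "/sbin/kextload /Library/Extensions/updater.kext"}},
    {"name": "pack_macos_process_events", "hostIdentifier": "mac-01", "action": "added",
     "columns": {"uid": "501", "path": "/usr/bin/xattr",
                 "cmdline": "xattr -d com.apple.quarantine /Users/alice/Downloads/Installer.app"}},
    {"name": "pack_macos_process_events", "hostIdentifier": "mac-02", "action": "added",
     "columns": {"uid": "0", "path": "/usr/sbin/spctl", "cmdline": "spctl --master-disable"}},
    {"name": "pack_macos_file_events", "hostIdentifier": "mac-01", "action": "added",
     "columns": {"target_path": "/Users/alice/Library/LaunchAgents/.com.apple.helper.plist",
                 "action": "CREATED"}},
    {"name": "pack_macos_users", "hostIdentifier": "mac-02", "action": "added",
     "columns": {"uid": "502", "username": "svc_backup", "shell": "/bin/zsh"}},
    # Benign noise: an ordinary process and an ordinary dotfile in a home directory.
    {"name": "pack_macos_process_events", "hostIdentifier": "mac-01", "action": "added",
     "columns": {"uid": "501", "path": "/bin/ls", "cmdline": "ls -la"}},
    {"name": "pack_macos_file_events", "hostIdentifier": "mac-01", "action": "added",
     "columns": {"target_path": "/Users/alice/.zshrc", "action": "UPDATED"}},
])

# kextload is the classic loader; kmutil replaced it on newer macOS ("kmutil load ...").
KEXT_LOADERS = {"kextload", "kmutil"}
# Directories launchd scans for persistence items; a dotfile dropped here is suspicious.
PERSISTENCE_DIRS = ("/LaunchAgents/", "/LaunchDaemons/", "/StartupItems/")


def classify(event: dict) -> List[str]:
    """Return the names of the story's detections one osquery event matches."""
    hits: List[str] = []
    cols = event.get("columns", {})
    name = event.get("name", "")

    # Create Account: a new row appearing in the users table.
    if name.endswith("users") and event.get("action") == "added":
        hits.append("MacOS Account Created")

    if name.endswith("process_events"):
        argv = shlex.split(cols.get("cmdline", ""))
        exe = os.path.basename(cols.get("path", ""))
        # Create or Modify System Process: loading a kernel extension.
        if exe in KEXT_LOADERS and (exe == "kextload" or "load" in argv):
            hits.append("MacOS Kextload Usage")
        # Gatekeeper Bypass: stripping the quarantine xattr or disabling assessment.
        if exe == "xattr" and "-d" in argv and "com.apple.quarantine" in argv:
            hits.append("MacOS Gatekeeper Bypass")
        if exe == "spctl" and "--master-disable" in argv:
            hits.append("MacOS Gatekeeper Bypass")

    # Hidden Files and Directories: dot-prefixed file created in a launchd directory.
    if name.endswith("file_events") and event.get("action") == "added":
        path = cols.get("target_path", "")
        if os.path.basename(path).startswith(".") and any(d in path for d in PERSISTENCE_DIRS):
            hits.append("MacOS Hidden Files and Directories")
    return hits


def scan(log_text: str) -> Dict[str, List[str]]:
    """Classify every JSON line; map hostIdentifier -> sorted, de-duplicated hits."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for hit in classify(event):
            findings.setdefault(event["hostIdentifier"], []).append(hit)
    return {host: sorted(set(hits)) for host, hits in findings.items()}


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_OSQUERY_LOG).items():
        print(host, hits)
```

Two of these rules are deliberately narrower than the bare technique names: the hidden-file rule only fires inside launchd directories because dotfiles are normal everywhere else in a home directory, and the kext rule matches `kmutil` only with a `load` argument. In production, `kextload`/`kmutil` and `spctl` also appear in legitimate installers and MDM workflows, so expect to tune by parent process, code-signing identity, or a baseline of known packages rather than on the command line alone.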

Source: GitHub | Version: 1