Full Report
Unit 42 has discovered a new macOS Tahoe 26 forensic artifact that tracks user menu selections across the operating system. The post Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered appeared first on Unit 42.
Analysis Summary
# Tool/Technique: macOS Tahoe 26 App.MenuItem Biome Artifact
## Overview
The `App.MenuItem` is a newly discovered digital forensic artifact in macOS Tahoe 26. Part of the specialized Apple Biome system, this artifact tracks and logs specific user menu selections across the operating system. It provides high-granularity data regarding "digital intent," allowing investigators to reconstruct step-by-step user workflows, such as file compression for exfiltration or deliberate data destruction.
## Technical Details
- **Type**: Forensic Artifact / Technique (Tracing User Intent)
- **Platform**: macOS Tahoe (version 26.x)
- **Capabilities**: Logging of menu item text, timestamps of interactions, and application-specific UI actions.
- **First Seen**: June 12, 2026 (Reported by Unit 42)
## MITRE ATT&CK Mapping
- **[TA0007 - Discovery]**
- **[T1082 - System Information Discovery]**: While primarily a forensic artifact, knowledge of these logs allows actors to identify what traces they are leaving.
- **[TA0009 - Collection]**
- **[T1119 - Automated Collection]**: Biome streams automatically collect user interaction data for OS features (e.g., suggestions), which can be repurposed by researchers or attackers.
- **[TA0010 - Exfiltration]**
- **[T1020 - Automated Exfiltration]**: Useful for investigators to identify when a user or actor selected "Compress" or "Share" via UI menus.
## Functionality
### Core Capabilities
- **Menu Tracking**: Records specific text from menu selections (e.g., "Move to Trash," "Go to Folder," "Save...").
- **Temporal Context**: Provides precise timestamps for every menu interaction, enabling the creation of a chronological narrative of user activity.
- **UI Interaction Mapping**: Captures interactions with the Dock and specific application menus (e.g., Finder, TextEdit).
### Advanced Features
- **Workflow Reconstruction**: Enables investigators to see the intent behind file system events—distinguishing between a system-automated delete and a manual "Empty Trash" command.
- **Persistence**: Stored in SEGB-encapsulated protobuf format within the Biome stream architecture, which is generally not cleared by standard user-level log cleaning.
## Indicators of Compromise
*Note: As this is a forensic artifact rather than a malware sample, traditional IOCs like hashes and C2s are not applicable. Instead, use these behavioral/location indicators.*
- **File Paths**: `~/Library/Biome/streams/restricted/App.MenuItem/local`
- **File Format**: SEGB-encapsulated Protobuf entries.
- **Behavioral Indicators**:
- Use of the `ccl-segb` tool to access restricted Biome streams.
- Specific menu-driven patterns such as: `Go to Folder` -> `Compress [Folder]` -> `Move to Trash` -> `Empty Trash`.
## Associated Threat Actors
- **N/A**: This is an OS-level artifact used by forensic examiners. However, it is highly relevant for investigating **Insider Threats** and **Hands-on-Keyboard attackers** who utilize the macOS GUI.
## Detection Methods
- **Manual Analysis**: Exporting the local Biome stream and parsing it via the `ccl-segb` Python script.
- **Behavioral detection**: Monitoring for unauthorized access to the `~/Library/Biome/` directory, specifically within the `restricted` subfolder.
- **Forensic Tools**: Modern forensic suites may require updates to natively parse the `App.MenuItem` stream.
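The workflow reconstruction behind the behavioral indicator above (`Go to Folder` -> `Compress` -> `Move to Trash` -> `Empty Trash`) and the manual-analysis step, as an added example that is neither Unit 42's code nor part of `ccl-segb`: it runs over already-parsed menu records and reports only complete, in-order sequences inside a time window. The `(ts, app, text)` record layout and the sample timeline are constructed assumptions, not the real export format of the stream.

```python
"""Reconstruct the menu-driven staging-and-cleanup workflow from parsed
App.MenuItem records.  Added example: not Unit 42's code and not part of
ccl-segb; the (ts, app, text) record layout is an assumed export format."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class MenuEvent:
    ts: datetime   # when the menu item was selected
    app: str       # application owning the menu (e.g. Finder)
    text: str      # menu item text as recorded in the stream

# Ordered steps; each is a prefix match on the menu text, so the recorded
# 'Compress "Reports"' satisfies the "Compress" step.
STAGING_PATTERN = ("Go to Folder", "Compress", "Move to Trash", "Empty Trash")

def find_workflows(events, pattern=STAGING_PATTERN, window_minutes=30):
    """Return each completed, in-order instance of `pattern` whose first and
    last steps fall within the window; unrelated selections may interleave."""
    window = timedelta(minutes=window_minutes)
    ordered = sorted(events, key=lambda e: e.ts)
    matches = []
    for i, start in enumerate(ordered):
        if not start.text.startswith(pattern[0]):
            continue
        chain = [start]
        for ev in ordered[i + 1:]:
            if ev.ts - start.ts > window:
                break                      # chain went stale, abandon it
            if ev.text.startswith(pattern[len(chain)]):
                chain.append(ev)
                if len(chain) == len(pattern):
                    matches.append(chain)  # complete workflow reconstructed
                    break
    return matches

def _t(hhmm):  # constructed UTC timestamp on one day for the sample timeline
    return datetime.strptime("2026-06-12 " + hhmm, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)

# Constructed sample timeline (not real Biome data); the 16:00 start never completes.
SAMPLE = [
    MenuEvent(_t("09:02"), "Finder", "Go to Folder"),
    MenuEvent(_t("09:03"), "Finder", "Get Info"),
    MenuEvent(_t("09:04"), "Finder", 'Compress "Reports"'),
    MenuEvent(_t("09:05"), "Finder", "Move to Trash"),
    MenuEvent(_t("09:06"), "Finder", "Empty Trash"),
    MenuEvent(_t("14:10"), "TextEdit", "Save..."),
    MenuEvent(_t("16:00"), "Finder", "Go to Folder"),
    MenuEvent(_t("17:30"), "Finder", "Empty Trash"),
]
```

Running `find_workflows(SAMPLE)` yields the single 09:02-09:06 Finder chain; the 16:00 `Go to Folder` followed only by a much later `Empty Trash` is not reported, which is the distinction between an incidental menu pick and the full staging pattern.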
## Mitigation Strategies
- **Data Protection**: Implementation of Full Disk Encryption (FileVault) to prevent offline forensic analysis of Biome streams.
- **Access Control**: Restricting administrative privileges to prevent the extraction of Biome data from the `restricted` directory.
- **Privacy Settings**: Reviewing macOS "Siri & Suggestions" or "Analytics" settings, which often populate these Biome streams.
## Related Tools/Techniques
- **ccl-segb**: An open-source Python tool used to parse Biome SEGB files.
- **KnowledgeC.db**: A related macOS/iOS database that tracks app usage and user activity.
- **Apple Biome Streams**: The underlying framework for tracking user behavior (Media consumption, App usage).