MITRE ATT&CK® Analytic

AN0026: Analytic 0026

Correlates launchd plist modifications with subsequent unauthorized script execution or anomalous parent-child process trees involving user agents.

Enterprise | AN0026 | Analytic object | v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because macOS launchd property list changes can affect how software or user agents start and run. Correlating those changes with later script execution or unusual parent-child process activity helps defenders distinguish routine configuration activity from behavior that may require investigation. For leaders, the decision value is whether macOS endpoint monitoring can connect configuration changes to process behavior quickly enough to support incident response and continuity decisions.

Executive priority

Prioritize this as a macOS endpoint visibility and response-readiness question. Security leaders should ask whether SOC and IR teams can prove collection of launchd plist modification events, script execution evidence, and process lineage on managed macOS systems. This is also useful for audit and compliance evidence where endpoint change monitoring, unauthorized execution review, or privileged workstation controls are expected.

Technical view

For SOC and detection engineering teams, validate whether macOS telemetry can correlate three elements: launchd plist modifications, subsequent script execution, and anomalous parent-child process trees involving user agents. Because the ATT&CK object does not provide a full detection rule or tactic mapping, implementation should be environment-specific and tuned against known administrative tools, software update mechanisms, endpoint management agents, and developer workflows that legitimately modify launchd-related files or spawn scripts.

Likely telemetry

  • macOS file modification events for launchd property list locations
  • process creation events with parent-child process lineage
  • script interpreter execution events
  • user context associated with plist changes and subsequent processes
  • endpoint management or administrative tool activity that may explain authorized changes

Detection direction

  • Confirm that plist modification telemetry and process telemetry are collected from macOS endpoints and can be joined by host, user, and time window.
  • Tune for known-good software installation, update, endpoint management, and administrative maintenance activity to reduce false positives.
  • Review anomalous user-agent parent-child process trees, especially when closely preceded by launchd plist changes.
  • Validate that script execution visibility includes common macOS scripting paths and interpreters without assuming coverage from process telemetry alone.
  • Use this analytic as a correlation pattern rather than a standalone alert because no official detection logic is supplied.
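One way to implement the correlation pattern described above, as an added example that is not part of the ATT&CK object or of Glexia's page: plist modification events and process creation events are joined by host, user and time window, a writer allowlist tunes out an endpoint management tool, and a hit is a script interpreter spawned directly by launchd in the same user context shortly after a LaunchAgents plist write. The event field names, the interpreter list and the allowlisted management binary path are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SCRIPT_INTERPRETERS = {"bash", "sh", "zsh", "python3", "osascript", "perl"}  # assumed set
ALLOWLISTED_WRITERS = {"/usr/local/bin/mgmt-agent"}  # hypothetical management tool

@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str          # "file_modify" (plist write) or "proc_exec" (process creation)
    path: str = ""     # plist path, file events only
    writer: str = ""   # image that wrote the plist, file events only
    image: str = ""    # executable name, process events only
    parent: str = ""   # parent image name, process events only

def is_launch_agent_plist(path):
    # User agents are registered under <home>/Library/LaunchAgents/*.plist
    return path.endswith(".plist") and "/Library/LaunchAgents/" in path

def correlate(events, window_minutes=10):
    """Join non-allowlisted LaunchAgents plist writes to later process events on the
    same host and user; report script interpreters parented by launchd in the window."""
    window = timedelta(minutes=window_minutes)
    mods = [e for e in events if e.kind == "file_modify"
            and is_launch_agent_plist(e.path) and e.writer not in ALLOWLISTED_WRITERS]
    procs = [e for e in events if e.kind == "proc_exec"]
    hits = []
    for m in mods:
        for p in procs:
            if (p.host, p.user) != (m.host, m.user) or not (m.ts <= p.ts <= m.ts + window):
                continue
            if p.image in SCRIPT_INTERPRETERS and p.parent == "launchd":
                hits.append((m.path, p.image, p.ts.isoformat()))
    return hits

T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    Event(T0, "mac-01", "alice", "file_modify",
          path="/Users/alice/Library/LaunchAgents/com.example.updater.plist", writer="/usr/bin/vim"),
    Event(T0 + timedelta(minutes=2), "mac-01", "alice", "proc_exec", image="osascript", parent="launchd"),
    # Management agent writing its own plist is tuned out by the writer allowlist
    Event(T0, "mac-02", "bob", "file_modify",
          path="/Users/bob/Library/LaunchAgents/com.mgmt.agent.plist", writer="/usr/local/bin/mgmt-agent"),
    Event(T0 + timedelta(minutes=1), "mac-02", "bob", "proc_exec", image="bash", parent="launchd"),
    # Same user and interpreter two hours later: outside the window, not correlated
    Event(T0 + timedelta(hours=2), "mac-01", "alice", "proc_exec", image="bash", parent="launchd"),
]
```

Running correlate(SAMPLE_EVENTS) returns a single hit for alice's plist followed by osascript; shrinking the window to one minute returns nothing, which is the kind of threshold decision the analyst notes leave to local engineering.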

Mitigation priorities

  • Establish controlled change management for macOS launchd-related configuration where operationally feasible.
  • Limit who can modify startup or user-agent configuration on managed macOS systems through appropriate endpoint and identity controls.
  • Maintain endpoint logging that preserves file modification, process creation, user, and timestamp context for investigations.
  • Baseline legitimate launchd plist changes from management tools, software updates, and approved administrative activity.
  • Ensure incident response playbooks include triage of recent plist changes and related script or process activity on macOS hosts.

Analyst notes and limits

This is a detection analytic object, not a technique description. The supplied ATT&CK fields identify macOS as the platform and describe a correlation between launchd plist modifications, unauthorized script execution, and anomalous user-agent process trees. No tactics, related techniques, adversary relationships, or official detection logic were supplied, so local engineering decisions must define thresholds, time windows, and allowlists.

The object provides a concise description only. There is no official detection content, no relationship context, and no stated tactic mapping. This take should not be read as evidence of active exploitation, attribution, impact, or confirmed coverage in any environment.

Official MITRE ATT&CK definition

Analytic 0026

Correlates launchd plist modifications with subsequent unauthorized script execution or anomalous parent-child process trees involving user agents.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created: (no value in snapshot)
Modified: (no value in snapshot)
Raw hash: 921508d6f3d51a75...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1      (blank)           1.0              (blank)    Current bundle   921508d6f3d5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0026 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.