MITRE ATT&CK® Analytic

AN0050: Analytic 0050

Adversary attempts to detect monitoring agents such as Little Snitch, KnockKnock, or other system daemons via process listing (`ps -e`), application folder checks, and system extension listing.

Enterprise | AN0050 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic describes macOS adversary behavior focused on finding security monitoring tools before continuing an operation. For leaders, the key issue is not the specific command alone; it is that an intruder may check whether endpoint controls, network monitors, or security daemons are present and adapt accordingly. That makes this behavior relevant to SOC visibility validation, macOS endpoint hardening, and incident response scoping.

Executive priority

Prioritize this as a coverage-validation item for environments with meaningful macOS exposure. Security leaders should ask whether macOS process activity, application inventory, and system extension visibility are actually collected and usable during investigations. This behavior can indicate an adversary assessing defensive tooling, so it supports decisions about endpoint monitoring maturity, audit evidence for control operation, and IR readiness. Because ATT&CK provides no detection logic or relationships here, it should be treated as a validation target rather than proof of compromise by itself.

Technical view

For SOC, detection engineering, and IR teams, validate visibility into macOS activity involving process listing such as `ps -e`, checks of application folders, and listing or enumeration of system extensions when those actions appear directed at monitoring agents such as Little Snitch, KnockKnock, or other security/system daemons. Since no official detection is supplied, detection should be environment-specific and tuned against legitimate admin, IT support, EDR health-check, and software inventory activity. Investigations should focus on user, parent process, host role, timing, and whether enumeration is followed by additional suspicious behavior.

Likely telemetry

  • macOS process execution telemetry, including command-line arguments where available
  • Parent-child process context for shell, terminal, management, or scripting activity
  • File system or application inventory evidence for checks of application folders
  • System extension listing or configuration telemetry
  • Endpoint security or EDR events related to security agent discovery

Detection direction

  • Build or validate detections for macOS commands and scripts that enumerate processes, application folders, or system extensions in ways that reference monitoring agents or security daemons.
  • Tune detections against known-good IT administration, software deployment, compliance inventory, and security tool health-check workflows to reduce false positives.
  • Correlate enumeration with surrounding activity rather than alerting on `ps -e` alone, which is commonly legitimate.
  • Confirm whether telemetry captures command-line content and system extension enumeration; without those fields, coverage may be limited.
  • Use this analytic as a macOS detection gap assessment because ATT&CK does not provide a ready-made detection rule.
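As an added example (not Glexia's or MITRE's code), the correlation approach described above run over constructed macOS process-execution events in Python: a session is flagged only when a command line references a monitoring agent by name, or when two or more enumeration categories (process listing, application-folder check, system-extension listing) occur within a short window, and an assumed known-good management parent is tuned out. The `systemextensionsctl list` command, the `jamf` parent name and the sample events are assumptions, not page content.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): timestamp, host, user, parent, command line
EVENTS = [
    ("2024-05-01T10:00:00", "mac-01", "jdoe", "zsh", "ps -e"),
    ("2024-05-01T10:00:03", "mac-01", "jdoe", "zsh", "ps -e | grep -i 'Little Snitch'"),
    ("2024-05-01T10:00:10", "mac-01", "jdoe", "zsh", "ls /Applications"),
    ("2024-05-01T10:00:20", "mac-01", "jdoe", "zsh", "systemextensionsctl list"),
    ("2024-05-01T11:00:00", "mac-02", "_mdmagent", "jamf", "ps -e"),  # assumed known-good parent
    ("2024-05-01T12:00:00", "mac-03", "bob", "zsh", "ps -e"),         # routine, alone: no alert
]

# The three enumeration categories the analytic names; systemextensionsctl is an assumed example.
ENUM_PATTERNS = {
    "process_list": re.compile(r"\bps\s+-[A-Za-z]*e"),
    "app_folder": re.compile(r"\b(ls|find)\b.*(/Applications|/Library/)"),
    "sysext_list": re.compile(r"\bsystemextensionsctl\s+list\b"),
}
AGENT_TERMS = re.compile(r"little\s*snitch|knockknock", re.IGNORECASE)  # agents named on the page
ALLOWED_PARENTS = {"jamf"}  # assumed management/inventory tooling to tune out
WINDOW = timedelta(minutes=5)

def classify(cmdline):
    """Return the set of enumeration categories a command line matches."""
    return {name for name, pat in ENUM_PATTERNS.items() if pat.search(cmdline)}

def find_suspicious(events, window=WINDOW):
    """Map (host, user) -> reasons for sessions worth an analyst's attention."""
    sessions = defaultdict(list)
    for ts, host, user, parent, cmd in events:
        cats = classify(cmd)
        if cats and parent not in ALLOWED_PARENTS:
            sessions[(host, user)].append((datetime.fromisoformat(ts), cats, cmd))
    findings = {}
    for key, rows in sessions.items():
        reasons = set()
        for i, (t0, cats, cmd) in enumerate(rows):
            if AGENT_TERMS.search(cmd):
                reasons.add("agent_name_reference")
            seen = set(cats)  # categories seen within the window starting at this event
            for t1, later_cats, _ in rows[i + 1:]:
                if t1 - t0 <= window:
                    seen |= later_cats
            if len(seen) >= 2:
                reasons.add("multi_category_enumeration")
        if reasons:
            findings[key] = reasons
    return findings
```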

Mitigation priorities

  • Maintain reliable macOS endpoint telemetry for process execution, application inventory, and system extension state.
  • Limit unnecessary local administrative access and script execution paths where feasible so defensive-tool discovery is harder to perform unnoticed.
  • Ensure security monitoring tools are managed, tamper-resistant where supported, and included in routine health validation.
  • Document legitimate administrative workflows that enumerate processes or installed applications so SOC teams can tune detections and preserve audit evidence.
  • Include macOS security-tool discovery checks in incident response playbooks and threat-hunting baselines.

Analyst notes and limits

The object is a detection analytic for macOS only. It describes adversary attempts to detect monitoring agents such as Little Snitch, KnockKnock, or other daemons through process listing, application folder checks, and system extension listing. No tactics, detection text, aliases, labels, or relationship context were supplied, so the take emphasizes defensive validation and telemetry readiness rather than asserting specific ATT&CK technique coverage or threat actor behavior.

Official detection is not provided, and no relationships are supplied. This limits confidence in specific correlation logic, severity, related techniques, or expected follow-on behavior. Local macOS fleet composition, endpoint tooling, administrative practices, and available telemetry are required to determine operational value and alert priority.

Official MITRE ATT&CK definition

Analytic 0050

Adversary attempts to detect monitoring agents such as Little Snitch, KnockKnock, or other system daemons via process listing (`ps -e`), application folder checks, and system extension listing.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see MITRE's ATT&CK resources page (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 189d744fbeffca46...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 189d744fbeff…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.