AN0097: Analytic 0097
Monitors execution of ps, top, or launchctl with unusual parent processes or from terminal scripts. Also detects AppleScript-based process listing or `system_profiler SPApplicationsDataType` misuse.
Analyst context for executives and security teams
Analytic 0097 is a macOS-focused detection analytic for suspicious process and application discovery behavior, such as unusual use of ps, top, launchctl, AppleScript-based process listing, or system_profiler SPApplicationsDataType. For leaders, the value is not the individual commands themselves, which can be legitimate, but whether the organization can distinguish routine administration from activity that may indicate hands-on-keyboard discovery or scripted reconnaissance on macOS endpoints.
Executive priority
Prioritize this as a validation point for macOS endpoint visibility and SOC readiness. If macOS systems support executives, developers, administrators, or regulated workflows, gaps in process execution telemetry can limit incident response scoping and audit evidence. Security leaders should ask whether macOS command execution, parent-child process context, terminal script activity, AppleScript execution, and application inventory queries are collected and usable during investigations.
Technical view
SOC and detection teams should validate monitoring for execution of ps, top, launchctl, AppleScript-driven process listing, and system_profiler SPApplicationsDataType on macOS, especially when launched by unusual parent processes or terminal scripts. Because the official object provides no detection logic and no ATT&CK relationships, teams should treat this as a detection engineering prompt rather than a ready-to-deploy rule. Tuning should focus on parent process context, script execution context, command-line arguments where available, user identity, host role, and expected administrative baselines.
Likely telemetry
- macOS process creation events
- Command-line arguments for ps, top, launchctl, osascript or AppleScript-related execution, and system_profiler
- Parent-child process relationships
- Terminal and shell script execution context
- User and host identity context
Detection direction
- Confirm that macOS endpoint telemetry captures both process names and parent processes, not only binary execution counts.
- Baseline legitimate administrative and troubleshooting use of ps, top, launchctl, AppleScript, and system_profiler to reduce false positives.
- Review detections for unusual parent processes, scripted execution, or process/application discovery activity outside expected administrator workflows.
- Correlate suspicious discovery activity with user, host role, recent script execution, and other endpoint events before escalating.
- Identify blind spots where privacy controls, logging configuration, or EDR coverage may suppress command-line or AppleScript visibility.
Mitigation priorities
- Ensure managed macOS endpoints have consistent endpoint monitoring and logging coverage.
- Restrict and govern administrative scripting privileges according to least privilege and role-based need.
- Maintain baselines for approved administrative tools and expected process discovery workflows.
- Use application control, script control, or endpoint policy where appropriate to limit unauthorized automation while preserving legitimate operations.
- Document macOS telemetry availability and detection validation results for incident response and compliance evidence.
Analyst notes and limits
This object is a detection analytic, not a technique or procedure. The supplied ATT&CK fields identify macOS as the platform and describe suspicious process/application discovery monitoring patterns, but provide no official detection implementation, tactics, or relationship context. Local baselining is essential because the named utilities are common legitimate tools.
No official detection text, tactics, mapped techniques, data components, or relationships were supplied. This take therefore cannot assert specific ATT&CK technique coverage, adversary usage, active exploitation, or guaranteed detection outcomes. Validation must rely on the organization’s macOS telemetry and operational baselines.
Analytic 0097
Monitors execution of ps, top, or launchctl with unusual parent processes or from terminal scripts. Also detects AppleScript-based process listing or `system_profiler SPApplicationsDataType` misuse.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 4ae88a3356c5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0097Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.