MITRE ATT&CK® Analytic

AN0121: Analytic 0121

Detection of system calls or commands accessing system locale (e.g., 'defaults read -g AppleLocale', 'systemsetup -gettimezone'). Correlate with unusual parent processes or execution contexts.

Domain: Enterprise | ID: AN0121 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is about spotting macOS processes that query system locale or time zone settings, such as reading AppleLocale or asking systemsetup for the time zone. On its own the behavior is usually benign, but it matters to defenders because code that checks locale or time zone can use the answer to tailor its behavior to a region, for example by proceeding only on, or refusing to run on, hosts configured for certain countries. The practical value is not the command alone; it is whether the query appears in an unusual execution chain or from an unexpected parent process.

Executive priority

Treat this as a focused macOS visibility and triage-quality check rather than a standalone high-confidence alert. Security leaders should ask whether endpoint telemetry can show which processes query locale and timezone settings, whether SOC playbooks correlate that activity with process ancestry, and whether macOS monitoring is mature enough to support incident response evidence. This can support resilience and audit readiness by validating that the organization can investigate suspicious execution context on macOS endpoints.

Technical view

For SOC and detection teams, the supplied ATT&CK analytic points to monitoring system calls or commands that access macOS locale settings, including examples such as `defaults read -g AppleLocale` and `systemsetup -gettimezone`. Detection value depends on correlating those events with parent process, execution context, user, host role, and nearby activity. Because no ATT&CK tactic, relationship, or official detection logic is supplied, this should be implemented as contextual enrichment or a low-severity analytic unless local baselining shows the parent process or execution pattern is abnormal.

Likely telemetry

  • macOS process creation events, including command line where available
  • Parent and grandparent process relationships
  • User account and session context for the process
  • Endpoint telemetry showing system calls or command execution related to locale or timezone access
  • Host inventory and role context to distinguish normal administrative or application behavior

Detection direction

  • Validate that macOS endpoint logging captures `defaults` and `systemsetup` executions with full command-line and parent-process context. Match both spellings of the locale read: `defaults read -g AppleLocale` and `defaults read NSGlobalDomain AppleLocale` are the same query, because `-g` is shorthand for the global preferences domain.
  • Baseline common legitimate sources of locale and timezone queries, because this behavior occurs during normal application startup, installers, scripts, device management, and user configuration checks; record the parent image, user, and host role for each accepted source rather than only the command string.
  • Prioritize alerts where locale access is launched by unusual parent processes, unexpected automation, recently introduced binaries (for example, executables running from temporary or user-writable paths), or execution contexts that are uncommon for the host or user. When the direct parent is a shell, evaluate whatever launched the shell, since the shell itself carries little signal.
  • Avoid treating locale or timezone access as malicious by itself; the supplied analytic explicitly depends on correlation with unusual parent processes or execution contexts. Note that `systemsetup` requires administrator rights, so a timezone query through it from an unprivileged user is a failed attempt, and the same command under root or an admin session is where the parent-process question actually matters.
  • Document coverage gaps where system calls are not visible and only command-line execution is monitored: a process that calls the locale APIs directly, reads `~/Library/Preferences/.GlobalPreferences.plist`, or resolves the `/etc/localtime` symlink learns the same information without ever spawning `defaults` or `systemsetup`.
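The correlation described in the Technical view and in the detection direction above, as an added example that is not part of the original page or of MITRE's analytic: a small detection routine over constructed macOS process-creation events. It matches the locale and time zone queries named in the analytic (plus the `NSGlobalDomain` spelling of the same read and a `/etc/localtime` resolution, which goes slightly beyond the two commands the analytic lists), looks through a shell parent to whatever launched the shell, scores the effective parent against a baseline and against temporary or user-writable paths, and emits a severity. The baseline paths (`/usr/local/bin/mdm-agent`, `/Library/Example/Updater/updater`), the sample events, and the scoring thresholds are assumptions made for this example, not data from the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Commands that read the macOS locale or time zone. The first two are the
# examples in the analytic; `defaults read -g` is shorthand for
# `defaults read NSGlobalDomain`, and /etc/localtime is a symlink into the
# zoneinfo tree, so resolving it reveals the zone without systemsetup.
LOCALE_PATTERNS = {
    "apple_locale":         re.compile(r"\bdefaults\s+read\s+(?:-g|NSGlobalDomain)\s+AppleLocale\b"),
    "timezone_systemsetup": re.compile(r"\bsystemsetup\s+-gettimezone\b"),
    "timezone_localtime":   re.compile(r"\b(?:readlink|ls)\b[^\n]*\s/etc/localtime\b"),
}

SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}
INTERACTIVE_TERMINALS = {
    "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
}
# Constructed baseline (an assumption for this example, not from the page):
# parents validated locally as legitimate sources of these queries.
EXPECTED_PARENTS = {
    "/usr/local/bin/mdm-agent",            # hypothetical device-management agent
    "/Library/Example/Updater/updater",    # hypothetical application updater
}
# "Recently introduced" or user-writable locations for the effective parent.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Volumes/")


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str            # executable of the process being created
    cmdline: str
    parent_image: str     # executable of the direct parent
    ancestry: tuple       # further ancestors, nearest first (grandparent, ...)


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str
    severity: str
    effective_parent: str
    reasons: tuple


def locale_query_kind(cmdline: str) -> Optional[str]:
    """Return which locale/time zone query the command line is, or None."""
    for kind, pattern in LOCALE_PATTERNS.items():
        if pattern.search(cmdline):
            return kind
    return None


def effective_parent(ev: ProcessEvent) -> str:
    """A shell parent carries little signal; look through it to whatever launched the shell."""
    if ev.parent_image in SHELLS and ev.ancestry:
        return ev.ancestry[0]
    return ev.parent_image


def score_event(ev: ProcessEvent, baseline=EXPECTED_PARENTS) -> Optional[Finding]:
    """Score one process-creation event; None means it is not a locale/time zone query."""
    kind = locale_query_kind(ev.cmdline)
    if kind is None:
        return None
    parent = effective_parent(ev)
    score, reasons = 0, []
    if parent not in baseline and parent not in INTERACTIVE_TERMINALS:
        score += 2
        reasons.append(f"parent {parent} is not a baselined source")
    if parent.startswith(SUSPICIOUS_PREFIXES) or "/Downloads/" in parent:
        score += 3
        reasons.append("parent runs from a temporary or user-writable location")
    severity = "high" if score >= 5 else "medium" if score >= 2 else "informational"
    return Finding(ev.host, kind, severity, parent, tuple(reasons))


def run_detection(events) -> list:
    """Apply score_event to a stream of events and keep only the locale/time zone findings."""
    return [f for f in (score_event(e) for e in events) if f is not None]


# Constructed sample telemetry (not real logs): an admin in Terminal, an MDM
# agent, an installer from Downloads, an implant-style binary in /private/tmp
# driving a shell, an unbaselined vendor app, and an unrelated `defaults` read.
SAMPLE_EVENTS = [
    ProcessEvent("mac-01", "admin", "/usr/bin/defaults", "defaults read -g AppleLocale",
                 "/bin/zsh", ("/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",)),
    ProcessEvent("mac-02", "root", "/usr/sbin/systemsetup", "systemsetup -gettimezone",
                 "/usr/local/bin/mdm-agent", ("/sbin/launchd",)),
    ProcessEvent("mac-03", "jdoe", "/usr/bin/defaults", "defaults read NSGlobalDomain AppleLocale",
                 "/Users/jdoe/Downloads/Installer.app/Contents/MacOS/helper", ("/sbin/launchd",)),
    ProcessEvent("mac-04", "jdoe", "/usr/bin/readlink", "readlink /etc/localtime",
                 "/bin/sh", ("/private/tmp/.cache/agent", "/sbin/launchd")),
    ProcessEvent("mac-05", "root", "/usr/sbin/systemsetup", "systemsetup -gettimezone",
                 "/Applications/Vendor.app/Contents/MacOS/Vendor", ("/sbin/launchd",)),
    ProcessEvent("mac-06", "jdoe", "/usr/bin/defaults", "defaults read com.apple.finder AppleShowAllFiles",
                 "/bin/zsh", ("/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",)),
]

if __name__ == "__main__":
    for f in run_detection(SAMPLE_EVENTS):
        print(f"{f.host} {f.severity:13} {f.kind:22} parent={f.effective_parent} {'; '.join(f.reasons)}")
```

The medium-severity finding (the unbaselined vendor application) is the case the baselining step is meant to resolve: after local validation it either joins `EXPECTED_PARENTS` or stays a triage item. The two high-severity findings are the ones the analytic is really after, and both are decided by where the effective parent lives, not by the locale command itself.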

Mitigation priorities

  • Ensure macOS endpoint monitoring is configured to retain process, command-line, parent-process, user, and host context needed for investigation.
  • Create or tune SOC triage guidance for locale/timezone discovery events so analysts review ancestry and execution context before escalation.
  • Use allowlisting or suppression for known administrative, device-management, installer, and application behaviors after local validation.
  • Strengthen incident response evidence collection for macOS endpoints so analysts can reconstruct suspicious process chains around discovery-like activity.
  • Review macOS security monitoring coverage as part of broader managed detection, IR readiness, and compliance evidence efforts.

Analyst notes and limits

This object is a MITRE ATT&CK detection analytic, not a technique. It is scoped to macOS and describes detection of commands or system calls accessing system locale information, with emphasis on correlation against unusual parent processes or execution contexts. No relationships, tactics, aliases, or official detection implementation were supplied.

The supplied ATT&CK fields do not provide a tactic, related technique, procedure examples, severity, data source list, or complete detection logic. Any production rule, severity rating, or response workflow requires local macOS telemetry, baselining, and environment-specific validation.

Official MITRE ATT&CK definition

Analytic 0121

Detection of system calls or commands accessing system locale (e.g., 'defaults read -g AppleLocale', 'systemsetup -gettimezone'). Correlate with unusual parent processes or execution contexts.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: c084ea23cab54422...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | c084ea23cab5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0121 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.