AN0124: Analytic 0124
Installation of malicious .mobileconfig profiles or browser extension plist entries followed by abnormal browser child process activity.
Analyst context for executives and security teams
This analytic matters because it points to a macOS persistence or control-risk pattern: suspicious configuration profiles or browser extension property list entries followed by unusual browser-spawned child processes. For leaders, the value is not simply “detect a file”; it is validating whether managed macOS endpoints can prove when browser or profile configuration changes create a pathway for unwanted execution or policy manipulation.
Executive priority
Prioritize this as a macOS endpoint governance and SOC readiness question. Security leaders should ask whether the organization can inventory and review installed .mobileconfig profiles and browser extension plist changes, correlate those changes with process behavior, and produce evidence for incident response or compliance reviews. The business risk is highest where macOS devices are used by privileged users, developers, executives, or teams handling sensitive data, because configuration and browser-control changes can weaken endpoint trust and complicate response decisions.
Technical view
For SOC, detection engineering, and IR teams, validate visibility on macOS for two linked conditions: installation or modification of .mobileconfig profiles or browser extension plist entries, and subsequent abnormal child process activity from browsers. Because ATT&CK provides no official detection logic and no relationship context for this analytic, teams should define local baselines for expected profile management, approved browser extensions, and normal browser child processes before alerting broadly.
Likely telemetry
- macOS configuration profile inventory and installation/change events
- File or configuration monitoring for browser extension plist entries
- Endpoint process creation telemetry with parent-child process relationships
- Browser process lineage showing spawned child processes
- Device management or endpoint management records showing approved profile deployment
Detection direction
- Correlate new or modified .mobileconfig profiles and browser extension plist entries with unusual browser child processes on the same macOS host.
- Tune against legitimate mobile device management, enterprise configuration deployment, and approved browser extension updates to reduce false positives.
- Baseline normal browser child processes by browser, user role, and managed software stack; flag deviations rather than relying only on static process names.
- Check for visibility gaps where macOS configuration profile changes are handled only in management tooling and not available to the SOC.
- Because no official detection text is supplied, treat AN0124 as a detection concept requiring local engineering, testing, and validation.
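The two-step correlation described in the Technical view and in the Detection direction list, as an added Python example that is not part of the page, of ATT&CK, or of Glexia's tooling: the allow-lists, the per-browser child baseline, the 30-minute window and the event records are all constructed assumptions standing in for MDM inventory and endpoint process telemetry.

```python
from datetime import datetime, timedelta

# Assumed allow-lists: identifiers deployed through the sanctioned MDM / enterprise workflow.
APPROVED_PROFILE_IDS = {"com.corp.mdm.wifi", "com.corp.mdm.filevault"}
APPROVED_EXTENSION_IDS = {"ext-passwordmanager"}
# Assumed baseline: child processes each browser normally spawns on this fleet.
BROWSER_CHILD_BASELINE = {
    "Google Chrome": {"Google Chrome Helper", "Google Chrome Helper (Renderer)"},
    "Safari": {"com.apple.WebKit.WebContent", "com.apple.WebKit.Networking"},
}
WINDOW = timedelta(minutes=30)  # how long after a config change a child process still correlates
# Constructed sample telemetry (not from the page): profile/plist changes and process lineage.
CONFIG_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "mac-01", "kind": "mobileconfig", "id": "com.corp.mdm.wifi"},
    {"ts": "2024-05-01T10:15:00", "host": "mac-02", "kind": "mobileconfig", "id": "com.updater.profile"},
    {"ts": "2024-05-01T10:16:00", "host": "mac-02", "kind": "extension_plist", "id": "ext-helper-xyz"},
]
PROCESS_EVENTS = [
    {"ts": "2024-05-01T09:05:00", "host": "mac-01", "parent": "Google Chrome", "child": "Google Chrome Helper (Renderer)"},
    {"ts": "2024-05-01T10:20:00", "host": "mac-02", "parent": "Google Chrome", "child": "osascript"},
    {"ts": "2024-05-01T10:22:00", "host": "mac-02", "parent": "Safari", "child": "com.apple.WebKit.WebContent"},
    {"ts": "2024-05-01T15:00:00", "host": "mac-02", "parent": "Google Chrome", "child": "bash"},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def unapproved_changes(config_events):
    """Keep only profile/plist changes that are not on the sanctioned allow-list (the tuning step)."""
    out = []
    for e in config_events:
        approved = APPROVED_PROFILE_IDS if e["kind"] == "mobileconfig" else APPROVED_EXTENSION_IDS
        if e["id"] not in approved:
            out.append(e)
    return out

def abnormal_children(process_events):
    """Browser-spawned children that fall outside the per-browser baseline."""
    return [p for p in process_events
            if p["parent"] in BROWSER_CHILD_BASELINE
            and p["child"] not in BROWSER_CHILD_BASELINE[p["parent"]]]

def correlate(config_events, process_events, window=WINDOW):
    """Pair each unapproved change with abnormal browser children on the same host inside the window."""
    alerts = []
    for c in unapproved_changes(config_events):
        t0 = parse(c["ts"])
        for p in abnormal_children(process_events):
            if p["host"] == c["host"] and t0 <= parse(p["ts"]) <= t0 + window:
                alerts.append((c["host"], c["kind"], c["id"], p["parent"], p["child"]))
    return alerts
```

The approved MDM profile on mac-01 and the baseline WebKit child on mac-02 produce nothing; the late `bash` child falls outside the window, so only the `osascript` child shortly after the two unapproved changes is raised.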
Mitigation priorities
- Maintain an authoritative inventory of approved macOS configuration profiles and browser extensions.
- Restrict or govern who can install configuration profiles and browser extensions on managed macOS devices where policy allows.
- Ensure endpoint management and SOC telemetry can preserve evidence of profile, plist, and process-lineage changes.
- Review macOS hardening and browser extension governance for high-risk user groups first.
- Document approved administrative workflows so incident responders can distinguish sanctioned management activity from suspicious changes.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for macOS with a narrow description and no tactics, relationships, aliases, labels, or official detection procedure. The strongest use is as a validation prompt: can the organization connect configuration/profile changes to browser process behavior with enough fidelity for triage?
This take is limited to the official fields provided. It does not infer associated techniques, adversaries, campaigns, active exploitation, or guaranteed detection coverage. Local environment baselines, endpoint tooling, and macOS management practices are required to operationalize the analytic.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates section of the ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 57a3d7961888… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0124
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.