AN0129: Analytic 0129
Execution of scripts or binaries that check for virtualization indicators (e.g., system_profiler, ioreg -l, kextstat), combined with delay functions or anomalous launchd activity.
Analyst context for executives and security teams
This analytic is about spotting macOS activity that looks like environment checking: scripts or binaries querying virtualization indicators and pairing that behavior with delay logic or unusual launchd activity. For leaders, the value is not just “malware detection”; it is a way to validate whether SOC telemetry can identify software that may be trying to determine whether it is running in an analysis or sandbox environment before proceeding.
Executive priority
Prioritize this as a macOS detection-readiness and incident-triage control. It helps answer whether the organization can see suspicious pre-execution or staging behavior on managed macOS endpoints, especially where business-critical users, developers, or administrators rely on macOS systems. Because ATT&CK provides no official detection logic or relationship context for this analytic, leaders should treat it as a validation requirement rather than evidence of current coverage.
Technical view
For SOC and detection engineering teams, validate visibility into macOS process execution involving virtualization-checking utilities or commands such as system_profiler, ioreg -l, and kextstat, especially when correlated with delay functions or anomalous launchd activity. Since no ATT&CK detection text or related techniques are supplied, detection should be tested locally against normal administrative, troubleshooting, MDM, developer, and security-tool behavior to avoid over-alerting.
Likely telemetry
- macOS process creation and command-line telemetry
- Script interpreter execution on macOS
- launchd job, plist, or service activity records
- Endpoint security or EDR events showing parent-child process relationships
- Timestamps needed to correlate execution delays with later activity
Detection direction
- Confirm that macOS endpoint telemetry captures command lines for system_profiler, ioreg -l, kextstat, and script or binary parents.
- Correlate virtualization-indicator checks with suspicious timing patterns, delay behavior, or unusual launchd activity rather than alerting on single benign commands alone.
- Baseline legitimate IT, developer, virtualization, MDM, and security-tool usage to reduce false positives.
- Validate whether launchd visibility includes creation, modification, and execution context, not only final process execution.
- Document blind spots where macOS privacy controls, limited EDR deployment, or incomplete command-line collection reduce analytic value.
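As an added example (not ATT&CK-supplied logic, and not Glexia's own code), the following Python applies the detection direction above to constructed macOS process-event records: it tags command lines that match the analytic's virtualization-indicator utilities, correlates them with delay or launchd activity under the same host and parent process within a window, and suppresses a baselined management-tool parent. The delay and launchd command patterns, the 5-minute window, the allowlisted parent path and all sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command patterns. The "virt" entries are the utilities named by the analytic; the
# "delay" and "launchd" entries are assumptions about how such behavior appears in
# shell command lines, not ATT&CK-supplied logic.
PATTERNS = {
    "virt": (r"\bsystem_profiler\b", r"\bioreg\b.*\s-l\b", r"\bkextstat\b"),
    "delay": (r"\bsleep\s+\d+", r"\busleep\b"),
    "launchd": (r"\blaunchctl\s+(load|bootstrap|submit)\b", r"/Library/Launch(Agents|Daemons)/"),
}
BASELINE_PARENTS = {"/usr/local/bin/mdm-agent"}  # constructed allowlist of known tooling
WINDOW = timedelta(minutes=5)  # assumed correlation window

def classify(cmd):
    """Return the set of behavior tags a command line matches."""
    return {tag for tag, pats in PATTERNS.items() if any(re.search(p, cmd) for p in pats)}

def correlate(events):
    """events: dicts with ts (ISO 8601), host, parent, cmd.
    Alert when a virtualization check and a delay or launchd event occur under the
    same (host, parent) within WINDOW; baselined parents are skipped entirely."""
    groups = defaultdict(list)
    for e in events:
        if e["parent"] in BASELINE_PARENTS:
            continue
        tags = classify(e["cmd"])
        if tags:
            groups[(e["host"], e["parent"])].append((datetime.fromisoformat(e["ts"]), tags))
    alerts = []
    for (host, parent), items in groups.items():
        for t0, tags0 in items:
            if "virt" not in tags0:
                continue
            seen = set().union(*(t for ts, t in items if abs(ts - t0) <= WINDOW))
            if seen & {"delay", "launchd"}:
                alerts.append((host, parent, sorted(seen)))
                break  # one alert per process tree is enough for triage
    return alerts

# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "macA", "parent": "/tmp/.update/run.sh",
     "cmd": "system_profiler SPHardwareDataType"},
    {"ts": "2024-05-01T10:00:02", "host": "macA", "parent": "/tmp/.update/run.sh", "cmd": "sleep 120"},
    {"ts": "2024-05-01T10:02:05", "host": "macA", "parent": "/tmp/.update/run.sh",
     "cmd": "launchctl load /Users/dev/Library/LaunchAgents/com.example.helper.plist"},
    {"ts": "2024-05-01T10:05:00", "host": "macB", "parent": "/usr/local/bin/mdm-agent",
     "cmd": "system_profiler SPSoftwareDataType"},  # baselined management tool, suppressed
    {"ts": "2024-05-01T11:00:00", "host": "macC", "parent": "/bin/zsh", "cmd": "ioreg -l"},
    {"ts": "2024-05-01T11:30:00", "host": "macC", "parent": "/bin/zsh", "cmd": "sleep 1"},  # outside window
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only the macA process tree alerts: the lone `ioreg -l` on macC and the baselined MDM agent on macB are left for baselining review rather than raised as alerts.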
Mitigation priorities
- Ensure managed macOS endpoints have reliable endpoint telemetry and command-line collection where policy permits.
- Harden and monitor launchd-related persistence and execution paths using existing macOS management and security controls.
- Limit unnecessary local administrative privileges and review software allowed to create or modify launchd jobs.
- Use incident-response playbooks that treat virtualization checks plus delay or anomalous launchd behavior as triage signals requiring context, not automatic confirmation of compromise.
- Maintain audit evidence showing which macOS populations are covered and where collection gaps remain.
Analyst notes and limits
The ATT&CK object is a detection analytic for macOS only. Its official description identifies virtualization-indicator checks combined with delay functions or anomalous launchd activity, but it does not provide detection pseudocode, tactics, related techniques, or relationships. Local baselining is essential because the named utilities can be used for legitimate inventory, troubleshooting, development, or security operations.
This take is limited to the supplied STIX fields, external reference, and absence of relationship context. It does not assert active exploitation, attribution, business impact, or guaranteed detectability. Detection quality depends on local macOS telemetry depth, command-line visibility, launchd monitoring, and environment-specific baselines.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table lists the same object across releases (hashes and MITRE timestamps) so they can be compared. For MITRE's own release notes and roadmap, see the ATT&CK resources (Updates) page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 1f16fcd8433d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0129
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.