AN0231: Analytic 0231
Modification of user desktop backgrounds, login screen messages, or system banners by adversaries using admin privileges or script execution. May coincide with tampering in /Library/Desktop Pictures/ or use of AppleScript.
Analyst context for executives and security teams
This analytic highlights a macOS behavior where an adversary with administrative privileges or script execution changes desktop backgrounds, login screen messages, or system banners. For leaders, the significance is not the wallpaper itself; it is that visible system messaging changes can indicate unauthorized administrative control, user coercion, incident signaling, or tampering that may affect trust in managed endpoints.
Executive priority
Treat this as a validation point for macOS endpoint governance and incident readiness. Security leaders should ask whether the organization can prove who changed managed desktop, login, or banner content; whether such changes are approved through configuration management; and whether SOC teams would notice unexpected changes on executive, privileged-user, or shared operational Macs. This can support audit evidence around administrative control, endpoint integrity, and change management.
Technical view
For SOC and IR teams, the practical task is to validate macOS telemetry around changes to desktop backgrounds, login screen messages, system banners, and relevant file locations such as /Library/Desktop Pictures/. Because the ATT&CK object provides no official detection logic and no tactic mapping, detection engineering should focus on local baselining: approved administrative tools and scripts versus unexpected script execution, AppleScript activity, or file/configuration changes tied to these visible UI elements.
Likely telemetry
- macOS endpoint file modification events for /Library/Desktop Pictures/ and related desktop background assets
- Process execution telemetry for scripts or administrative tools modifying user interface settings
- AppleScript execution or automation telemetry where available
- Endpoint management or configuration management change records
- Authentication and privilege-use logs showing administrative context for the change
Detection direction
- Baseline legitimate macOS management workflows that set desktop backgrounds, login messages, or banners so alerts can focus on unmanaged or unexpected changes.
- Correlate UI/banner modifications with process ancestry, user identity, administrative privilege use, and recent script execution.
- Tune carefully for authorized IT, compliance, branding, or device-management updates, which may otherwise generate false positives.
- Prioritize higher-severity review when changes occur outside maintenance windows, on sensitive endpoints, or through AppleScript or unfamiliar scripts.
- Account for the ATT&CK limitation that no official detection text or relationship context is supplied; local telemetry and change-control evidence are required to make this actionable.
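The telemetry list and the detection direction above describe one triage procedure: watch the file locations and commands behind these UI elements, baseline changes made by the approved management agent inside a maintenance window, and escalate everything else on the signals the analytic names (outside the window, sensitive endpoint, AppleScript or an unmanaged script). The script below is an added worked example of that procedure run over constructed endpoint events; it is not part of the ATT&CK object or of this page. The event schema, the agent name "mdm-agent", the maintenance window, the host "cfo-mbp" and every sample event are assumptions. The watched paths are standard macOS locations: /Library/Desktop Pictures/ for bundled wallpapers, /Library/Preferences/com.apple.loginwindow.plist for the LoginwindowText login message, and /Library/Security/PolicyBanner.txt/.rtf/.rtfd for the login policy banner; the watched commands are the `defaults write` form that sets that message and an `osascript` invocation that sets the desktop picture.

```python
"""Constructed triage logic for macOS desktop/login-message/banner changes.

Added example, not code from the ATT&CK object or from Glexia. The event
schema, the approved agent name, the maintenance window, the sensitive-host
list and all sample events are assumptions; the watched paths and commands
are standard macOS locations and administrative commands.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, time

APPROVED_AGENTS = {"mdm-agent"}                  # assumed: your MDM/config-management agent
MAINTENANCE_WINDOW = (time(2, 0), time(4, 0))    # assumed: local time, does not cross midnight
SENSITIVE_HOSTS = {"cfo-mbp"}                    # assumed: executive / privileged-user Macs
SCRIPT_RUNNERS = {"sh", "bash", "zsh", "python3", "osascript"}

# File locations behind the UI elements the analytic names.
WATCH_PATH_PREFIXES = (
    "/Library/Desktop Pictures/",                        # bundled desktop pictures
    "/Library/Preferences/com.apple.loginwindow.plist",  # LoginwindowText is stored here
    "/Library/Security/PolicyBanner",                    # .txt / .rtf / .rtfd login banner
)
# Command lines that change the same elements directly rather than via a plain file write.
WATCH_CMDS = (
    re.compile(r"\bdefaults\s+write\s+\S*com\.apple\.loginwindow\s+LoginwindowText\b"),
    re.compile(r"\bosascript\b.*\bset\s+(?:desktop\s+)?picture\b"),
)


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str                                            # "file" (a write) or "process" (an exec)
    image: str                                           # image name of the acting process
    ancestry: list[str] = field(default_factory=list)    # parent image names, nearest first
    path: str = ""                                       # modified path, for kind == "file"
    cmdline: str = ""                                    # full command line, for kind == "process"
    is_admin: bool = False                               # ran as root / with admin rights


def touches_ui_setting(ev: Event) -> bool:
    """True if the event writes a watched path or runs a watched command.

    A process merely mentioning a watched path (e.g. `ls` of the directory)
    is not a change and is ignored.
    """
    if ev.kind == "file":
        return ev.path.startswith(WATCH_PATH_PREFIXES)
    return any(p.search(ev.cmdline) for p in WATCH_CMDS)


def in_maintenance_window(ts: datetime) -> bool:
    start, end = MAINTENANCE_WINDOW
    return start <= ts.time() < end


def classify(ev: Event) -> tuple[str, list[str]]:
    """Return (severity, reasons); severity is ignore | expected | review | high."""
    if not touches_ui_setting(ev):
        return "ignore", []
    lineage = [ev.image, *ev.ancestry]
    if APPROVED_AGENTS.intersection(lineage):            # baselined management workflow
        if in_maintenance_window(ev.ts):
            return "expected", ["approved management agent in ancestry, inside maintenance window"]
        return "review", ["approved management agent in ancestry but outside maintenance window"]
    reasons = ["no approved management agent in process ancestry"]
    escalate = False
    if not in_maintenance_window(ev.ts):
        reasons.append("outside maintenance window"); escalate = True
    if ev.host in SENSITIVE_HOSTS:
        reasons.append("sensitive endpoint"); escalate = True
    if "osascript" in lineage:
        reasons.append("AppleScript (osascript) execution"); escalate = True
    elif SCRIPT_RUNNERS.intersection(lineage):
        reasons.append("unmanaged script or interactive shell"); escalate = True
    if ev.is_admin:
        reasons.append("administrative context")
    return ("high" if escalate else "review"), reasons


def triage(events: list[Event]) -> list[tuple[str, str, list[str]]]:
    """Classify each event; returns (host, severity, reasons) in input order."""
    return [(ev.host, *classify(ev)) for ev in events]


SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    Event(datetime(2026, 3, 2, 2, 30), "ops-mac-01", "root", "file", "mdm-agent", ["launchd"],
          path="/Library/Desktop Pictures/corp-2026.heic", is_admin=True),
    Event(datetime(2026, 3, 2, 14, 12), "cfo-mbp", "jsmith", "process", "osascript",
          ["bash", "Terminal", "launchd"],
          cmdline='osascript -e \'tell application "Finder" to set desktop picture to '
                  'POSIX file "/Users/jsmith/Downloads/note.png"\''),
    Event(datetime(2026, 3, 2, 23, 5), "ops-mac-02", "root", "process", "defaults",
          ["sh", "sshd", "launchd"], is_admin=True,
          cmdline='defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText '
                  '"Call ext. 4242 before logging in"'),
    Event(datetime(2026, 3, 2, 9, 0), "ops-mac-01", "root", "file", "mdm-agent", ["launchd"],
          path="/Library/Security/PolicyBanner.rtf", is_admin=True),
    Event(datetime(2026, 3, 2, 10, 0), "ops-mac-02", "jsmith", "process", "ls",
          ["zsh", "Terminal", "launchd"], cmdline="ls -la /Library/Desktop Pictures/"),
]

if __name__ == "__main__":
    for host, severity, reasons in triage(SAMPLE_EVENTS):
        print(f"{host:<11} {severity:<9} {'; '.join(reasons)}")
```

The ordering of the rules is the point: ancestry from the approved agent is checked first so that routine branding or banner pushes are baselined rather than tuned away after the fact, and an agent-driven change outside its window still lands in the review queue instead of vanishing. Process ancestry is what separates the two high-severity rows from the expected one; a file-modification event alone, without the writing process and its parents, cannot make that distinction, which is why the telemetry list above asks for process execution and privilege context alongside file events.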
Mitigation priorities
- Use centralized macOS configuration management for approved desktop, login, and banner settings.
- Restrict administrative privileges and monitor privileged changes on macOS endpoints.
- Maintain change-control records for authorized UI/banner modifications so SOC teams can distinguish expected from suspicious activity.
- Ensure endpoint logging captures file modifications, script execution, process ancestry, and administrative user context.
- Review AppleScript and script execution controls where they are relevant to managed macOS environments.
Analyst notes and limits
This object is a detection analytic, not a technique description, and it is scoped to macOS. Its value is as a control-validation and detection-engineering prompt: can the organization observe and explain visible macOS UI or banner changes, especially when made through administrative or scripted activity?
The supplied ATT&CK fields include no official detection logic, no tactics, and no relationship context. This take should therefore be treated as guidance for local validation rather than a claim of ATT&CK-provided detection coverage or adversary prevalence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 813d2a292342… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0231
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.