AN0242: Analytic 0242
Defender detects execution of `mdfind`, `launchctl`, or GUI-based enumeration (e.g., `/Applications/Time Machine.app`) along with command-line usage of `find`, `grep`, or `system_profiler` to identify installed backup tools like Time Machine, Carbon Copy Cloner, or Backblaze. Often triggered from Terminal sessions or within post-exploitation scripts.
Analyst context for executives and security teams
This analytic matters because it looks for macOS activity that may reveal someone is inventorying backup software such as Time Machine, Carbon Copy Cloner, or Backblaze. For executives and security leaders, the decision value is resilience: if an intruder can identify backup tooling during post-exploitation activity, incident response teams should assume backup integrity, recovery paths, and ransomware-readiness need immediate validation.
Executive priority
Treat this as a business-continuity and incident-readiness signal for macOS environments. Security leaders should ask whether SOC monitoring can see backup-tool enumeration, whether IR playbooks include rapid validation of backup availability and integrity, and whether audit evidence exists showing that critical endpoints have recoverable, protected backups. This analytic is especially relevant where macOS systems support executive users, developers, creative operations, or other business functions where endpoint recovery time matters.
Technical view
AN0242 is scoped to macOS and focuses on detection of commands or GUI activity associated with discovering installed backup tools. The supplied behavior includes execution of `mdfind`, `launchctl`, GUI-based enumeration such as `/Applications/Time Machine.app`, and command-line use of `find`, `grep`, or `system_profiler`. SOC and detection engineering teams should validate whether endpoint telemetry captures process execution, command-line arguments, parent process context such as Terminal sessions, and script-driven execution. Because ATT&CK provides no separate detection text or relationship context here, local baselining is required to distinguish legitimate administration or user troubleshooting from suspicious enumeration during an incident.
Likely telemetry
- macOS process execution events
- Command-line arguments for `mdfind`, `launchctl`, `find`, `grep`, and `system_profiler`
- Parent-child process context, especially Terminal-launched or script-launched activity
- File or application access evidence involving backup-related paths such as `/Applications/Time Machine.app`
- Endpoint security alerts or EDR telemetry from macOS hosts
Detection direction
- Confirm that macOS endpoint logging captures both process names and full command-line arguments; process-only visibility may miss the backup-enumeration intent.
- Tune for combinations of backup-related search terms and enumeration utilities rather than single commands alone, because tools like `find`, `grep`, and `system_profiler` have many legitimate uses.
- Prioritize suspicious context: Terminal sessions outside normal admin workflows, post-exploitation script execution, unusual users, or activity on systems that do not normally administer backups.
- Establish a local baseline for administrators, IT support, and backup-management processes to reduce false positives.
- Correlate this analytic with broader incident evidence before escalating business impact, since the supplied ATT&CK object does not include attribution, impact, or active exploitation claims.
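The tuning rule above (utility plus backup-related term plus parent context, with an admin baseline) applied to constructed macOS process events; this is an added example, not Glexia's or MITRE's code, and the term list, parent-process set and sample events are assumptions:

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Enumeration utilities named in AN0242; the utility name alone is not a signal.
ENUM_UTILS = {"mdfind", "launchctl", "find", "grep", "system_profiler"}
# Backup-tool indicators (assumed term list built from the tools the analytic names).
BACKUP_TERMS = re.compile(
    r"time\s?machine|tmutil|backupd|carbon\s?copy|\bccc\b|backblaze|bzserv",
    re.IGNORECASE)
# Parent processes the analytic calls out: Terminal sessions and script interpreters.
SCRIPT_PARENTS = {"Terminal", "bash", "zsh", "sh", "osascript", "python3", "perl"}

@dataclass
class ProcEvent:
    user: str       # account that ran the process
    parent: str     # parent process name from EDR telemetry
    cmdline: str    # full command line; the process name alone is not enough

def classify(ev: ProcEvent, admins: frozenset = frozenset()) -> str:
    """Return 'alert', 'review' or 'benign' for one process-execution event."""
    argv = ev.cmdline.split()
    if not argv or argv[0].rsplit("/", 1)[-1] not in ENUM_UTILS:
        return "benign"
    if not BACKUP_TERMS.search(ev.cmdline):
        return "benign"                  # utility without visible backup-tool intent
    if ev.user in admins:
        return "review"                  # baselined backup admin: log, do not page
    return "alert" if ev.parent in SCRIPT_PARENTS else "review"

def triage(events, admins: frozenset = frozenset()) -> dict:
    """Group command lines by verdict so a SOC can review them in bulk."""
    out = defaultdict(list)
    for ev in events:
        out[classify(ev, admins)].append(ev.cmdline)
    return dict(out)

# Constructed sample events (not real telemetry).
ADMINS = frozenset({"backupadmin"})
SAMPLE = [
    ProcEvent("jdoe", "Terminal", "mdfind -name 'Carbon Copy Cloner'"),
    ProcEvent("jdoe", "zsh", "grep -ri backblaze /Library/LaunchDaemons"),
    ProcEvent("jdoe", "python3", "/usr/bin/find /Applications -iname '*Time Machine*'"),
    ProcEvent("jdoe", "Terminal", "launchctl list"),
    ProcEvent("svc", "launchd", "find /var/log -name '*.log'"),
    ProcEvent("backupadmin", "Terminal", "find /Applications -name 'Time Machine.app'"),
    ProcEvent("jdoe", "Finder", "system_profiler SPApplicationsDataType"),
]
```

Calling `triage(SAMPLE, ADMINS)` yields three alerts, one review item for the baselined administrator, and three benign events where the utility ran without any backup-related term.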
Mitigation priorities
- Validate that critical macOS systems have current, restorable backups and that recovery procedures are tested.
- Restrict and monitor administrative access used to inspect or manage backup tooling on macOS endpoints.
- Ensure endpoint monitoring is deployed and configured to collect macOS command-line and process context needed for this analytic.
- Document backup protection and recovery evidence for incident response and compliance readiness.
- During an incident, if this behavior is observed, prioritize verification of backup integrity and recovery options before containment decisions that may affect evidence or restoration.
Analyst notes and limits
This is a detection analytic, not a technique record. The official description is specific to macOS enumeration of installed backup tools and mentions Terminal sessions or post-exploitation scripts as common triggering contexts. No ATT&CK relationships were supplied, so mapping to a specific tactic, technique, campaign, software, or group is not supported here.
Official detection guidance was not provided, tactics were not specified, and no relationship context was supplied. This analysis is therefore limited to the official description, platform, and external reference. Local environment baselines, endpoint telemetry quality, and backup architecture are required to determine detection value and response priority.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2592a65e5d8d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0242 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.