MITRE ATT&CK® Analytic

AN0256: Analytic 0256

Adversary uses `dscl`, `who`, or environment variables like `$USER` to identify accounts or sessions via Terminal or malicious LaunchAgents.

Enterprise | AN0256 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is about recognizing when macOS systems are queried to identify local users or active sessions, using tools or variables such as `dscl`, `who`, and `$USER`, including activity launched from Terminal or LaunchAgents. For leaders, the value is not the command names themselves; it is whether the organization can see early account and session discovery on macOS before it supports follow-on access, lateral movement planning, or persistence decisions.

Executive priority

Treat this as a macOS visibility and readiness check. Security leaders should ask whether managed detection, endpoint logging, and incident response processes can distinguish normal administration from suspicious account/session discovery, especially when activity originates from LaunchAgents rather than an interactive user session. This can support control prioritization for macOS endpoint telemetry, identity context, and audit evidence around monitoring of local account discovery behavior.

Technical view

ATT&CK supplies a macOS detection analytic for account/session identification using `dscl`, `who`, or environment variables such as `$USER`, executed through Terminal or malicious LaunchAgents. Because no official detection logic is provided, SOC and detection engineering teams should validate whether endpoint telemetry captures process execution, parent-child process context, command-line arguments where available, user/session context, and LaunchAgent execution metadata. Tuning should separate expected administrative or helpdesk use from unusual execution paths, unexpected parent processes, repeated enumeration, or activity tied to non-interactive persistence mechanisms.

Likely telemetry

  • macOS process execution events for `dscl`, `who`, shells, and Terminal-spawned processes
  • Command-line or process argument telemetry where collected
  • User and session context associated with process execution
  • Environment variable usage evidence where available from endpoint telemetry or shell/process context
  • LaunchAgent configuration and execution events

Detection direction

  • Confirm that macOS endpoints actually report process execution and parent process lineage for Terminal and LaunchAgent-launched activity.
  • Create or tune detections for account/session discovery commands such as `dscl` and `who`, with context for the executing user, parent process, frequency, and host role.
  • Prioritize suspicious context over command presence alone, since these utilities can be used legitimately by administrators and scripts.
  • Look for discovery behavior initiated by LaunchAgents or other non-interactive contexts, as this may be more concerning than a known administrator using Terminal.
  • Document blind spots where command-line arguments, environment variable access, LaunchAgent execution, or user/session attribution are not retained.
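As an added example (not code from the Glexia page or from MITRE ATT&CK), the Python below applies the detection direction above to a handful of constructed macOS process events. It matches the discovery primitives the analytic names (`dscl`, `who`, and shell command lines that read `$USER`) and then scores the surrounding context rather than the command alone: non-interactive parent or session, the LaunchAgent label checked against an approved list, the executing user checked against known administrators, and repeat frequency per host and user. The event field names (`image`, `parent`, `session`, `launch_agent`, and so on), the baseline sets, the LaunchAgent labels, the timestamps and the scoring weights are all assumptions for illustration and do not correspond to any particular EDR schema.

```python
from collections import defaultdict, deque
from datetime import datetime
from os.path import basename

# Discovery primitives named by the analytic: binaries plus env-var lookups in shells
DISCOVERY_IMAGES = {"/usr/bin/dscl", "/usr/bin/who"}
ENV_MARKERS = ("$USER", "${USER}", "$LOGNAME")
SHELLS = {"sh", "bash", "zsh"}
NON_INTERACTIVE_PARENTS = {"launchd"}  # launchd is the parent of LaunchAgent jobs


def is_discovery(ev):
    """True when the process event is an account/session discovery primitive."""
    if ev["image"] in DISCOVERY_IMAGES:
        return True
    if basename(ev["image"]) in SHELLS:
        cmdline = " ".join(ev["args"])
        return any(marker in cmdline for marker in ENV_MARKERS)
    return False


def score_event(ev, baseline, repeat_count, window_seconds, repeat_threshold):
    """Score the context of a discovery event, not the command itself."""
    agent = ev.get("launch_agent")
    if agent in baseline["approved_launch_agents"]:
        # Baselined management tooling: documented exception, no alert
        return 0, [f"approved LaunchAgent {agent}"]
    score, reasons = 0, []
    if ev["parent"] in NON_INTERACTIVE_PARENTS or ev["session"] != "interactive":
        score += 3
        reasons.append("non-interactive parent or session")
    if agent:
        score += 2
        reasons.append(f"unapproved LaunchAgent {agent}")
    if ev["user"] not in baseline["admin_users"]:
        score += 1
        reasons.append(f"user {ev['user']} is not a known administrator")
    if ev["image"] == "/usr/bin/dscl" and "-list" in ev["args"]:
        score += 1
        reasons.append("dscl account listing")
    if repeat_count >= repeat_threshold:
        score += 2
        reasons.append(f"repeated enumeration ({repeat_count} in {window_seconds}s)")
    return score, reasons


def triage(events, baseline, window_seconds=300, repeat_threshold=3, alert_score=4):
    """Walk events in time order; return findings whose context score meets alert_score."""
    recent = defaultdict(deque)  # (host, user) -> timestamps of recent discovery events
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_discovery(ev):
            continue
        q = recent[(ev["host"], ev["user"])]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:  # drop stale entries
            q.popleft()
        score, reasons = score_event(ev, baseline, len(q), window_seconds, repeat_threshold)
        if score >= alert_score:
            findings.append({"ts": ev["ts"].isoformat(), "host": ev["host"], "user": ev["user"],
                             "image": ev["image"], "score": score, "reasons": reasons})
    return findings


def _t(hhmmss):
    return datetime.fromisoformat(f"2026-01-15T{hhmmss}")


# Constructed local baseline (hypothetical users and LaunchAgent labels)
BASELINE = {"admin_users": {"alice", "root"},
            "approved_launch_agents": {"com.example.mdm-agent"}}

# Constructed process events: an admin in Terminal, a LaunchAgent-driven burst by a
# standard user, an approved management agent, and one unrelated process.
SAMPLE_EVENTS = [
    {"ts": _t("10:00:00"), "host": "mac-01", "user": "alice", "parent": "zsh",
     "session": "interactive", "image": "/usr/bin/who", "args": ["who"]},
    {"ts": _t("10:00:30"), "host": "mac-01", "user": "alice", "parent": "zsh",
     "session": "interactive", "image": "/usr/bin/dscl", "args": ["dscl", ".", "-list", "/Users"]},
    {"ts": _t("10:05:00"), "host": "mac-01", "user": "bob", "parent": "launchd", "session": "background",
     "launch_agent": "com.example.updater", "image": "/bin/sh", "args": ["sh", "-c", "echo $USER; who"]},
    {"ts": _t("10:05:01"), "host": "mac-01", "user": "bob", "parent": "launchd", "session": "background",
     "launch_agent": "com.example.updater", "image": "/usr/bin/dscl", "args": ["dscl", ".", "-list", "/Users"]},
    {"ts": _t("10:05:02"), "host": "mac-01", "user": "bob", "parent": "launchd", "session": "background",
     "launch_agent": "com.example.updater", "image": "/usr/bin/who", "args": ["who"]},
    {"ts": _t("10:30:00"), "host": "mac-01", "user": "root", "parent": "launchd", "session": "background",
     "launch_agent": "com.example.mdm-agent", "image": "/usr/bin/dscl", "args": ["dscl", ".", "-list", "/Users"]},
    {"ts": _t("10:31:00"), "host": "mac-01", "user": "alice", "parent": "zsh",
     "session": "interactive", "image": "/bin/ls", "args": ["ls"]},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, BASELINE):
        print(finding["ts"], finding["user"], finding["image"], finding["score"], finding["reasons"])
```

Running the block prints three findings for the constructed LaunchAgent-driven burst; the same commands issued by the interactive administrator and by the baselined management agent score below the alert threshold, which is the separation between expected and suspicious use the analytic asks for. The weights and the approved-agent exception are starting points to tune against local baselines, not a validated rule, and the example only works if the endpoint telemetry actually carries parent process, session type and LaunchAgent attribution for each event.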

Mitigation priorities

  • Establish baseline visibility for macOS process, user/session, and LaunchAgent activity before relying on alerting.
  • Limit unnecessary local administrative access and review approved scripts or management tooling that performs account/session enumeration.
  • Use endpoint and identity governance processes to maintain accurate ownership of macOS devices, local accounts, and administrative users.
  • Define incident response triage steps for macOS account discovery events, including review of parent process, LaunchAgent provenance, user legitimacy, and nearby activity.
  • Retain telemetry long enough to support audit evidence and post-incident reconstruction of discovery activity.

Analyst notes and limits

This object is a detection analytic rather than a technique entry. The supplied fields identify macOS as the platform and describe account/session identification using `dscl`, `who`, `$USER`, Terminal, and LaunchAgents. No tactics, relationships, aliases, or official detection logic were supplied, so the take focuses on defensive validation and telemetry requirements rather than a specific detection rule.

The ATT&CK object provides a short description only and no official detection text or relationship context. Local baselines are required to determine what is normal administrative activity versus suspicious discovery. No active exploitation, attribution, impact, or guaranteed detection coverage can be inferred from the supplied data.

Official MITRE ATT&CK definition

Analytic 0256

Adversary uses `dscl`, `who`, or environment variables like `$USER` to identify accounts or sessions via Terminal or malicious LaunchAgents.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 9ce0c925da7dfcfd...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 9ce0c925da7d…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN0256

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.