AN0273: Analytic 0273
Processes that utilize AppleScript, `CGWindowListCopyWindowInfo`, or `NSRunningApplication` APIs to list active application windows and foreground processes.
Analyst context for executives and security teams
This analytic is about identifying macOS processes that enumerate active application windows or foreground processes using AppleScript, CGWindowListCopyWindowInfo, or NSRunningApplication APIs. For leaders, the value is visibility: this behavior can reveal when software is inspecting what users are running or viewing, which may matter for privacy, sensitive business workflows, and incident scoping on executive or high-value macOS endpoints.
Executive priority
Prioritize this as a macOS visibility and governance question rather than a standalone confirmed threat signal. Security leaders should ask whether the organization can see which processes are using window and foreground-application enumeration behaviors, whether that visibility covers managed macOS endpoints, and how such evidence would support incident response, compliance inquiries, or investigations involving sensitive user activity.
Technical view
SOC and detection teams should validate whether endpoint telemetry can identify macOS processes invoking AppleScript, CGWindowListCopyWindowInfo, or NSRunningApplication-related behavior to list active windows and foreground processes. Because no official detection logic or ATT&CK tactic is supplied, this should be treated as a behavioral analytic requiring local baselining. Note that these are in-process library calls that endpoint sensors generally cannot observe directly: the practical observables are the process execution itself (for example `osascript` run with a script that addresses System Events), the symbols a binary imports, and the TCC consent it holds, since window titles returned by `CGWindowListCopyWindowInfo` require Screen Recording permission on macOS 10.15 and later, and AppleScript control of System Events requires Automation consent. Expected benign sources include productivity, accessibility, endpoint management, monitoring, and legitimate user-interface automation tools, so process identity, signing status, parent process, user context, and frequency are important for triage.
Likely telemetry
- macOS endpoint process execution telemetry
- Process parent-child relationships and command-line context where available
- AppleScript execution or automation-related events, in particular `osascript` invocations with their script text or script file arguments
- Endpoint telemetry showing use of window or foreground-application enumeration APIs; where API-level visibility is absent, the binary's imported symbols and its TCC grants (Screen Recording, Automation, Accessibility) are the usual proxies
- Application identity, code-signing, notarization, and file path metadata
Detection direction
- Confirm that macOS telemetry can distinguish normal application inventory or UI automation from unusual processes listing active windows or foreground processes.
- Baseline expected software that uses AppleScript, CGWindowListCopyWindowInfo, or NSRunningApplication APIs in the environment before escalating alerts.
- Tune on context such as unsigned or newly observed binaries, unusual parent processes, unexpected user locations, or repeated enumeration activity.
- Account for blind spots where endpoint tools do not expose API-level behavior or AppleScript activity in sufficient detail: a compiled script run as `osascript file.scpt` leaves no enumeration text on the command line, and a binary that resolves `CGWindowListCopyWindowInfo` at runtime rather than through its import table will not show the symbol in a static import inventory.
- Because no official detection text or relationships are supplied, avoid treating this analytic as a complete detection without local validation and testing.
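The detection direction above is easier to test against concrete telemetry. The following is an added example, not code from the ATT&CK object or from Glexia: it scores constructed process-execution events for the two observables the analytic names (AppleScript text that enumerates processes or windows, and imported symbols for `CGWindowListCopyWindowInfo` or `NSRunningApplication`) and then weights them by signing status, baseline membership, path, parent process and repetition. The event shape, signing identifiers, paths and thresholds are all assumptions made for the example, not a real EDR schema.

```python
"""Triage scoring for macOS window / foreground-process enumeration.

Added example. ExecEvent is a constructed simplification of exec telemetry,
not a real EDR or Endpoint Security schema; thresholds are hypothetical.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# AppleScript / System Events phrases that list processes or windows.
APPLESCRIPT_ENUM = re.compile(
    r"every\s+process|frontmost\s+is\s+true|every\s+window|front\s+window"
    r"|frontmost\s+application", re.IGNORECASE)
# Undefined symbols a Mach-O carries when it calls the two native APIs the
# analytic names (as listed by `nm -u` or an EDR's import inventory).
NATIVE_ENUM_SYMBOLS = {"_CGWindowListCopyWindowInfo",
                       "_OBJC_CLASS_$_NSRunningApplication"}
# AppleScript runs through an Apple-signed interpreter, so its own signature
# says nothing; the script text and the parent process carry the signal.
SCRIPT_INTERPRETERS = {"/usr/bin/osascript"}
SHELL_PARENTS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/python3"}
TEMP_PATH_PREFIXES = ("/tmp/", "/private/tmp/", "/Users/Shared/",
                      "/private/var/folders/")
REPEAT_THRESHOLD = 5  # hypothetical: more runs than this per key adds weight


@dataclass
class ExecEvent:
    pid: int
    path: str
    argv: List[str]
    parent_path: str
    user: str
    signing_id: Optional[str]      # None = unsigned or ad-hoc without identifier
    notarized: bool
    imports: Set[str] = field(default_factory=set)


def enumeration_evidence(ev: ExecEvent) -> List[str]:
    """Reasons this exec event looks like window/process enumeration, if any."""
    reasons = []
    if ev.path in SCRIPT_INTERPRETERS and APPLESCRIPT_ENUM.search(" ".join(ev.argv)):
        reasons.append("applescript-enumeration")
    hits = NATIVE_ENUM_SYMBOLS & ev.imports
    if hits:
        reasons.append("imports:" + ",".join(sorted(hits)))
    return reasons


def score_event(ev: ExecEvent, baseline_signing_ids: Set[str],
                seen: Counter) -> Tuple[int, List[str]]:
    """Weight the evidence by signing, baseline, path, parent and repetition."""
    reasons = enumeration_evidence(ev)
    if not reasons:
        return 0, []
    score = 1
    if ev.path in SCRIPT_INTERPRETERS:
        if ev.parent_path in SHELL_PARENTS:
            score += 2
            reasons.append("scripted-parent:" + ev.parent_path)
    else:
        if ev.signing_id is None:
            score += 3
            reasons.append("unsigned")
        elif ev.signing_id not in baseline_signing_ids:
            score += 2
            reasons.append("signed-not-baselined:" + ev.signing_id)
        if not ev.notarized:
            score += 1
            reasons.append("not-notarized")
    if ev.path.startswith(TEMP_PATH_PREFIXES) or "/Downloads/" in ev.path:
        score += 2
        reasons.append("transient-path")
    key = (ev.user, ev.path, ev.parent_path)
    seen[key] += 1
    if seen[key] > REPEAT_THRESHOLD:
        score += 1
        reasons.append(f"repeated:{seen[key]}")
    return score, reasons


def verdict(score: int) -> str:
    return "investigate" if score >= 4 else ("baseline-review" if score else "none")


def triage(events, baseline_signing_ids):
    """Return (pid, score, verdict, reasons) for every event with evidence."""
    seen = Counter()
    results = []
    for ev in events:
        s, r = score_event(ev, baseline_signing_ids, seen)
        if s:
            results.append((ev.pid, s, verdict(s), r))
    return results


# Constructed sample telemetry; signing identifiers and paths are illustrative.
BASELINE_SIGNING_IDS = {"us.zoom.xos", "com.apple.Terminal"}
ENUM_SCRIPT = ('tell application "System Events" to get name of every process '
               'whose frontmost is true')
SAMPLE_EVENTS = (
    [ExecEvent(101, "/Applications/zoom.us.app/Contents/MacOS/zoom.us", ["zoom.us"],
               "/sbin/launchd", "alice", "us.zoom.xos", True,
               {"_CGWindowListCopyWindowInfo"})]
    + [ExecEvent(200 + i, "/usr/bin/osascript", ["osascript", "-e", ENUM_SCRIPT],
                 "/bin/bash", "alice", "com.apple.osascript", True) for i in range(6)]
    + [ExecEvent(300, "/Users/alice/Downloads/helper", ["./helper"], "/bin/zsh",
                 "alice", None, False, {"_OBJC_CLASS_$_NSRunningApplication"}),
       ExecEvent(400, "/Applications/Safari.app/Contents/MacOS/Safari", ["Safari"],
                 "/sbin/launchd", "alice", "com.apple.Safari", True)]
)

if __name__ == "__main__":
    for pid, s, v, r in triage(SAMPLE_EVENTS, BASELINE_SIGNING_IDS):
        print(pid, s, v, r)
```

In the sample the baselined, notarized app importing `CGWindowListCopyWindowInfo` scores 1 (baseline review only), a single shell-spawned `osascript` enumeration scores 3, the sixth identical run from the same user and parent crosses the repeat threshold and becomes an investigation, and the unsigned, un-notarized binary in Downloads scores 7. The weights are a starting point for local tuning, not a recommendation from the ATT&CK object.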
Mitigation priorities
- Maintain managed visibility on macOS endpoints, especially systems used by executives, developers, administrators, or users handling sensitive data.
- Review and govern software that requires automation, accessibility, or user-interface inspection capabilities.
- Use application control, software inventory, and code-signing policy where appropriate to reduce untrusted tools performing window or process enumeration.
- Ensure incident response playbooks can collect macOS process, application, user-session, and automation evidence when this behavior is observed.
- Document telemetry coverage and analytic limitations as compliance or audit evidence for macOS monitoring readiness.
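One concrete way to review which software holds the capabilities the mitigation list refers to is to read the TCC consent database, because the enumeration behaviors in this analytic depend on those grants (Screen Recording for window titles, Automation for AppleScript control of System Events, Accessibility for UI inspection). The following is an added example, not code from the ATT&CK object or from Glexia. On a real Mac the source is the `access` table in `/Library/Application Support/com.apple.TCC/TCC.db` (system) and `~/Library/Application Support/com.apple.TCC/TCC.db` (per user), which requires Full Disk Access to read; the example instead builds an in-memory table with only the columns the query uses, fills it with constructed rows, and reports grants held by clients outside an assumed approved inventory. The column subset and the meaning of `auth_value = 2` (allowed, macOS 11 and later) and `client_type` (0 bundle identifier, 1 absolute path) are stated as assumptions in the code.

```python
"""Review TCC grants that window / process enumeration relies on.

Added example. Uses a reduced in-memory copy of the TCC `access` table,
populated with constructed rows; the real database needs Full Disk Access.
"""
import sqlite3
from typing import List, Set, Tuple

# Screen Recording gates window titles from CGWindowListCopyWindowInfo (macOS
# 10.15+); Automation gates AppleScript control of System Events; Accessibility
# gates UI inspection. Keys are the service names TCC stores.
SERVICES = {
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceAppleEvents": "Automation",
    "kTCCServiceAccessibility": "Accessibility",
}
AUTH_ALLOWED = 2           # assumed: auth_value meaning "allowed" on macOS 11+
CLIENT_TYPE_BUNDLE_ID = 0  # assumed: client column holds a bundle identifier
CLIENT_TYPE_PATH = 1       # assumed: client column holds an absolute path

# Only the columns this review needs; the real table has many more.
REDUCED_SCHEMA = """CREATE TABLE access (
    service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER,
    indirect_object_identifier TEXT, last_modified INTEGER)"""

# Constructed rows; identifiers, paths and timestamps are illustrative.
CONSTRUCTED_ROWS = [
    ("kTCCServiceScreenCapture", "us.zoom.xos", 0, 2, "UNUSED", 1700000000),
    ("kTCCServiceAppleEvents", "com.apple.Terminal", 0, 2,
     "com.apple.systemevents", 1700000100),
    ("kTCCServiceAccessibility", "com.example.clipper", 0, 0, "UNUSED", 1700000150),
    ("kTCCServiceScreenCapture", "/Users/alice/Downloads/helper", 1, 2,
     "UNUSED", 1700000200),
    ("kTCCServiceAppleEvents", "/Users/alice/Downloads/helper", 1, 2,
     "com.apple.systemevents", 1700000201),
]


def load_constructed_db() -> sqlite3.Connection:
    """Build the in-memory stand-in for TCC.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute(REDUCED_SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", CONSTRUCTED_ROWS)
    return conn


def granted(conn: sqlite3.Connection) -> List[Tuple[str, str, int, str]]:
    """(service, client, client_type, target) for every allowed grant of interest."""
    placeholders = ",".join("?" * len(SERVICES))
    return conn.execute(
        "SELECT service, client, client_type, indirect_object_identifier "
        f"FROM access WHERE auth_value = ? AND service IN ({placeholders}) "
        "ORDER BY last_modified",
        (AUTH_ALLOWED, *SERVICES),
    ).fetchall()


def review(conn: sqlite3.Connection, approved_clients: Set[str]) -> List[str]:
    """Findings for grants held by clients outside the approved inventory."""
    findings = []
    for service, client, client_type, target in granted(conn):
        if client in approved_clients:
            continue
        detail = f"{SERVICES[service]} granted to {client}"
        if client_type == CLIENT_TYPE_PATH:
            detail += " (path-based client, not an app bundle)"
        if service == "kTCCServiceAppleEvents":
            detail += f" targeting {target}"
        findings.append(detail)
    return findings


if __name__ == "__main__":
    for line in review(load_constructed_db(), {"us.zoom.xos", "com.apple.Terminal"}):
        print(line)
```

A denied row (`auth_value` 0) is ignored, an approved bundle is skipped, and the unbundled binary in Downloads surfaces twice: once for Screen Recording and once for Automation with System Events as the target. The approved inventory should come from the organization's software inventory rather than from the database itself.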
Analyst notes and limits
AN0273 is a detection analytic for macOS focused on processes that list active application windows and foreground processes via AppleScript, CGWindowListCopyWindowInfo, or NSRunningApplication APIs. No tactics, relationships, or official detection procedure were supplied, so the main defensive value is to guide telemetry validation, baselining, and triage design rather than to assert a specific adversary behavior chain.
The supplied ATT&CK object is sparse: it provides platform and behavior description but no official detection logic, tactic mapping, related technique, relationship context, data sources, or mitigations. Local macOS telemetry, business-approved software inventory, and environmental baselines are required to determine severity and reduce false positives.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources and Updates pages.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7799002e81cf… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0273 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.