Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0306: Analytic 0306

Monitor for unexpected modifications of plist files in persistence or configuration directories (e.g., ~/Library/LaunchAgents, ~/Library/Preferences, /Library/LaunchDaemons). Detect when modifications are followed by execution of new or unexpected binaries. Track use of utilities such as defaults, plutil, or text editors making changes to Info.plist files. Correlate file modifications with subsequent process launches or service starts that reference the altered plist.

EnterpriseAN0306AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because macOS property list (plist) files can control application behavior, user preferences, and service launch behavior. Unexpected plist changes in LaunchAgents, LaunchDaemons, Preferences, or application Info.plist files can be an early signal that a system’s configuration or persistence paths have been altered. For leaders, the decision value is whether the organization can prove it sees meaningful macOS configuration changes and can connect them to later process execution or service starts.

Executive priority

Treat this as a macOS endpoint visibility and resilience question: do security teams collect enough file and process telemetry to explain suspicious configuration changes before they become an incident-response surprise? Priority should be higher in environments where macOS systems support executives, developers, administrators, or regulated workflows, because plist modification evidence can support incident scoping, audit inquiries, and control validation.

Technical view

Validate monitoring for unexpected plist modifications in macOS persistence or configuration locations such as ~/Library/LaunchAgents, ~/Library/Preferences, and /Library/LaunchDaemons. Correlate those file changes with subsequent launches of new or unexpected binaries, process starts, or service starts that reference the altered plist. Pay particular attention to plist edits made by utilities named in the ATT&CK object, including defaults, plutil, and text editors. Because no ATT&CK detection field or relationship context is supplied, tuning must be based on local baselines for legitimate software installation, user preference changes, admin activity, and endpoint management tooling.

Likely telemetry

  • macOS file modification events for plist files
  • File path and filename metadata for LaunchAgents, LaunchDaemons, Preferences, and Info.plist locations
  • Process creation events for defaults, plutil, text editors, launched binaries, and service-related processes
  • Parent-child process relationships around plist modification and later execution
  • Service start or launch events referencing modified plist files

Detection direction

  • Confirm that endpoint telemetry captures plist write activity in both user and system-level macOS configuration paths.
  • Correlate plist modifications with later process launches or service starts instead of alerting on every plist change in isolation.
  • Baseline expected changes from software updates, endpoint management tools, preference changes, and administrator activity to reduce false positives.
  • Prioritize cases where a newly modified plist references a new, rare, unsigned, or unexpected binary, if that metadata is available locally.
  • Review coverage gaps for user home directories, system LaunchDaemon paths, and application Info.plist files, since partial path coverage can create misleading confidence.

Mitigation priorities

  • Ensure macOS endpoint logging or EDR coverage includes relevant plist file modification and process execution telemetry.
  • Harden administrative change processes so legitimate plist changes from management tools, updates, and administrators are attributable and reviewable.
  • Restrict unnecessary write access to sensitive system-level configuration and service directories where operationally feasible.
  • Maintain baselines of approved launch agents, launch daemons, and expected configuration-management activity.
  • Use incident response playbooks that preserve modified plist files, referenced binaries, process history, user context, and service-start evidence for scoping.
Analyst notes and limits

The supplied object is a detection analytic for macOS only. It provides a useful behavior description but no official detection section, no tactic mapping, and no relationship context. The strongest operational use is as a coverage test: can the SOC connect plist modification events to later execution or service activity on macOS systems?

This take is limited to the supplied ATT&CK fields. It does not assert active exploitation, adversary attribution, business impact, or guaranteed detection. Local endpoint telemetry, software-management practices, and macOS fleet baselines are required to determine alert fidelity and control priority.

Official MITRE ATT&CK definition

Analytic 0306

Monitor for unexpected modifications of plist files in persistence or configuration directories (e.g., ~/Library/LaunchAgents, ~/Library/Preferences, /Library/LaunchDaemons). Detect when modifications are followed by execution of new or unexpected binaries. Track use of utilities such as defaults, plutil, or text editors making changes to Info.plist files. Correlate file modifications with subsequent process launches or service starts that reference the altered plist.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
3b0c62b1d4b8f8ed...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 3b0c62b1d4b8…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0306
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use