AN0313: Analytic 0313

AN0313 is a macOS-focused detection analytic for spotting changes to, and execution of, login hook scripts or LaunchAgents/LaunchDaemons used for persistence. For leaders, the value is not the analytic name itself; it is whether the organization can reliably see when macOS systems are configured to re-run unwanted code after login or restart.

Executive priority

Prioritize this as a macOS persistence visibility question. Security leaders should ask whether managed detection, endpoint logging, and IR playbooks can prove when LaunchAgents, LaunchDaemons, or login hook scripts are modified and later executed. This matters for operational resilience because weak persistence monitoring can allow an intrusion to survive reboots, user logouts, or partial cleanup efforts.

Technical view

SOC and detection teams should validate telemetry for macOS file/configuration modification and process execution related to login hook scripts and LaunchAgents/LaunchDaemons. Because ATT&CK provides no specific detection logic or relationship context for this analytic, teams should treat AN0313 as a coverage requirement: confirm collection, build baselines for expected administrative or software-management activity, and tune for suspicious modification followed by execution.

Likely telemetry

macOS endpoint file modification events for login hook scripts and LaunchAgents/LaunchDaemons
macOS process execution events showing scripts, agents, or daemons launching
Endpoint security or EDR alerts tied to persistence-related configuration changes
Administrative change records or device-management activity for legitimate macOS configuration updates
Host inventory/baseline data showing expected LaunchAgents/LaunchDaemons and authorized changes

Detection direction

Validate that macOS endpoints actually report both modification and execution events, not only one of the two.
Correlate configuration or script changes with subsequent execution to improve fidelity.
Baseline legitimate software installation, update, and device-management behavior to reduce false positives.
Review blind spots on unmanaged, intermittently connected, or lightly monitored macOS systems.
Because no official detection logic is supplied, test local analytics against known-good administrative activity and incident-response scenarios before relying on alert counts as coverage evidence.

Mitigation priorities

Limit who can modify persistence-related macOS configuration and script locations through appropriate administrative controls.
Maintain approved baselines for LaunchAgents, LaunchDaemons, and login hook usage where applicable.
Use change control and endpoint management records to distinguish authorized configuration changes from suspicious ones.
Ensure incident response procedures include removal validation and reboot/logout persistence checks on macOS hosts.
Document telemetry retention and alert review as compliance evidence where macOS endpoint monitoring is in scope.

Analyst notes and limits

This Glexia take is based only on the supplied ATT&CK analytic object. The object identifies macOS as the platform and describes monitoring for modification and execution of login hook scripts or LaunchAgents/LaunchDaemons used for persistence. No tactics, relationships, aliases, or official detection logic were supplied.

ATT&CK did not provide detection pseudocode, data-source mappings, related techniques, adversary relationships, or mitigation text for this analytic. Local macOS fleet design, endpoint tooling, management workflows, and logging depth are required to determine actual coverage and alert quality.

Official MITRE ATT&CK definition

Analytic 0313

Monitoring for modification and execution of login hook scripts or LaunchAgents/LaunchDaemons used for persistence.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Raw hash: 7d8c0d25eb09318f...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Oct 21, 2025, 15:10 UTC (UTC+00:00)	Current bundle	`7d8c0d25eb09…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN0313
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams