AN0357: Analytic 0357
Adversary creates disguised launch daemons or apps with misleading names and bundle metadata (e.g., Info.plist values inconsistent with binary path or icon). Launch is correlated with user logon or persistence setup.
Analyst context for executives and security teams
AN0357 describes a macOS detection analytic focused on suspicious persistence camouflage: launch daemons or applications that use misleading names or bundle metadata, such as Info.plist values that do not line up with the binary path or icon, with launch activity correlated to user logon or persistence setup. For leaders, the value is not the specific analytic name; it is whether the organization can reliably spot macOS software that is trying to look legitimate while gaining repeat execution.
Executive priority
Prioritize this where macOS endpoints are material to business operations, privileged users, developers, executives, or regulated workflows. The business question is whether endpoint visibility and response processes can distinguish legitimate application management from disguised persistence. This supports operational resilience, incident scoping, and audit evidence around endpoint monitoring, but the supplied ATT&CK object does not provide tactics, relationships, or an official detection implementation.
Technical view
SOC and detection teams should validate coverage for macOS launch daemons and application bundle metadata, especially inconsistencies between Info.plist values, binary location, naming, and icon metadata. Correlate suspicious launch activity with user logon timing or observed persistence setup. Because no official detection logic is supplied, teams should treat AN0357 as a validation theme rather than a complete rule and test it against local macOS software baselines.
Likely telemetry
- macOS launch daemon or launch-related configuration data
- Application bundle metadata, including Info.plist values
- Executable path and file metadata for macOS applications or daemons
- Icon and bundle naming metadata where collected
- User logon or session start events
Detection direction
- Build or validate detections that compare declared bundle metadata against executable path, naming, and icon context for inconsistencies.
- Correlate suspicious launch daemon or application creation with subsequent execution at user logon or persistence setup time.
- Baseline legitimate enterprise macOS management tools and approved applications to reduce false positives from unusual but authorized packaging.
- Review whether telemetry preserves enough macOS bundle metadata; process-only logging may miss the misleading-name and Info.plist aspects described by the analytic.
- Use this analytic as macOS-specific coverage validation; no tactics or ATT&CK relationships were supplied to extend the scope beyond the stated behavior.
Mitigation priorities
- Maintain an inventory of approved macOS applications, launch daemons, and administrative tooling so disguised entries have a known-good baseline to compare against.
- Harden endpoint management processes for software installation and persistence-related configuration changes on macOS.
- Ensure SOC and IR playbooks include review of bundle metadata, launch configuration, binary path, and logon-correlated execution when investigating suspicious macOS persistence.
- Preserve endpoint telemetry needed for compliance and incident evidence, including file metadata, launch configuration changes, and process execution context.
Analyst notes and limits
This object is a detection analytic, not a technique. The supplied description points to disguised macOS launch daemons or apps with misleading names and bundle metadata, correlated with user logon or persistence setup. No relationship context, aliases, labels, tactic mapping, or official detection logic was supplied, so local engineering is required to convert the concept into deployable analytics.
Assessment is limited to the official STIX fields, the MITRE external reference, and the supplied description. There is no evidence here of active exploitation, attribution, prevalence, impact, or guaranteed detectability. Applicability is limited to macOS as supplied.
Analytic 0357
Adversary creates disguised launch daemons or apps with misleading names and bundle metadata (e.g., Info.plist values inconsistent with binary path or icon). Launch is correlated with user logon or persistence setup.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | e83433f2c067… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0357Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.