AN0362: Analytic 0362
Modification of plist files to set apple.awt.UIElement or similar flags hiding app icons and windows, and dscl/command-line activity that suppresses visibility. Defender view: correlation of plist modifications with unexpected hidden user applications.
Analyst context for executives and security teams
This analytic matters because hidden macOS applications can reduce user and help-desk visibility during an incident. The supplied ATT&CK object focuses on plist changes such as apple.awt.UIElement or similar flags, plus command-line activity that suppresses application visibility. For leaders, the decision point is whether macOS endpoint logging and response processes can prove when user-facing applications are being intentionally hidden, especially where executive, developer, or privileged workstations are in scope.
Executive priority
Treat this as a macOS visibility and response-readiness check rather than a standalone high-confidence detection. Security leaders should ask whether managed detection, endpoint management, and incident response teams can collect and review plist modifications and relevant command-line activity, correlate them to expected software behavior, and preserve evidence for audit or investigation. The priority is highest in environments where macOS systems hold privileged access, source code, sensitive communications, or administrative cloud credentials.
Technical view
For SOC and IR teams, validate coverage for macOS plist file modification events involving application visibility-related keys such as apple.awt.UIElement or similar flags, and correlate those changes with command-line activity such as dscl or other local commands that may affect user or application visibility. Because the object provides no formal detection logic, tactics, or relationship context, teams should build environment-specific baselines for legitimate application packaging, management tooling, and software updates before alerting on unexpected hidden user applications.
Likely telemetry
- macOS file modification telemetry for plist files
- Endpoint process creation and command-line telemetry on macOS
- User and application context for modified plist files
- Endpoint management or software deployment logs that may explain legitimate plist changes
- EDR or host audit records showing parent process, user, path, and timestamp around plist edits
Detection direction
- Confirm that macOS endpoints actually report plist modifications with enough path, user, process, and timestamp detail to support triage.
- Correlate plist changes involving UI-hiding keys with nearby command-line activity and the affected application identity.
- Tune for known legitimate cases such as managed software deployment, application updates, and applications intentionally configured as background agents.
- Prioritize unexpected hidden applications in user locations, privileged user sessions, or systems with sensitive access.
- Because no official detection logic is provided, avoid treating a single plist key change as conclusive without local baseline and process context.
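A worked version of the correlation the Technical view and Detection direction describe, as an added example that is not part of the ATT&CK object or Glexia's page: it parses a plist with the standard library, flags the UI-hiding keys (LSUIElement and LSBackgroundOnly are Apple launch-services keys; apple.awt.UIElement is the Java/AWT key the analytic names, including when a Java launcher nests it), drops bundles the management inventory approves, and attaches same-host command lines seen within a time window. All hosts, users, bundle paths, timestamps and command lines are constructed sample data.

```python
import plistlib
# Info.plist keys that keep an app out of the Dock and app switcher: LSUIElement and LSBackgroundOnly
# are Apple launch-services keys; apple.awt.UIElement is the Java/AWT equivalent the analytic names.
UI_HIDING_KEYS = {"LSUIElement", "LSBackgroundOnly", "apple.awt.UIElement"}

def _walk(node, found):
    """Collect enabled UI-hiding keys anywhere in the tree (Java launchers nest them under a dict)."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key in UI_HIDING_KEYS and (val is True or str(val).strip().lower() in ("1", "true", "yes")):
                found.add(key)
            _walk(val, found)
    elif isinstance(node, list):
        for item in node:
            _walk(item, found)

def hidden_keys_in_plist(data: bytes) -> set:
    """Return the enabled UI-hiding keys in an XML or binary plist; empty set if it does not parse."""
    found = set()
    try:
        _walk(plistlib.loads(data), found)
    except Exception:
        pass  # not a plist at all: leave for separate triage
    return found

def correlate(plist_events, proc_events, approved_bundles, window=600):
    """Pair each UI-hiding plist edit with same-host command lines within `window` seconds."""
    alerts = []
    for ev in plist_events:
        keys = hidden_keys_in_plist(ev["content"])
        if not keys or ev["bundle"] in approved_bundles:
            continue  # no hide flag, or an approved background agent from the management inventory
        cmds = [p["cmd"] for p in proc_events
                if p["host"] == ev["host"] and abs(p["ts"] - ev["ts"]) <= window]
        alerts.append({"host": ev["host"], "user": ev["user"], "bundle": ev["bundle"],
                       "keys": sorted(keys), "nearby_cmds": cmds})
    return alerts

# Constructed sample telemetry (epoch-second timestamps): one Java-style Info.plist seen in a user
# location and in a managed agent, plus two command-line events, one of them on a different host.
HIDDEN = (b'<plist version="1.0"><dict><key>CFBundleName</key><string>Helper</string><key>Java</key>'
          b'<dict><key>Properties</key><dict><key>apple.awt.UIElement</key><string>true</string>'
          b'</dict></dict></dict></plist>')
PLIST_EVENTS = [
    {"host": "mac-01", "user": "jdoe", "ts": 1000, "bundle": "/Users/jdoe/Applications/Helper.app", "content": HIDDEN},
    {"host": "mac-01", "user": "root", "ts": 5000, "bundle": "/Applications/ManagedAgent.app", "content": HIDDEN}]
PROC_EVENTS = [{"host": "mac-01", "ts": 1120, "cmd": "dscl . -read /Users/jdoe"},
               {"host": "mac-02", "ts": 1010, "cmd": "plutil -lint Info.plist"}]
APPROVED = {"/Applications/ManagedAgent.app"}

def demo():
    return correlate(PLIST_EVENTS, PROC_EVENTS, APPROVED)
```

Only the user-location bundle produces an alert; the managed agent with the same key is tuned out by the inventory, which is the baseline step the page calls for.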
Mitigation priorities
- Ensure macOS endpoint logging and EDR policies capture process creation, command-line arguments where appropriate, and file modification events for relevant plist locations.
- Maintain endpoint management inventory so defenders can distinguish approved background agents from unexpected hidden user applications.
- Restrict or monitor administrative changes on sensitive macOS systems according to least-privilege and change-management practices.
- Include plist and command-line evidence collection in macOS incident response playbooks.
- Use compliance or control reviews to verify that macOS logging, retention, and investigation procedures can support this type of visibility check.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for macOS focused on hiding application icons or windows through plist modification and related command-line activity. There are no supplied relationships, tactics, aliases, or official detection logic, so the strongest use is as a validation prompt for telemetry, baselining, and triage workflow rather than a complete rule.
This take is limited to the official STIX fields, external reference, and supplied relationship context. It does not establish adversary use, active exploitation, impact, or guaranteed detectability. Local application behavior, endpoint management practices, logging depth, and retention determine whether this analytic is actionable.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | cf1c8eb82012… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0362 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.