MITRE ATT&CK® Analytic

AN0432: Analytic 0432

Process/script execution of systemsetup -gettimezone, date, ioreg, or API usage (timeIntervalSinceNow, gettimeofday) followed by time-based scheduling (launchd plist modification) or sleep-based execution.

Domain: Enterprise | ID: AN0432 | Type: Analytic | Object version: 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is about spotting macOS activity where a process or script checks system time or timezone information and then uses time-based scheduling or delayed execution. For leaders, the practical value is resilience: delayed or scheduled behavior can affect when suspicious code runs, when alerts fire, and how incident timelines are reconstructed. It is especially relevant where macOS endpoints are in scope for executive users, developers, administrators, or regulated business functions.

Executive priority

Treat this as a validation point for macOS endpoint visibility and incident readiness rather than a standalone risk signal. Security leaders should ask whether the organization can collect and retain enough macOS process, script, API, and launchd-related evidence to explain delayed execution during an investigation. This supports control prioritization for managed detection, endpoint logging, IR timeline reconstruction, and audit evidence around endpoint monitoring coverage.

Technical view

The supplied analytic focuses on macOS activity involving execution or API use for time discovery, including systemsetup -gettimezone, date, ioreg, timeIntervalSinceNow, or gettimeofday, followed by time-based scheduling such as launchd plist modification or sleep-based execution. SOC and detection teams should validate whether they can correlate time-query behavior with subsequent launchd persistence/scheduling changes or delayed execution in the same process tree, user context, host, and time window. Because no official detection logic or tactic mapping is provided, this should be implemented as a correlation hypothesis and tested against local macOS administrative, developer, and automation workflows.

Likely telemetry

  • macOS process execution telemetry for commands such as systemsetup, date, and ioreg
  • Script execution telemetry, including parent-child process context and command-line arguments where available
  • Endpoint telemetry or logs showing launchd plist creation or modification
  • File modification events for launchd-related plist locations where collected
  • Process timing and lineage data that can associate time queries with later scheduled or sleep-delayed execution

Detection direction

  • Validate that macOS endpoint telemetry includes command-line, parent process, user, host, and timestamp fields sufficient for correlation.
  • Correlate time or timezone discovery with launchd plist modification or delayed execution rather than alerting on time queries alone, which may be common and benign.
  • Tune against known administrative scripts, device management tooling, developer build processes, and legitimate scheduling workflows.
  • Review blind spots where API usage such as timeIntervalSinceNow or gettimeofday is not visible in standard process logs.
  • Use this analytic to test whether IR teams can reconstruct a sequence of time discovery followed by scheduling behavior on macOS systems.
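As an added example (not code from the analytic or from Glexia's page), the correlation hypothesis laid out in the technical view and the detection direction above, run over constructed sample telemetry: a time or timezone query fires only when a launchd plist write or a sleep-delayed step follows it in the same process tree, user and host within a window. The Event schema, the 30-minute window and the process-tree rule are assumptions, not a vendor format.

```python
"""Correlate a macOS time/timezone query with a later launchd plist write or sleep-delayed step
in the same process tree, user and host.  Sample telemetry is constructed; Event schema is assumed."""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts host user pid ppid kind detail")  # kind: process | file_write
TIME_QUERIES = ("systemsetup -gettimezone", "date", "ioreg")
LAUNCHD_DIRS = ("/Library/LaunchAgents/", "/Library/LaunchDaemons/")

def is_time_query(ev):  # exact command, or command followed by arguments
    return ev.kind == "process" and any((ev.detail + " ").startswith(q + " ") for q in TIME_QUERIES)

def is_scheduling(ev):  # launchd plist change, or a sleep-delayed step
    if ev.kind == "file_write":
        return ev.detail.endswith(".plist") and any(d in ev.detail for d in LAUNCHD_DIRS)
    return ev.kind == "process" and ev.detail.split(" ")[0] == "sleep"

def lineage(pid, parents):  # pid, parent, grandparent ... as far as telemetry recorded them
    chain = []
    while pid is not None and pid not in chain:
        chain.append(pid)
        pid = parents.get(pid)
    return chain

def same_tree(a, b, parents):  # ancestor/descendant, or siblings under a non-launchd parent
    la, lb = lineage(a.pid, parents), lineage(b.pid, parents)
    return a.pid in lb or b.pid in la or (a.ppid == b.ppid and a.ppid not in (0, 1))

def correlate(events, window=timedelta(minutes=30)):  # a time query on its own never fires
    parents = {e.pid: e.ppid for e in events}
    ordered = sorted(events, key=lambda e: e.ts)
    hits = []
    for i, q in enumerate(ordered):
        if not is_time_query(q):
            continue
        for s in ordered[i + 1:]:
            if s.ts - q.ts > window:
                break
            if (s.host, s.user) == (q.host, q.user) and is_scheduling(s) and same_tree(q, s, parents):
                hits.append((q, s))
    return hits

T0 = datetime(2026, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed: setup.sh checks the timezone, installs an agent, then sleeps
    Event(T0, "mac-01", "dev", 500, 1, "process", "/bin/bash ./setup.sh"),
    Event(T0 + timedelta(seconds=1), "mac-01", "dev", 501, 500, "process", "systemsetup -gettimezone"),
    Event(T0 + timedelta(seconds=2), "mac-01", "dev", 800, 1, "process", "date +%s"),  # unrelated shell
    Event(T0 + timedelta(seconds=5), "mac-01", "dev", 500, 1, "file_write", "/Users/dev/Library/LaunchAgents/com.example.updater.plist"),
    Event(T0 + timedelta(seconds=6), "mac-01", "dev", 502, 500, "process", "sleep 3600"),
]
```

The unrelated `date +%s` from a separate shell produces no hit, which is the point of the analytic's "rather than alerting on time queries alone" guidance; API-level calls such as gettimeofday are not visible in this kind of process telemetry at all.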

Mitigation priorities

  • Prioritize reliable macOS endpoint logging and retention before relying on this analytic for operational detection.
  • Baseline legitimate launchd plist modification and scheduled execution activity for managed macOS fleets.
  • Restrict or monitor unauthorized changes to launchd-related configuration where feasible within endpoint management policy.
  • Ensure incident response playbooks include collection of process lineage, plist changes, user context, and relevant timestamps from macOS hosts.
  • Use findings from tuning to improve compliance evidence for endpoint monitoring and change visibility.

Analyst notes and limits

The object is a detection analytic, not a technique, and no relationship context or tactic mapping was supplied. Its value is mainly in validating macOS telemetry and correlation capability around time-aware execution and launchd-based scheduling. Local baselining is important because time queries and scheduled tasks can be legitimate.

Official detection content is not provided, and no ATT&CK relationships were supplied. The object only supports macOS coverage claims. It does not support conclusions about active exploitation, adversary attribution, impact, prevalence, or guaranteed detection effectiveness.

Official MITRE ATT&CK definition

Analytic 0432

Process/script execution of systemsetup -gettimezone, date, ioreg, or API usage (timeIntervalSinceNow, gettimeofday) followed by time-based scheduling (launchd plist modification) or sleep-based execution.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: baeac3158d75785d...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | baeac3158d75…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0432

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.