AN0538: Analytic 0538
Disk enumeration via `diskutil list` or `system_profiler SPStorageDataType` run outside of user login or not associated with system inventory tools
Analyst context for executives and security teams
This analytic highlights a macOS behavior that can matter during early incident triage: disk enumeration using built-in commands such as `diskutil list` or `system_profiler SPStorageDataType` when it occurs outside a normal user login context or away from expected inventory tooling. For leaders, the value is not that disk listing is inherently malicious; it is that unexpected storage discovery can indicate preparation for follow-on actions and may expose gaps in macOS endpoint visibility.
Executive priority
Prioritize this as a coverage-validation item for macOS environments, especially where business operations depend on managed Apple endpoints. Security leaders should ask whether the SOC can distinguish legitimate IT asset inventory from unusual disk enumeration, whether endpoint telemetry is retained for incident response, and whether audit evidence exists showing which administrative or inventory tools are approved to run these commands.
Technical view
For SOC and detection teams, validate visibility into macOS process execution for `diskutil list` and `system_profiler SPStorageDataType`, including parent process, user/session context, command line, host identity, and whether the process is tied to approved inventory tooling. Because the ATT&CK object provides no formal detection logic and no tactic mapping, treat this as a behavior-specific analytic requiring local baselining rather than a standalone alert of compromise.
Likely telemetry
- macOS process execution events
- Command-line arguments for `diskutil` and `system_profiler`
- Parent process and process lineage
- User identity and login/session context
- Endpoint or device inventory tool activity logs
Detection direction
- Baseline legitimate macOS inventory and support workflows that call `diskutil list` or `system_profiler SPStorageDataType`.
- Alert or hunt for these commands when launched outside an interactive user login or outside approved system inventory tooling, as described by the analytic.
- Tune false positives from IT administration, MDM, asset management, troubleshooting, and compliance inventory activity.
- Correlate with process lineage and user context before escalation; the command itself is commonly legitimate.
- Validate that macOS endpoint telemetry captures command line and parent-child process relationships, since the official object does not provide detection implementation details.
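The detection direction above and the technical view that precedes it reduce to three questions per process event: is this exactly one of the two enumeration commands, is an approved inventory agent in the process lineage, and did the process start inside an interactive login? The following is an added example, not MITRE or Glexia code, that runs that triage over constructed macOS process events. The event schema (host, user, session_type, path, argv, ancestors) is a hypothetical normalized format rather than any specific EDR's, and the allowlisted agent paths and session labels are assumptions to be replaced with values from your own baseline.

```python
"""Hunt rule for AN0538-style disk enumeration on macOS (added example)."""
from dataclasses import dataclass

# The two commands named by the analytic. Both executable path and argument are
# matched so that e.g. "diskutil info" or "system_profiler SPHardwareDataType"
# do not fire. Paths are the stock macOS locations.
WATCHED = (
    ("/usr/sbin/diskutil", "list"),
    ("/usr/sbin/system_profiler", "SPStorageDataType"),
)

# Assumed allowlist of inventory/MDM agents whose storage enumeration is
# expected. Illustrative only; populate from your documented approved tooling.
APPROVED_ANCESTORS = {
    "/usr/local/jamf/bin/jamf",
    "/usr/local/bin/osqueryd",
}

# Assumed session labels that count as "inside an interactive user login".
# Everything else (launchd, cron, periodic, ...) is treated as non-interactive.
INTERACTIVE_SESSIONS = {"gui", "ssh"}


@dataclass
class ProcessEvent:
    host: str
    user: str
    session_type: str
    path: str          # resolved executable path
    argv: list         # argv[0] plus arguments
    ancestors: list    # parent first, then grandparent, ...


def is_watched_command(ev: ProcessEvent) -> bool:
    """True only for the exact enumeration commands the analytic describes."""
    return any(ev.path == path and arg in ev.argv[1:] for path, arg in WATCHED)


def triage(ev: ProcessEvent) -> dict:
    """Classify one event as none / low / high with the reasons that drove it.

    - approved tooling in lineage      -> none  (baselined inventory activity)
    - interactive login, not approved  -> low   (hunt / tune, not an alert)
    - non-interactive, not approved    -> high  (the analytic's core condition)
    """
    if not is_watched_command(ev):
        return {"severity": "none", "reasons": []}
    if any(a in APPROVED_ANCESTORS for a in ev.ancestors):
        return {"severity": "none", "reasons": ["approved inventory tool in lineage"]}
    reasons = ["no approved inventory tool in process lineage"]
    if ev.session_type in INTERACTIVE_SESSIONS:
        reasons.append(f"interactive {ev.session_type} session for {ev.user}")
        return {"severity": "low", "reasons": reasons}
    parent = ev.ancestors[0] if ev.ancestors else "unknown"
    reasons.append(f"outside interactive login (session={ev.session_type}, parent={parent})")
    return {"severity": "high", "reasons": reasons}


def hunt(events) -> list:
    """Return (host, severity) for every event scoring above 'none'."""
    return [(ev.host, triage(ev)["severity"]) for ev in events
            if triage(ev)["severity"] != "none"]


# Constructed sample events covering each branch of the rule.
SAMPLE_EVENTS = [
    # MDM agent running its inventory task from launchd: expected, suppressed.
    ProcessEvent("mac-101", "root", "launchd", "/usr/sbin/diskutil",
                 ["diskutil", "list"], ["/usr/local/jamf/bin/jamf", "/sbin/launchd"]),
    # Admin typing the command in Terminal: inside a login, hunt-only signal.
    ProcessEvent("mac-102", "alice", "gui", "/usr/sbin/diskutil",
                 ["diskutil", "list"], ["/bin/zsh", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"]),
    # Script spawned by a launch daemon with no approved agent in lineage: alert.
    ProcessEvent("mac-103", "root", "launchd", "/usr/sbin/system_profiler",
                 ["system_profiler", "SPStorageDataType"],
                 ["/bin/bash", "/usr/bin/python3", "/sbin/launchd"]),
    # Different data type: not the watched command at all.
    ProcessEvent("mac-104", "bob", "gui", "/usr/sbin/system_profiler",
                 ["system_profiler", "SPHardwareDataType"], ["/bin/zsh"]),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.host, triage(ev))
```

The three-way outcome is a deliberate design choice: the analytic's wording ("outside of user login or not associated with system inventory tools") would, read literally, flag every interactive administrator, so the rule reserves a high severity for the non-interactive, non-approved case and routes interactive use into baselining. Whatever telemetry source you feed this from must actually carry the argv and ancestor chain; if either is empty, the rule degrades to "command seen" and the false-positive tuning in the list above cannot be applied.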
Mitigation priorities
- Define and document approved macOS inventory tools and administrative workflows that may enumerate storage.
- Ensure managed macOS endpoints produce sufficient process and command-line telemetry for SOC and IR review.
- Use access management and administrative control processes to limit who can run broad system discovery outside approved tooling.
- Maintain asset and inventory records so defenders can quickly identify expected versus unusual storage enumeration activity.
- Incorporate this analytic into macOS detection engineering tests and incident response playbooks as a contextual signal, not a standalone determination of compromise.
Analyst notes and limits
This is a detection analytic object, not a technique object. Its practical value is in helping teams validate macOS endpoint telemetry and distinguish expected inventory behavior from unusual disk enumeration.
The supplied ATT&CK fields are sparse: platform is limited to macOS; tactics are not specified; no relationships are supplied; and no official detection logic is provided. Local baselining is therefore essential, and this summary should not be read as evidence of active exploitation, attribution, impact, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 674754e68cbe… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0538 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.