AN0561: Analytic 0561
Execution of `ifconfig`, `networksetup`, or `system_profiler` to query IP/MAC/interface configuration and status.
Analyst context for executives and security teams
This analytic is about spotting macOS commands that collect local network configuration, such as IP address, MAC address, interface state, and system network details. For leaders, the value is not that these commands are inherently malicious—they are common admin and troubleshooting tools—but that unexpected use can help establish early context during an investigation into host discovery, environment mapping, or post-compromise reconnaissance on macOS systems.
Executive priority
Prioritize this as a coverage validation item for macOS visibility rather than as a standalone high-confidence alert. Security leaders should ask whether SOC and incident response teams can reliably see command execution on managed Macs, distinguish normal IT activity from suspicious use, and preserve enough endpoint evidence to support incident scoping and audit questions. This is especially relevant where macOS systems are used by privileged users, developers, executives, or teams with access to sensitive networks.
Technical view
Validate whether endpoint telemetry captures execution of `ifconfig`, `networksetup`, and `system_profiler` on macOS, including command line, parent process, user, host, timestamp, and process ancestry. Because ATT&CK provides no official detection logic and no relationship context for this analytic, treat matches as enrichment or low-to-medium severity triage signals unless correlated with other suspicious activity. Useful pivots include unusual parent processes, execution by non-admin users or unexpected service accounts, repeated discovery activity, execution from scripts or temporary paths, and proximity to other endpoint or identity events.
Likely telemetry
- macOS process execution events
- Command-line arguments for process starts
- Parent/child process relationships
- User and host context
- Endpoint detection and response telemetry from macOS systems
Detection direction
- Confirm that macOS process telemetry records executions of all three named utilities (`ifconfig`, `networksetup`, `system_profiler`) with full command lines, not just process names.
- Tune detections around context rather than command name alone, because these utilities are commonly used for legitimate administration and troubleshooting. `system_profiler` in particular reports on far more than networking, so key on its network-related data types (for example `SPNetworkDataType`) rather than on the binary itself.
- Baseline expected IT management tools, help desk workflows, and developer activity that may invoke these commands.
- Increase analytic value by correlating with other suspicious process execution, scripting, credential, persistence, or network events when available.
- Review blind spots such as unmanaged Macs, limited command-line capture, privacy-restricted endpoint logging, short retention, or telemetry gaps for shell-spawned commands.
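The context-based triage that the Technical view and the detection direction above describe, run over constructed sample process events, as an added example that is not MITRE's or Glexia's code. The event schema, the approved-ancestor and admin-user baseline, the list of network-related `system_profiler` data types, the temporary-path prefixes, the weights and the severity bands are all assumptions for illustration; replace them with your own EDR fields and local baseline.

```python
"""Triage scorer for AN0561-style macOS network-discovery executions.

Added example, not MITRE or Glexia code. Event schema, baseline sets,
weights and severity bands are assumptions for illustration.
"""
from datetime import datetime, timedelta
from posixpath import basename
import shlex

# The three utilities named by AN0561.
DISCOVERY_BINARIES = {"ifconfig", "networksetup", "system_profiler"}

# system_profiler reports on everything from fonts to USB; only runs that
# request network data types (or the full report, which includes them) count
# as IP/MAC/interface discovery. Assumed starting list.
NETWORK_DATA_TYPES = {"SPNetworkDataType", "SPAirPortDataType",
                      "SPEthernetDataType", "SPNetworkLocationDataType"}

# Assumed local baseline: ancestors and users that routinely run these tools.
APPROVED_ANCESTORS = {"Terminal", "iTerm2", "sshd", "jamf", "mdmclient"}
ADMIN_USERS = {"itadmin", "helpdesk"}
SCRIPT_INTERPRETERS = {"sh", "bash", "zsh", "python3", "osascript", "perl"}
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
REPEAT_WINDOW = timedelta(minutes=5)


def is_network_discovery(cmdline):
    """True if cmdline is one of the three utilities querying network state."""
    argv = shlex.split(cmdline)
    if not argv or basename(argv[0]) not in DISCOVERY_BINARIES:
        return False
    if basename(argv[0]) != "system_profiler":
        return True
    if "-listDataTypes" in argv:          # enumerates types, queries nothing
        return False
    requested = {a for a in argv[1:] if a.startswith("SP") and a.endswith("DataType")}
    return not requested or bool(requested & NETWORK_DATA_TYPES)


def severity(score):
    return "high" if score >= 4 else "medium" if score >= 2 else "low"


def score_event(event, host_history):
    """Score one matching event against context pivots; host_history holds
    earlier matching events on the same host. Returns (score, reasons)."""
    hits = []  # (weight, reason)
    if not set(event["ancestry"]) & APPROVED_ANCESTORS:
        hits.append((1, "no approved ancestor: " + " <- ".join(event["ancestry"])))
    parent_args = shlex.split(event["parent_cmdline"])
    if event["ancestry"][0] in SCRIPT_INTERPRETERS and any(
            a.startswith(TEMP_PREFIXES) for a in parent_args):
        hits.append((2, "spawned by script from temporary path"))
    if event["user"] not in ADMIN_USERS:
        hits.append((1, "non-admin user " + event["user"]))
    ts = datetime.fromisoformat(event["ts"])
    recent = [e for e in host_history
              if ts - datetime.fromisoformat(e["ts"]) <= REPEAT_WINDOW]
    if recent:
        hits.append((1, "%d prior discovery command(s) on host within %s"
                     % (len(recent), REPEAT_WINDOW)))
    return sum(w for w, _ in hits), [r for _, r in hits]


def triage(events):
    """Score every matching process event; returns [(id, severity, reasons)]."""
    history, results = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_network_discovery(ev["cmdline"]):
            continue
        seen = history.setdefault(ev["host"], [])
        score, reasons = score_event(ev, seen)
        seen.append(ev)
        results.append((ev["id"], severity(score), reasons))
    return results


# Constructed sample telemetry (not real data). ancestry[0] is the parent.
SAMPLE_EVENTS = [
    {"id": 1, "ts": "2026-03-02T09:00:00", "host": "mac-it01", "user": "itadmin",
     "cmdline": "/sbin/ifconfig -a", "ancestry": ["zsh", "Terminal", "launchd"],
     "parent_cmdline": "-zsh"},
    {"id": 2, "ts": "2026-03-02T09:05:10", "host": "mac-dev07", "user": "alice",
     "cmdline": "/usr/sbin/networksetup -listallhardwareports",
     "ancestry": ["bash", "launchd"],
     "parent_cmdline": "/bin/bash /private/tmp/.cache/stage.sh"},
    {"id": 3, "ts": "2026-03-02T09:05:52", "host": "mac-dev07", "user": "alice",
     "cmdline": "/usr/sbin/system_profiler SPNetworkDataType -detailLevel mini",
     "ancestry": ["bash", "launchd"],
     "parent_cmdline": "/bin/bash /private/tmp/.cache/stage.sh"},
    {"id": 4, "ts": "2026-03-02T09:07:00", "host": "mac-dev07", "user": "alice",
     "cmdline": "/usr/sbin/system_profiler SPUSBDataType",
     "ancestry": ["zsh", "Terminal", "launchd"], "parent_cmdline": "-zsh"},
    {"id": 5, "ts": "2026-03-02T09:30:00", "host": "mac-exec02", "user": "helpdesk",
     "cmdline": "/usr/sbin/system_profiler SPNetworkDataType",
     "ancestry": ["jamf", "launchd"], "parent_cmdline": "/usr/local/bin/jamf policy"},
    {"id": 6, "ts": "2026-03-02T10:00:00", "host": "mac-ci03", "user": "svc_ci",
     "cmdline": "/sbin/ifconfig en0", "ancestry": ["sh", "launchd"],
     "parent_cmdline": "/bin/sh /opt/ci/agent/probe.sh"},
]

if __name__ == "__main__":
    for ev_id, sev, reasons in triage(SAMPLE_EVENTS):
        print(ev_id, sev, "; ".join(reasons) or "baseline activity")
```

On the constructed sample, the administrator's `ifconfig -a` from Terminal and the MDM-driven `system_profiler` score low, the USB query is ignored entirely, the CI service account's `ifconfig` lands at medium because of the unexpected user and ancestry, and the two commands chained from a script under `/private/tmp` score high, the second one also picking up the repeat-within-window pivot. The point is the shape of the logic: the command name only selects candidates, and the severity comes from ancestry, user, path and repetition, which is what lets the same rule suppress help-desk and developer activity without hiding the scripted case.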
Mitigation priorities
- Ensure managed macOS endpoints generate and retain process execution telemetry suitable for SOC and IR use.
- Define approved administrative tooling and expected troubleshooting patterns so detections can suppress known-good activity without hiding unusual behavior.
- Apply least-privilege and device management controls so only appropriate users and tools perform administrative discovery at scale.
- Document response playbooks for macOS reconnaissance-like activity, including host triage, user validation, process ancestry review, and correlation with identity and network logs.
- Use this analytic as part of a broader macOS detection strategy rather than a standalone control.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, AN0561, for macOS execution of `ifconfig`, `networksetup`, or `system_profiler` to query IP, MAC, interface configuration, and status. No tactics, relationships, aliases, or official detection logic were supplied. The strongest defensive use is to validate telemetry and correlation quality around macOS command execution.
This take is limited to the supplied STIX fields and the single MITRE external reference. It does not establish maliciousness, active exploitation, attribution, impact, or guaranteed detection. Local baselines are required because the named commands are normal administrative utilities and may produce significant false positives without context.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | bf8bdcedb634… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0561
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.