AN0682: Analytic 0682
Detection of persistent login hooks configured via defaults or plist modifications that result in execution of scripts or binaries at user login, breaking expected parent-child process lineage.
Analyst context for executives and security teams
AN0682 is a macOS detection analytic focused on persistent login hooks configured through defaults or plist changes. The business significance is persistence: if a script or binary runs automatically when a user logs in, an intrusion can survive reboots and user sessions while blending into normal login activity. For leaders, this is a useful validation point for whether macOS endpoint monitoring can distinguish expected login behavior from unusual auto-start execution.
Executive priority
Prioritize this analytic where macOS systems support privileged users, developers, executives, or business-critical operations. The decision value is not that this object proves compromise, but that it highlights a common resilience question: can the organization produce evidence of login-time persistence changes and investigate unexpected process lineage quickly enough to support incident response, audit, and containment decisions?
Technical view
SOC and detection engineering teams should validate visibility into the mechanism itself. A login hook is the LoginHook (or LogoutHook) key in the com.apple.loginwindow preference domain, typically set with "defaults write com.apple.loginwindow LoginHook /path/to/script" and read from the root-owned loginwindow preferences (/Library/Preferences/com.apple.loginwindow.plist or /private/var/root/Library/Preferences/com.apple.loginwindow.plist, depending on how it was written). At login, the loginwindow process runs the hook as root and passes the user's short name as its first argument, so the script or binary appears as a child of loginwindow rather than of launchd or the user's session; that is the lineage break the analytic describes. Apple has deprecated login hooks in favor of launchd agents, so a live hook on a managed endpoint deserves a look on its own. Because the official object does not provide a complete detection rule or tactic mapping, teams should treat AN0682 as a detection objective: identify scripts or binaries launched from login hooks and review cases where process lineage differs from the expected login/session chain.
Likely telemetry
- macOS process creation events with parent and child process lineage
- File modification events for com.apple.loginwindow.plist under /Library/Preferences and /private/var/root/Library/Preferences
- Command-line telemetry for defaults write (and defaults delete) against the com.apple.loginwindow domain with the LoginHook or LogoutHook key
- User login/session events to establish timing context
- Endpoint security or EDR telemetry showing script or binary execution at login
Detection direction
- Baseline normal macOS login-time process trees for managed endpoints and high-value user groups.
- Alert or hunt for interpreters, scripts, and binaries whose parent is loginwindow (running as root at login) and whose path is not in the approved login-time inventory; on managed endpoints that lineage is unexpected.
- Correlate defaults writes or plist modifications that set LoginHook or LogoutHook with execution of the same path under loginwindow at the next login.
- Tune carefully for legitimate enterprise management tools, user-approved login items, and administrative scripts that may create similar telemetry.
- Because no official detection logic is supplied, validate locally that required telemetry is collected, retained, and queryable before treating this as covered.
Mitigation priorities
- Maintain an inventory of approved macOS login-time execution mechanisms and administrative scripts.
- Monitor, and where operationally feasible prevent, changes to the LoginHook and LogoutHook keys in the com.apple.loginwindow domain; because the hook runs as root, any such change is a privileged configuration change.
- Use endpoint management and security tooling to review unexpected auto-start entries on macOS systems, checking login hooks alongside LaunchAgents, LaunchDaemons, and Login Items.
- Ensure incident response playbooks include collection of login persistence configuration, recent configuration changes, and process lineage evidence.
- Prioritize higher scrutiny for macOS endpoints tied to privileged access or critical business workflows.
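The detection direction and the mitigation inventory above can be exercised with a small amount of code. The block below is an added example, not code from the ATT&CK object or from the Glexia page: it parses defaults write command lines that set a login or logout hook, correlates them with later execution under loginwindow, and audits a collected com.apple.loginwindow.plist against an approved inventory. All events and the plist are constructed; the event field names (ts, event, user, image, parent_image, cmdline), the APPROVED_HOOKS inventory, and the interpreter list are assumptions, not any vendor's schema.

```python
"""Login-hook detection and audit helpers for macOS telemetry.

Added example; not code from the ATT&CK object or the Glexia page. Every event
record and the plist below are constructed. The event field names (ts, event,
user, image, parent_image, cmdline) are an assumed normalized EDR schema.
"""
import plistlib
import shlex

# The hook is the LoginHook/LogoutHook key in the com.apple.loginwindow domain;
# loginwindow runs that path as root and passes the user's short name as $1.
LOGINWINDOW_DOMAIN = "com.apple.loginwindow"
HOOK_KEYS = ("LoginHook", "LogoutHook")
LOGINWINDOW_IMAGE = "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow"
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript", "/usr/bin/python3"}

# Hypothetical approved inventory of login-time scripts (assumption for the example).
APPROVED_HOOKS = {"/Library/Management/login.sh"}


def _is_loginwindow_domain(domain):
    # Accept the bare domain or a path form such as
    # /var/root/Library/Preferences/com.apple.loginwindow(.plist)
    tail = domain.rsplit("/", 1)[-1]
    if tail.endswith(".plist"):
        tail = tail[: -len(".plist")]
    return tail == LOGINWINDOW_DOMAIN


def hook_written_by_defaults(cmdline):
    """Return (key, path) when cmdline is a `defaults write` that sets a login/logout hook."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if argv and argv[0] == "sudo":
        argv = argv[1:]
    if len(argv) < 5 or not argv[0].endswith("defaults") or argv[1] != "write":
        return None
    domain, key, value = argv[2], argv[3], argv[4:]
    if value and value[0].startswith("-"):  # optional type flag, e.g. -string
        value = value[1:]
    if not value or key not in HOOK_KEYS or not _is_loginwindow_domain(domain):
        return None
    return key, value[0]


def audit_loginwindow_plist(plist_bytes, approved=APPROVED_HOOKS):
    """List (key, path) hook entries in a loginwindow plist that are not in the approved inventory."""
    prefs = plistlib.loads(plist_bytes)  # XML or binary plist
    return [(k, prefs[k]) for k in HOOK_KEYS if k in prefs and prefs[k] not in approved]


def executed_target(ev):
    """What actually ran: an interpreter's first non-option argument, else the image itself."""
    image = ev["image"]
    if image not in INTERPRETERS:
        return image
    for arg in shlex.split(ev.get("cmdline", ""))[1:]:
        if not arg.startswith("-"):
            return arg
    return image


def find_login_hook_persistence(events, approved=APPROVED_HOOKS):
    """Correlate hook configuration with later execution under loginwindow.

    Finding types: 'config' (a defaults write set a hook), 'lineage' (an unapproved
    child of loginwindow), 'correlated' (that child's target was set by an earlier write).
    """
    findings, configured = [], {}  # configured: hook path -> ts it was written
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "process_create":
            continue
        hook = hook_written_by_defaults(ev.get("cmdline", ""))
        if hook:
            key, path = hook
            configured[path] = ev["ts"]
            findings.append({"type": "config", "ts": ev["ts"], "user": ev["user"], "key": key, "target": path})
            continue
        if ev.get("parent_image") != LOGINWINDOW_IMAGE:
            continue
        target = executed_target(ev)
        if target in approved or ev["image"] in approved:
            continue
        findings.append({
            "type": "correlated" if target in configured else "lineage",
            "ts": ev["ts"], "user": ev["user"], "image": ev["image"],
            "target": target, "configured_at": configured.get(target),
        })
    return findings


# Constructed telemetry: a hook is set via sudo, then fires at the next login.
CONSTRUCTED_EVENTS = [
    {"ts": 1, "event": "process_create", "user": "root", "image": "/usr/bin/defaults",
     "parent_image": "/usr/bin/sudo",
     "cmdline": "defaults write com.apple.loginwindow LoginHook /Users/Shared/.cache/update.sh"},
    {"ts": 2, "event": "process_create", "user": "jdoe", "image": "/usr/bin/defaults",
     "parent_image": "/bin/zsh", "cmdline": "defaults write com.apple.dock autohide -bool true"},
    {"ts": 3, "event": "process_create", "user": "root", "image": "/bin/sh",
     "parent_image": LOGINWINDOW_IMAGE, "cmdline": "/bin/sh /Library/Management/login.sh jdoe"},
    {"ts": 4, "event": "process_create", "user": "root", "image": "/bin/sh",
     "parent_image": LOGINWINDOW_IMAGE, "cmdline": "/bin/sh /Users/Shared/.cache/update.sh jdoe"},
]

# Constructed com.apple.loginwindow.plist as it might be collected during response.
CONSTRUCTED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>LoginHook</key><string>/Users/Shared/.cache/update.sh</string>
  <key>SHOWFULLNAME</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for finding in find_login_hook_persistence(CONSTRUCTED_EVENTS):
        print(finding)
    print("unapproved hooks in plist:", audit_loginwindow_plist(CONSTRUCTED_PLIST))
```

Run against the constructed events, the approved management script under loginwindow produces nothing, the dock preference write is ignored, and the attacker's hook yields a config finding followed by a correlated finding pointing back at the write that set it. The plist audit returns the same path, which is the evidence the incident response playbook above asks for; in practice the plist is collected from the root-owned locations named in the telemetry list, not from a user's home directory.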
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique entry, and no relationship context or official detection logic was provided. The strongest supported interpretation is a macOS persistence detection objective centered on login hooks, defaults/plist modification, and broken or unexpected parent-child process lineage.
Tactics, related techniques, procedure examples, mitigations, and a concrete detection query are not supplied. This take should not be read as evidence of active exploitation, adversary attribution, or confirmed detection coverage. Local macOS configuration standards and telemetry quality are required to determine applicability.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ce34fc41f98a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0682
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.