AN0911: Analytic 0911
Execution of virtualization binaries (Parallels, VMware Fusion, VirtualBox) with arguments to hide UI. File monitoring for plist modifications indicating hidden virtualization behavior. Defender perspective: tracking process lineage and file modifications in system configs.
Analyst context for executives and security teams
This analytic is about finding macOS virtualization tools such as Parallels, VMware Fusion, or VirtualBox being run in a hidden or non-obvious way, along with plist changes that may support that behavior. For leaders, the value is not just detecting a tool launch; it is knowing whether endpoint monitoring can see virtualized activity that might otherwise fall outside normal user-visible workflows and complicate investigation scope.
Executive priority
Prioritize this where macOS endpoints are used in sensitive business functions, software development, administration, or regulated environments. The control question is whether virtualization use is inventoried, approved, and observable. This can support incident response readiness, audit evidence for endpoint governance, and decisions about whether hidden or unmanaged virtual machines create unacceptable operational or compliance risk.
Technical view
For SOC and IR teams, validate visibility into macOS process lineage for virtualization binaries and their command-line arguments, especially launches that suppress the VM window (for example VirtualBox's VBoxManage startvm <vm> --type headless or the VBoxHeadless front end, and VMware Fusion's vmrun start <vmx> nogui). Correlate those events with file monitoring for plist modifications in system configuration locations. Because no ATT&CK tactic or related technique context is supplied, treat this as a detection analytic that needs local baselining rather than a standalone determination of malicious activity.
Likely telemetry
- macOS process creation events for Parallels, VMware Fusion, and VirtualBox binaries
- Command-line argument telemetry for virtualization process launches
- Parent-child process lineage for virtualization binaries
- File integrity or endpoint file monitoring for plist modifications
- System configuration change records involving virtualization-related plist files
Detection direction
- Confirm that macOS endpoint telemetry captures full process command lines and parent process context for virtualization tools.
- Baseline legitimate virtualization usage by developers, IT administrators, testing teams, or other approved users to reduce false positives.
- Alert or triage on virtualization binaries launched with arguments associated with hidden UI behavior, especially when paired with recent plist modifications.
- Correlate process execution and plist modification timing rather than relying on either signal alone.
- Identify blind spots where command-line capture, plist monitoring, or coverage of unmanaged macOS hosts is incomplete.
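The correlation described in the technical view and the detection direction above, written out as an added example (not part of the ATT&CK analytic or of Glexia's tooling): it runs over a handful of constructed JSON-lines endpoint events, flags virtualization launches whose arguments hide the UI, and raises severity when a watched plist was modified within a short window of the launch. The event schema, the sample events, the plist directories, the approval allowlist and the Parallels argument pattern are assumptions; the VBoxManage "--type headless", VBoxHeadless and vmrun "nogui" patterns are documented options of those tools.

```python
"""Added example: correlate hidden-UI virtualization launches with plist changes.

Everything here is illustrative. The JSON-lines schema, sample events, watched
plist directories, allowlist and the Parallels rule are assumptions; map them
to your own EDR or Endpoint Security export before use.
"""
import json
import os
import shlex
from datetime import datetime, timedelta

# Per-binary checks for arguments that suppress the VM's window.
# VBoxManage/VBoxHeadless and vmrun "nogui" are documented; the prlctl
# "headless" pattern is an assumption to validate against the installed version.
HIDDEN_UI_RULES = {
    "VBoxManage": lambda argv: "startvm" in argv and "--type" in argv and "headless" in argv,
    "VBoxHeadless": lambda argv: True,
    "vmrun": lambda argv: "start" in argv and "nogui" in argv,
    "prlctl": lambda argv: "headless" in argv,  # assumed
}

# Plist locations treated as system configuration (assumed). Matching on the
# substring also covers per-user ~/Library/LaunchAgents and ~/Library/Preferences.
WATCHED_PLIST_DIRS = ("/Library/LaunchDaemons/", "/Library/LaunchAgents/", "/Library/Preferences/")

# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = r"""
{"ts": "2024-05-01T09:00:00", "type": "process", "user": "dev", "parent": "Terminal", "cmdline": "/Applications/VirtualBox.app/Contents/MacOS/VBoxManage startvm \"dev-ubuntu\" --type gui"}
{"ts": "2024-05-01T09:01:10", "type": "file", "action": "modified", "path": "/Users/dev/Library/LaunchAgents/com.example.vmstart.plist"}
{"ts": "2024-05-01T09:01:30", "type": "process", "user": "dev", "parent": "launchd", "cmdline": "/Applications/VirtualBox.app/Contents/MacOS/VBoxManage startvm \"win10\" --type headless"}
{"ts": "2024-05-01T10:15:00", "type": "process", "user": "dev", "parent": "zsh", "cmdline": "vmrun -T fusion start \"/Users/dev/Virtual Machines.localized/test.vmwarevm/test.vmx\" nogui"}
{"ts": "2024-05-01T11:00:00", "type": "file", "action": "modified", "path": "/Library/Preferences/com.apple.loginwindow.plist"}
"""


def is_hidden_ui(binary, argv):
    """True when the binary is a known hypervisor front end launched without a UI."""
    rule = HIDDEN_UI_RULES.get(binary)
    return bool(rule and rule(argv))


def is_watched_plist(path):
    """True for a .plist under one of the watched configuration directories."""
    return path.endswith(".plist") and any(d in path for d in WATCHED_PLIST_DIRS)


def parse_events(jsonl):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def analyze(events, window=timedelta(minutes=10), approved=frozenset()):
    """Return findings for hidden-UI launches, with nearby plist changes attached.

    'approved' is a baseline of (user, binary) pairs known to run headless VMs;
    matching launches are suppressed. Severity is 'high' when a watched plist was
    modified within 'window' of the launch, otherwise 'medium'.
    """
    plist_mods = [e for e in events if e["type"] == "file" and is_watched_plist(e["path"])]
    findings = []
    for event in events:
        if event["type"] != "process":
            continue
        argv = shlex.split(event["cmdline"])
        binary = os.path.basename(argv[0])
        if not is_hidden_ui(binary, argv) or (event["user"], binary) in approved:
            continue
        nearby = [p["path"] for p in plist_mods if abs(p["ts"] - event["ts"]) <= window]
        findings.append({
            "ts": event["ts"].isoformat(),
            "binary": binary,
            "user": event["user"],
            "parent": event["parent"],
            "cmdline": event["cmdline"],
            "plists": nearby,
            "severity": "high" if nearby else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(finding))
```

On the sample data the GUI launch is ignored, the headless VBoxManage launch from launchd is paired with the LaunchAgent plist written twenty seconds earlier and scored high, and the vmrun nogui launch stands alone at medium. Feeding the same events with ("dev", "vmrun") in the approved baseline drops the second finding, which is the baselining step the detection direction calls for.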
Mitigation priorities
- Maintain an approved inventory of macOS virtualization software and authorized users or business use cases.
- Use endpoint configuration management to limit or flag unauthorized virtualization installations and configuration changes where appropriate.
- Ensure plist and process telemetry needed by this analytic is enabled and retained for investigation.
- Document expected virtualization behavior for audit and incident response teams so anomalous hidden execution can be assessed quickly.
- Review exceptions periodically, especially for high-risk systems or users with administrative access.
Analyst notes and limits
The supplied object is a detection analytic for macOS and does not include tactics, related techniques, relationships, or a separate official detection procedure. The most defensible use is as a validation checklist for visibility into hidden virtualization execution and related plist changes, supported by local baselines and asset context.
This take is limited to the official fields provided. It does not establish malicious intent, active exploitation, actor attribution, impact, or guaranteed detection coverage. Local environment evidence is required to distinguish approved headless or background virtualization workflows from suspicious behavior.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6bf0f6105d33… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0911
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.