MITRE ATT&CK® Analytic

AN1102: Analytic 1102

Adversary runs 'system_profiler SPApplicationsDataType' or queries plist files to enumerate software via Terminal or scripts.

Enterprise | AN1102 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is about a macOS host behavior where software inventory is enumerated through Terminal or scripts, specifically by running system_profiler for application data or querying plist files. For leaders, the value is not the command itself; it is whether the organization can distinguish legitimate administration and inventory activity from suspicious local reconnaissance on managed Macs.

Executive priority

Prioritize this as a macOS visibility and incident-triage question. If Macs are used by executives, developers, administrators, or other high-value users, software enumeration can help an intruder understand installed tools and choose next actions. Security leaders should ask whether endpoint telemetry, logging retention, and SOC playbooks can show who ran software-discovery commands, from what parent process, and whether the activity aligns with approved IT management workflows.

Technical view

SOC and detection teams should validate macOS coverage for command execution involving system_profiler SPApplicationsDataType and scripted or terminal-based access to plist-based software inventory. Because the official object provides no detection logic and no tactic mapping, treat this as a focused analytic candidate rather than a complete detection. Baseline expected activity from IT inventory, MDM, EDR, helpdesk scripts, and administrator shells before alerting on the behavior broadly.

Likely telemetry

  • macOS process execution telemetry, including command line arguments
  • Parent-child process context for Terminal, shells, scripts, and management agents
  • User account and device identity associated with the command
  • File access or query activity involving application-related plist files where available
  • Endpoint management or IT inventory job logs for approved software enumeration

Detection direction

  • Validate that command-line capture includes system_profiler arguments, especially SPApplicationsDataType.
  • Tune for context: Terminal or script execution by an unusual user, unusual parent process, or outside expected management windows may be more useful than the command alone.
  • Suppress or separately classify known-good MDM, IT inventory, compliance, and helpdesk workflows to reduce false positives.
  • Correlate with other suspicious macOS activity if available, because the supplied analytic has no ATT&CK tactic mapping or relationship context.
  • Check blind spots on unmanaged Macs, privacy-restricted logging, short retention windows, and telemetry that records process names but not arguments.
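The triage logic described in the list above, as an added example (not MITRE's or Glexia's detection logic). The approved-parent path, the event field names, and the choice of defaults, plutil and PlistBuddy as plist readers are assumptions; the analytic itself only says "queries plist files".

```python
import os
import shlex

# Assumption: parents from the local baseline of approved inventory tooling
# (placeholder path, not a real product location).
APPROVED_PARENTS = {"/opt/example-mdm/bin/agent"}
# Assumption: plist readers to watch; the analytic only says "queries plist files".
PLIST_TOOLS = {"defaults", "plutil", "PlistBuddy"}

def classify(event):
    """Label one process-execution event: ignore, coverage_gap,
    approved_inventory or review."""
    try:
        argv = shlex.split(event["cmdline"])
    except ValueError:              # unbalanced quotes in captured command line
        argv = event["cmdline"].split()
    if not argv:
        return "ignore"
    tool, args = os.path.basename(argv[0]), argv[1:]
    if tool == "system_profiler":
        if not args:
            # Process name without arguments: the data type cannot be checked.
            return "coverage_gap"
        hit = "SPApplicationsDataType" in args
    elif tool in PLIST_TOOLS:
        # Application metadata lives in <App>.app/Contents/Info.plist;
        # `defaults read` accepts the path without the .plist suffix.
        hit = any(".app/Contents/Info" in a for a in args)
    else:
        hit = False
    if not hit:
        return "ignore"
    if event["parent"] in APPROVED_PARENTS:
        return "approved_inventory"
    return "review"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"user": "root", "parent": "/opt/example-mdm/bin/agent",
     "cmdline": "/usr/sbin/system_profiler SPApplicationsDataType -json"},
    {"user": "alice", "parent": "/bin/zsh",
     "cmdline": "system_profiler SPApplicationsDataType"},
    {"user": "alice", "parent": "/bin/bash",
     "cmdline": "defaults read /Applications/Example.app/Contents/Info CFBundleName"},
    {"user": "alice", "parent": "/bin/zsh", "cmdline": "system_profiler"},
    {"user": "bob", "parent": "/bin/zsh",
     "cmdline": "system_profiler SPHardwareDataType"},
]

def triage(events):
    return [classify(e) for e in events]
```

Events labelled coverage_gap are worth counting separately: a high share of them means the sensor records process names but not arguments, so the analytic cannot be evaluated on those hosts.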

Mitigation priorities

  • Establish and document approved macOS software-inventory mechanisms so defenders can separate authorized administration from suspicious discovery.
  • Ensure managed Macs collect process execution and command-line telemetry with appropriate retention for investigations.
  • Limit routine administrative access and script execution paths to approved users and management tooling.
  • Review endpoint management coverage for high-value macOS users and systems.
  • Use this analytic as compliance and readiness evidence only after confirming the organization can collect and review the relevant telemetry.
Analyst notes and limits

This is a detection analytic object, not a full ATT&CK technique entry. The only supported platform is macOS, and the official description is limited to software enumeration using system_profiler SPApplicationsDataType or plist queries via Terminal or scripts. No relationships, aliases, labels, tactics, or official detection text were supplied.

No active exploitation, attribution, impact, or detection efficacy can be inferred from the supplied fields. Local baselining is required because the same behavior can be normal for IT administration, endpoint management, software audits, or troubleshooting.

Official MITRE ATT&CK definition

Analytic 1102

Adversary runs 'system_profiler SPApplicationsDataType' or queries plist files to enumerate software via Terminal or scripts.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 6a3354531b8f77f2...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 6a3354531b8f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1102
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.