AN1176: Analytic 1176
Monitor pmset command executions altering sleep/hibernate/standby parameters. Unexpected modifications to /Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist or similar files should be correlated with process activity.
Analyst context for executives and security teams
This analytic matters because unauthorized changes to macOS power-management settings can reduce endpoint availability, interfere with expected sleep or hibernation behavior, and create gaps in security monitoring assumptions. For leaders, the practical question is whether managed macOS devices generate enough command and file-change evidence to explain who changed power settings, from what process, and whether the change was expected.
Executive priority
Treat this as a macOS endpoint governance and resilience validation point. Security and IT leaders should confirm that power-management changes on managed Macs are auditable, attributable, and reviewable during incident response or compliance checks. Priority is higher in environments where macOS systems support privileged users, always-on operational workflows, or regulated endpoint configuration baselines.
Technical view
For SOC, detection engineering, and IR teams, validate monitoring for pmset command executions that alter sleep, hibernate, standby, or related parameters. Correlate those events with unexpected modifications to /Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist or similar power-management configuration files. Because the ATT&CK object does not specify tactics or a full detection rule, teams should build local logic around known administrative tools, approved management activity, parent process context, user identity, and timing of configuration changes.
Likely telemetry
- macOS process execution telemetry for pmset
- Command-line arguments showing sleep, hibernate, standby, or related power setting changes
- File modification telemetry for /Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist
- File modification telemetry for similar macOS power-management preference files
- User, parent process, and device context associated with the process and file changes
Detection direction
- Validate that macOS process telemetry captures pmset executions with command-line arguments, not only process names.
- Alert or review when pmset changes sleep, hibernate, standby, or related parameters outside approved administrative workflows.
- Correlate pmset activity with modifications to com.apple.PowerManagement.plist or similar files to improve confidence.
- Tune for expected activity from endpoint management, IT administration, or policy enforcement tools to reduce false positives.
- Identify blind spots where file integrity monitoring, endpoint telemetry, or command-line logging is absent on macOS systems.
Mitigation priorities
- Establish approved baselines for macOS power-management settings on managed systems.
- Restrict or govern who can make administrative power-management changes.
- Use endpoint management change records to document authorized configuration updates.
- Ensure endpoint telemetry captures process execution and relevant preference-file modification events.
- Review exceptions for high-value macOS assets where power-state changes could affect monitoring, availability, or operational continuity.
Analyst notes and limits
This object is a detection analytic, not a technique description. Its value is in validating whether defenders can observe and explain macOS power-management changes involving pmset and related preference files. Local baselines are essential because legitimate administration may produce similar events.
The supplied ATT&CK fields provide no tactic, relationship context, procedure examples, mitigation text, or official detection logic beyond the description. This take therefore avoids attribution, impact claims, and assumptions about adversary intent or active exploitation.
Analytic 1176
Monitor pmset command executions altering sleep/hibernate/standby parameters. Unexpected modifications to /Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist or similar files should be correlated with process activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 59fe3a4e6e4c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1176Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.