MITRE ATT&CK® Analytic

AN1208: Analytic 1208

Detects creation or modification of user-level Launch Agents in monitored directories using `.plist` files with suspicious `ProgramArguments` or `RunAtLoad` keys. Correlates file write activity with execution of `launchctl` or unsigned binaries invoked at login.

Domain: Enterprise · ID: AN1208 · Type: Analytic · Object version: 1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is about macOS persistence risk: user-level Launch Agents can cause programs to run when a user logs in. For business leaders, the practical issue is whether the organization can see changes to login-time execution paths on macOS endpoints before they become an incident response blind spot.

Executive priority

Prioritize this where macOS systems support privileged users, developers, administrators, or regulated workflows. The decision value is validating whether endpoint monitoring can prove who created or changed Launch Agent `.plist` files, what those files execute, and whether execution occurred through `launchctl` or unsigned binaries at login. That evidence supports incident triage, control assurance, and audit readiness.

Technical view

For SOC and detection teams, validate monitoring of user-level Launch Agent directories on macOS for `.plist` creation or modification. Review the contents of those files for suspicious `ProgramArguments` or `RunAtLoad` keys, then correlate the file write with `launchctl` execution or unsigned binaries invoked at login. Because no ATT&CK tactic or relationship context is supplied, treat this as a focused macOS detection analytic rather than a complete behavior chain.

Likely telemetry

  • macOS file creation and modification events for user-level Launch Agent directories
  • `.plist` file content or metadata sufficient to inspect `ProgramArguments` and `RunAtLoad` keys
  • Process execution telemetry for `launchctl`
  • Code-signing or binary trust status for executed binaries
  • User login/session context to identify binaries invoked at login

Detection direction

  • Confirm endpoint telemetry captures both the Launch Agent `.plist` write and the later execution path; either signal alone may be weak.
  • Tune around legitimate software that commonly installs user Launch Agents to reduce false positives.
  • Prioritize alerts where suspicious `.plist` keys, recent file writes, `launchctl` activity, and unsigned login-time execution appear together.
  • Check for blind spots on unmanaged macOS hosts or endpoints where file-content inspection, process telemetry, or code-signing metadata is unavailable.
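As an added illustration of the Technical view and Detection direction above (example code written for this page, not part of the ATT&CK object or Glexia's tooling), the following Python script parses a constructed user Launch Agent `.plist`, flags `RunAtLoad` and suspicious `ProgramArguments`, and correlates the write with constructed `launchctl` and unsigned login-time process events. The paths, the helper name, the trusted-prefix list and the telemetry field names are assumptions.

```python
import plistlib
from datetime import datetime, timedelta

INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/python3", "/usr/bin/osascript"}
TRUSTED_PREFIXES = ("/Applications/", "/usr/", "/bin/", "/sbin/", "/System/", "/Library/Apple/")

# Constructed sample plist and process telemetry (not real artifacts).
PLIST_PATH = "/Users/alice/Library/LaunchAgents/com.example.sync.plist"
PLIST_BYTES = b"""<plist version="1.0"><dict><key>Label</key><string>com.example.sync</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string>
<string>/Users/alice/.cache/sync-helper</string></array><key>RunAtLoad</key><true/></dict></plist>"""
T0 = datetime(2026, 1, 15, 9, 0, 0)  # time of the plist write (file event)
EVENTS = [
    {"ts": T0 + timedelta(seconds=5), "proc": "/bin/launchctl", "signed": True,
     "args": f"launchctl load {PLIST_PATH}", "session": "interactive"},
    {"ts": T0 + timedelta(hours=3), "proc": "/Users/alice/.cache/sync-helper",
     "args": "sync-helper", "signed": False, "session": "login"},
    {"ts": T0 + timedelta(hours=3), "proc": "/usr/bin/osascript", "signed": True,
     "args": "osascript notify.scpt", "session": "login"},
]

def inspect_plist(path, data):
    """Parse a Launch Agent plist and record why its keys look suspicious."""
    p = plistlib.loads(data)
    args = p.get("ProgramArguments", [])
    reasons = []
    if p.get("RunAtLoad"):
        reasons.append("RunAtLoad")
    if args and args[0] in INTERPRETERS:
        reasons.append("interpreter in ProgramArguments")
    for a in args:  # any absolute path outside trusted install locations
        if a.startswith("/") and not a.startswith(TRUSTED_PREFIXES):
            reasons.append(f"untrusted path {a}")
    return {"plist": path, "label": p.get("Label", ""), "args": args, "reasons": reasons}

def correlate(finding, events, write_ts, window_s=86400):
    """Events after the write that tie it to execution: launchctl acting on the
    plist/label, or an unsigned login-time run of a path the plist references."""
    referenced = {a for a in finding["args"] if a.startswith("/")}
    def linked(e):
        via_launchctl = e["proc"] == "/bin/launchctl" and any(
            k and k in e["args"] for k in (finding["plist"], finding["label"]))
        unsigned_login = e["proc"] in referenced and not e["signed"] and e["session"] == "login"
        return via_launchctl or unsigned_login
    return [e for e in events
            if 0 <= (e["ts"] - write_ts).total_seconds() <= window_s and linked(e)]

def analyze(path, data, write_ts, events):
    f = inspect_plist(path, data)  # alert only when suspicious keys and execution coincide
    f["correlated"] = correlate(f, events, write_ts)
    return {**f, "alert": len(f["reasons"]) >= 2 and bool(f["correlated"])}
```

A vendor agent under `/Applications/` with only `RunAtLoad` set yields a single reason and no alert, which is the local baselining the analyst notes call for.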

Mitigation priorities

  • Inventory and monitor authorized user-level Launch Agents on macOS endpoints.
  • Restrict or review software installation and login-item changes where business processes allow.
  • Ensure endpoint controls collect file, process, login, and code-signing evidence needed for this analytic.
  • Use incident response playbooks to preserve the `.plist`, associated binary, user context, and execution timeline when this activity is observed.

Analyst notes and limits

The object is an ATT&CK detection analytic for macOS. It provides a concise description but no separate official detection text, no tactics, and no relationship context. Local baselining is important because legitimate macOS applications may create Launch Agents.

This take is limited to the supplied STIX fields and external reference. It does not assert active exploitation, attribution, impact, or guaranteed detection coverage. Effectiveness depends on local macOS telemetry quality and the ability to inspect `.plist` contents and execution metadata.

Official MITRE ATT&CK definition

Analytic 1208

Detects creation or modification of user-level Launch Agents in monitored directories using `.plist` files with suspicious `ProgramArguments` or `RunAtLoad` keys. Correlates file write activity with execution of `launchctl` or unsigned binaries invoked at login.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 38e59ef958db5a4f...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  38e59ef958db…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1208 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.