AN1224: Analytic 1224
Detects execution patterns where a child process is detached from its original parent, often showing up under 'launchd' (PID 1) with no parent lineage. These breakages in the process tree are indicative of evasive techniques using `daemon()`, `fork()` or background execution flags.
Analyst context for executives and security teams
This analytic is about a macOS process-lineage break: a child process detaches from its original parent and appears under launchd (PID 1) or with missing parent context. For leaders, the practical issue is not the specific API call; it is whether the organization can still reconstruct execution history when malware, scripts, or legitimate tools run in ways that obscure parent-child relationships.
Executive priority
Prioritize this as a macOS visibility and incident-readiness question. If endpoint telemetry cannot preserve process lineage, SOC and IR teams may struggle to explain how suspicious activity started, what user or application initiated it, and whether containment should focus on an account, host, application, or broader fleet pattern. This also affects audit and compliance evidence where investigations depend on reliable endpoint event history.
Technical view
Validate macOS detections that identify processes re-parented to launchd (PID 1), processes with absent or broken parent lineage, and execution patterns consistent with daemonization, fork-based detachment, or background execution. Because ATT&CK provides no formal detection logic for AN1224, teams should treat this as an analytic design requirement: confirm whether endpoint data records process start time, PID, parent PID, executable path, command line where available, user context, and prior ancestry before the lineage break. Baseline expected macOS daemon and service behavior to avoid excessive false positives.
Likely telemetry
- macOS endpoint process creation events
- Process identifiers including PID and parent PID
- Process ancestry or lineage data where available
- launchd-related parentage observations, especially PID 1
- Executable path, process name, and command-line metadata where collected
Detection direction
- Test whether the SOC can identify processes that unexpectedly appear under launchd or have no usable parent lineage.
- Tune against normal macOS service, daemon, updater, and background task behavior to reduce false positives.
- Correlate lineage breaks with adjacent context such as unusual executable locations, unexpected user context, rare process names, or suspicious timing rather than alerting on re-parenting alone.
- Confirm whether endpoint tools retain enough historical ancestry to reconstruct the original parent before detachment.
- Document blind spots where privacy settings, sensor configuration, or limited command-line collection prevent reliable process-tree analysis.
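The validation steps above (track PID and parent PID from process creation events, reconstruct the original parent when a child is orphaned to launchd, flag processes with no usable lineage, and attach context rather than alerting on re-parenting alone) can be exercised against constructed telemetry. The following is an added example written for this page; it is not code from MITRE ATT&CK or from the AN1224 analytic. Its event field names (`kind`, `ts`, `pid`, `ppid`, `exe`, `user`, `cmdline`), the launchd baseline prefixes, the 2-second daemonize window and every sample event are assumptions made for illustration. Note that macOS sensors emit no event when the kernel re-parents an orphan, so the tracker infers the break from the parent's exit event while its children are still alive.

```python
"""Lineage-break detection over constructed macOS process events.
Added example, not MITRE ATT&CK or AN1224 code; field names, baseline
prefixes, the daemonize window and the sample stream are assumptions."""
from dataclasses import dataclass

LAUNCHD_PID = 1
DAEMONIZE_WINDOW_S = 2.0  # assumed: parent exiting this soon after spawning resembles daemon()
# Assumed baseline of executable prefixes that legitimately start directly under launchd.
LAUNCHD_BASELINE = ("/usr/libexec/", "/usr/sbin/", "/System/Library/",
                    "/System/Applications/", "/Library/Apple/")
# Assumed locations that add risk context to a lineage break.
UNUSUAL_EXE_PREFIXES = ("/tmp/", "/private/tmp/", "/Users/Shared/", "/private/var/folders/")


@dataclass
class Event:
    kind: str          # "exec" or "exit"
    ts: float          # constructed timestamp, seconds
    pid: int
    ppid: int = 0
    exe: str = ""
    user: str = ""
    cmdline: str = ""


@dataclass
class Proc:
    pid: int; ppid: int; exe: str; user: str; cmdline: str; start: float


@dataclass
class Finding:
    pid: int; exe: str; reason: str; original_parent: str; context: list


class LineageTracker:
    """Live process table plus full history, so the pre-break parent can be reconstructed."""

    def __init__(self):
        launchd = Proc(LAUNCHD_PID, 0, "/sbin/launchd", "root", "/sbin/launchd", 0.0)
        self.live = {LAUNCHD_PID: launchd}
        self.history = {LAUNCHD_PID: launchd}  # never pruned here; real sensors need retention limits

    def _context(self, proc):
        ctx = []
        if proc.exe.startswith(UNUSUAL_EXE_PREFIXES):
            ctx.append("unusual executable location")
        if " & " in proc.cmdline or "nohup " in proc.cmdline:
            ctx.append("background execution flag in command line")
        parent = self.history.get(proc.ppid)
        if parent and parent.pid != LAUNCHD_PID and parent.user != proc.user:
            ctx.append(f"user differs from parent ({parent.user} -> {proc.user})")
        return ctx

    def _on_exec(self, ev):
        proc = Proc(ev.pid, ev.ppid, ev.exe, ev.user, ev.cmdline, ev.ts)
        parent_seen = ev.ppid in self.live
        self.live[ev.pid] = proc
        self.history[ev.pid] = proc
        if ev.ppid == LAUNCHD_PID and not ev.exe.startswith(LAUNCHD_BASELINE):
            return [Finding(ev.pid, ev.exe, "started directly under launchd outside baseline",
                            "launchd (pid 1)", self._context(proc))]
        if not parent_seen:
            return [Finding(ev.pid, ev.exe, "parent PID never observed (no usable lineage)",
                            f"pid {ev.ppid} (unknown)", self._context(proc))]
        return []

    def _on_exit(self, ev):
        parent = self.live.pop(ev.pid, None)
        if parent is None:
            return []
        findings = []
        for child in self.live.values():
            if child.ppid != ev.pid:
                continue
            ctx = self._context(child)  # evaluated before the ppid is rewritten
            if ev.ts - child.start <= DAEMONIZE_WINDOW_S:
                ctx.append(f"parent exited within {DAEMONIZE_WINDOW_S:.1f}s of spawning child (daemonize pattern)")
            child.ppid = LAUNCHD_PID  # mirror the kernel: orphans are re-parented to launchd
            findings.append(Finding(child.pid, child.exe, "orphaned; re-parented to launchd",
                                    f"{parent.exe} (pid {parent.pid})", ctx))
        return findings

    def process(self, events):
        out = []
        for ev in sorted(events, key=lambda e: e.ts):
            out.extend(self._on_exec(ev) if ev.kind == "exec" else self._on_exit(ev))
        return out


# Constructed sample stream: a system daemon, a Terminal session, a fork-then-exit
# from /private/tmp, an exec with an unseen parent, and a user binary under launchd.
SAMPLE_EVENTS = [
    Event("exec", 100.0, 250, 1, "/usr/libexec/trustd", "root", "/usr/libexec/trustd"),
    Event("exec", 110.0, 400, 1, "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "alice", "Terminal"),
    Event("exec", 111.0, 410, 400, "/bin/zsh", "alice", "-zsh"),
    Event("exec", 120.0, 420, 410, "/private/tmp/.updater", "alice", "/private/tmp/.updater"),
    Event("exec", 120.2, 421, 420, "/private/tmp/.updater", "alice", "/private/tmp/.updater --worker"),
    Event("exit", 120.5, 420),
    Event("exec", 125.0, 500, 777, "/usr/bin/curl", "alice", "/usr/bin/curl --version"),
    Event("exec", 130.0, 510, 1, "/Users/Shared/sync", "alice", "/Users/Shared/sync"),
]


def run_sample():
    """Return the findings the tracker raises over SAMPLE_EVENTS (three expected)."""
    return LineageTracker().process(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"pid {f.pid} {f.exe}: {f.reason}; original parent: {f.original_parent}; context: {f.context}")
```

Running the sample yields three findings: the worker orphaned when its short-lived parent exited (original parent recovered from history, flagged for the unusual path and the daemonize timing), the `curl` whose parent PID was never observed, and the `/Users/Shared` binary started directly under launchd. The two launchd-started baseline processes and the normal shell chain raise nothing, which is the tuning behaviour the detection direction calls for; in production the baseline would be derived from fleet telemetry and history would be bounded by the retention window discussed above.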
Mitigation priorities
- Ensure macOS endpoint monitoring is enabled and configured to capture process creation and parent-child metadata.
- Establish baselines for legitimate launchd-managed processes and common background execution patterns.
- Use least-privilege and software control practices to reduce opportunities for untrusted binaries or scripts to run persistently or detached.
- Prepare IR playbooks that include process-lineage reconstruction and host scoping when parentage is missing or broken.
- Review telemetry retention so analysts can investigate the original execution chain after a lineage break is discovered.
Analyst notes and limits
AN1224 is a detection analytic, not a technique entry. The supplied object identifies macOS as the platform and describes detached child-process behavior involving launchd, daemon(), fork(), or background execution flags. No tactics, relationships, aliases, labels, or official detection logic were supplied, so this assessment focuses on defensive validation rather than threat attribution or a specific ATT&CK tactic.
This assessment is limited to the supplied ATT&CK fields and external reference. It does not establish active exploitation, adversary use, impact, or guaranteed detection. Local endpoint sensor capabilities, macOS fleet configuration, data retention, and normal daemon behavior must be reviewed before determining coverage or alert fidelity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e776a95c6017… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1224
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.