AN1327: Analytic 1327
Discovery via launchctl commands, or process enumeration using `ps aux | grep com.apple.` to identify daemons and services.
Analyst context for executives and security teams
This analytic points to macOS service and daemon discovery: activity using launchctl commands or process enumeration such as ps output filtered for Apple service names. For leaders, the significance is not the command itself, but whether the organization can see when macOS hosts are being inventoried for services that may support follow-on decisions during an intrusion investigation.
Executive priority
Prioritize this as a macOS visibility and response-readiness question. Security leaders should ask whether managed endpoints, SOC workflows, and incident response evidence collection can distinguish normal administration or troubleshooting from unusual service discovery. This can support audit evidence for endpoint monitoring coverage and help avoid blind spots in environments where macOS systems support executives, developers, privileged users, or business-critical workflows.
Technical view
Validate telemetry for macOS process execution involving launchctl and process enumeration patterns consistent with ps aux combined with filtering for com.apple. Because no official detection logic or ATT&CK relationships are supplied, teams should treat this as a behavior to baseline and contextualize rather than a standalone high-confidence alert. Useful context includes user, host role, parent process, command line, execution time, remote management context, and whether the activity is new or rare for that endpoint.
Likely telemetry
- macOS process creation events
- Command-line arguments for launchctl, ps, and grep
- Parent-child process relationships
- User and session context
- Endpoint management or administrative tooling context
Detection direction
- Confirm that macOS endpoint telemetry captures full process command lines, not only process names.
- Baseline expected launchctl usage by administrators, endpoint management tools, and local system activity to reduce false positives.
- Look for unusual user, parent process, timing, or host-role context around launchctl and ps/grep service enumeration.
- Avoid treating ps aux | grep com.apple. as inherently malicious; use it as a discovery signal that needs correlation with surrounding activity.
- Document coverage gaps where macOS command-line telemetry is missing, truncated, delayed, or unavailable to the SOC.
Mitigation priorities
- Ensure macOS endpoint monitoring is deployed and configured to collect process execution and command-line evidence where permitted.
- Restrict and monitor administrative access to macOS systems based on least privilege and operational need.
- Maintain host role and ownership data so service-discovery activity can be interpreted in business context.
- Include macOS service-discovery evidence requirements in incident response collection procedures and detection engineering test plans.
- Use security awareness and administrative process controls to separate approved troubleshooting from unexplained enumeration activity.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for macOS and describes discovery through launchctl commands or ps-based process enumeration for com.apple services. No tactic, technique relationships, official detection logic, groups, software, or mitigations were supplied, so this take focuses on practical visibility validation and cautious SOC triage.
Assessment is limited to the official STIX fields, external reference, and absence of relationship context provided. It does not establish malicious intent, active exploitation, attribution, prevalence, or complete detection coverage. Local baselines and endpoint telemetry quality are required to determine operational priority.
Analytic 1327
Discovery via launchctl commands, or process enumeration using `ps aux | grep com.apple.` to identify daemons and services.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | f09f29244795… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1327Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.