MITRE ATT&CK® Analytic

AN1355: Analytic 1355

Execution of system utilities like 'system_profiler' and 'ioreg' to enumerate hardware components or USB devices, particularly if followed by clipboard, file, or network activity.

Enterprise | AN1355 | Analytic | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is about spotting macOS activity where built-in utilities such as system_profiler or ioreg are used to enumerate hardware components or USB devices, especially when that activity is followed by clipboard, file, or network behavior. For leaders, the value is not the command itself, but whether the organization can distinguish normal administrative inventory activity from behavior that may precede data handling, device reconnaissance, or movement of collected information.

Executive priority

Prioritize this as a macOS visibility and SOC-readiness question. Security leaders should ask whether endpoint monitoring can show when native macOS tools are used for hardware or USB discovery, and whether analysts can correlate that with subsequent clipboard, file, or network activity. This can support incident triage, audit evidence for endpoint monitoring coverage, and operational resilience where macOS devices are used by privileged staff, developers, executives, or regulated business functions.

Technical view

For SOC and detection engineering teams, validate telemetry for execution of macOS system utilities named in the analytic: system_profiler and ioreg. The analytic’s decision point is correlation: utility execution becomes more meaningful when followed by clipboard access, file activity, or network activity. Because no ATT&CK tactic or formal detection logic is supplied, teams should treat this as a detection concept to operationalize locally rather than a complete rule. Baseline expected administrative, IT support, MDM, and inventory-management use before alerting broadly.

Likely telemetry

  • macOS process execution events for system_profiler and ioreg
  • Command-line arguments for relevant process executions, where available
  • Parent and child process context for those utilities
  • Subsequent file creation, modification, or access events near the execution window
  • Clipboard-related telemetry, if collected and privacy-approved

Detection direction

  • Confirm that macOS endpoint telemetry captures native utility execution with enough process and command-line context to identify system_profiler and ioreg usage.
  • Tune detections around sequences: hardware or USB enumeration followed by clipboard, file, or network activity, rather than treating every execution as suspicious.
  • Build allowlists or baselines for known IT administration, inventory, troubleshooting, and device-management activity to reduce false positives.
  • Review visibility gaps for clipboard telemetry and local file activity, since those follow-on behaviors are specifically called out as important context.
  • Use host criticality and user role to prioritize triage, especially where macOS endpoints handle sensitive business data or privileged access.
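The sequence correlation described in the Technical view and Detection direction above, as an added worked example (written for this page; it is not part of the MITRE analytic and not Glexia's or any EDR vendor's code). It runs a time-window correlation over constructed sample telemetry: an execution of system_profiler or ioreg is reported only when clipboard, file, or network activity for the same host and user follows within the window, and executions launched by a baselined parent process are suppressed instead of alerted. The pipe-delimited event layout, the 120-second window, the allowlisted parent name mdm-agent-example and all hosts, users, paths and addresses are assumptions made for the example.

```python
"""Window-based correlation of macOS hardware/USB enumeration with follow-on activity.

Added example. The event layout below is an assumed flat export
(ts|host|user|kind|process|parent|cmdline|detail), not any vendor's schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

ENUM_UTILITIES = {"system_profiler", "ioreg"}          # utilities named by the analytic
FOLLOW_ON_TYPES = {"clipboard", "file", "network"}     # follow-on behaviours named by the analytic
WINDOW = timedelta(seconds=120)                        # assumed correlation window
ALLOWLISTED_PARENTS = {"mdm-agent-example"}            # hypothetical inventory agent; baseline per site


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str            # "process", "clipboard", "file" or "network"
    process: str = ""    # image name, process events only
    parent: str = ""     # parent image name, process events only
    cmdline: str = ""
    detail: str = ""     # path, destination or clipboard summary for follow-on events


@dataclass
class Alert:
    host: str
    user: str
    utility: str
    cmdline: str
    follow_on: list      # (kind, detail) pairs in time order


def parse_telemetry(text: str) -> list:
    """Parse the assumed pipe-delimited export into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, kind, process, parent, cmdline, detail = line.split("|", 7)
        events.append(Event(datetime.fromisoformat(ts), host, user, kind,
                            process, parent, cmdline, detail))
    return events


def is_enumeration(ev: Event) -> bool:
    """True for process executions of the utilities the analytic names."""
    return ev.kind == "process" and ev.process in ENUM_UTILITIES


def correlate(events: list) -> tuple:
    """Return (alerts, suppressed).

    alerts: enumeration executions followed by clipboard/file/network activity
            for the same host and user within WINDOW.
    suppressed: enumeration executions whose parent is baselined, kept for audit.
    A lone execution with no follow-on activity produces nothing, matching the
    analytic's emphasis on the sequence rather than the command itself.
    """
    ordered = sorted(events, key=lambda e: e.ts)
    alerts, suppressed = [], []
    for i, ev in enumerate(ordered):
        if not is_enumeration(ev):
            continue
        if ev.parent in ALLOWLISTED_PARENTS:
            suppressed.append(ev)
            continue
        follow = []
        for later in ordered[i + 1:]:
            if later.ts - ev.ts > WINDOW:   # events are sorted, so stop at the window edge
                break
            if (later.host, later.user) == (ev.host, ev.user) and later.kind in FOLLOW_ON_TYPES:
                follow.append((later.kind, later.detail))
        if follow:
            alerts.append(Alert(ev.host, ev.user, ev.process, ev.cmdline, follow))
    return alerts, suppressed


# Constructed sample telemetry (not real data). 203.0.113.5 is a documentation address.
SAMPLE_TELEMETRY = """\
2024-05-01T10:00:00|mac-01|alice|process|system_profiler|Terminal|system_profiler SPUSBDataType|
2024-05-01T10:00:30|mac-01|alice|file||||/Users/alice/usb-inventory.txt (created)
2024-05-01T10:01:10|mac-01|alice|network||||203.0.113.5:443 (outbound)
2024-05-01T10:05:00|mac-02|svc-inventory|process|ioreg|mdm-agent-example|ioreg -p IOUSB -l|
2024-05-01T10:05:20|mac-02|svc-inventory|file||||/var/log/inventory/usb.txt (modified)
2024-05-01T10:20:00|mac-03|bob|process|ioreg|zsh|ioreg -p IOUSB -w0|
2024-05-01T10:30:00|mac-03|bob|file||||/Users/bob/notes.txt (modified)
"""


def run_demo() -> tuple:
    """Correlate the sample telemetry; returns (alerts, suppressed)."""
    return correlate(parse_telemetry(SAMPLE_TELEMETRY))


if __name__ == "__main__":
    found, baseline_hits = run_demo()
    for a in found:
        print(f"ALERT {a.host}/{a.user}: {a.cmdline!r} followed by {a.follow_on}")
    for s in baseline_hits:
        print(f"baseline {s.host}/{s.user}: {s.cmdline!r} (parent {s.parent})")
```

On the sample data only the mac-01 sequence alerts (file write, then outbound connection, inside the window); the mac-02 execution is suppressed because its parent is the baselined inventory agent, and the mac-03 execution produces nothing because its next file event falls well outside the window. In production the allowlist, the window and the host/user join key are the knobs to tune against the organisation's own IT, MDM and asset-inventory baseline.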

Mitigation priorities

  • Establish reliable macOS endpoint logging and retention for process, file, and network activity before depending on this analytic.
  • Restrict unnecessary administrative access on macOS endpoints and review who can run or automate system inventory actions at scale.
  • Document approved IT support, asset inventory, and device-management workflows so SOC teams can separate expected use from unusual sequences.
  • For sensitive macOS populations, consider tighter monitoring and response playbooks for hardware or USB discovery followed by data staging or outbound network behavior.
  • Use findings from detection validation to improve compliance evidence around endpoint monitoring and incident response readiness.

Analyst notes and limits

This object is a detection analytic, not a technique description. The supplied ATT&CK fields identify macOS as the platform and describe execution of system_profiler and ioreg to enumerate hardware components or USB devices, with higher concern when followed by clipboard, file, or network activity. No relationships, tactics, aliases, labels, or official detection logic were supplied.

The source does not provide a complete detection rule, tactic mapping, relationship context, attribution, prevalence, or impact statement. Local baselining is required because the named utilities can be used legitimately for administration, troubleshooting, and asset inventory. Coverage depends on the organization’s macOS telemetry, privacy constraints, and ability to correlate process execution with follow-on activity.

Official MITRE ATT&CK definition

Analytic 1355

Execution of system utilities like 'system_profiler' and 'ioreg' to enumerate hardware components or USB devices, particularly if followed by clipboard, file, or network activity.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: b8b13d5e410ff89d...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | b8b13d5e410f…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack AN1355 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.