AN1386: Analytic 1386
Hidden files via 'chflags hidden' or Apple-specific attributes, LaunchAgents/LaunchDaemons placed in non-standard hidden directories. Defender view: detect command execution modifying file flags and unusual plist creation in hidden paths.
Analyst context for executives and security teams
This analytic is about macOS persistence or concealment risk where files are hidden with Apple file attributes or where LaunchAgents/LaunchDaemons appear in unusual hidden directories. For leaders, the practical issue is not the hiding command itself; it is whether the organization can prove visibility into macOS file-attribute changes and suspicious plist creation paths before an investigation depends on that evidence.
Executive priority
Prioritize this where macOS endpoints support privileged users, developers, administrators, or business-critical workflows. The decision value is coverage validation: confirm whether endpoint logging, managed detection, and incident response playbooks can surface hidden-path LaunchAgent/LaunchDaemon activity and file flag changes. This also supports audit and compliance evidence by showing that macOS persistence and concealment behaviors are monitored, not just Windows-centric activity.
Technical view
For SOC and detection engineering teams, validate telemetry for macOS command execution that modifies file flags, especially use of Apple-specific hidden attributes, and for creation of plist files in hidden or non-standard LaunchAgent/LaunchDaemon-related paths. Because no ATT&CK tactic or formal detection logic is supplied, treat this as an analytic validation target rather than a complete rule. Baseline legitimate administrative or software-management activity that may set hidden flags or create plist files, then tune for unusual paths, parent processes, users, and timing.
Likely telemetry
- macOS process execution telemetry, including command line and parent process context
- File metadata or file attribute change events showing hidden flag modifications
- File creation events for plist files
- Path telemetry for hidden directories and non-standard LaunchAgent or LaunchDaemon locations
- Endpoint detection or system audit logs that preserve user, process, timestamp, and file path context
Detection direction
- Confirm that macOS command-line activity related to file flag modification is collected with sufficient command-line detail.
- Validate monitoring for plist creation in hidden directories and non-standard LaunchAgent/LaunchDaemon paths.
- Tune detections against known software deployment, device management, and administrator workflows to reduce false positives.
- Look for combinations of concealment and persistence indicators, such as hidden path usage plus plist creation, rather than isolated hidden-file activity alone.
- Document blind spots where endpoint agents do not capture file attribute changes, hidden paths, or full process ancestry on macOS.
Mitigation priorities
- Establish and enforce approved macOS management workflows for LaunchAgents and LaunchDaemons.
- Restrict unnecessary administrative privileges that allow users or processes to modify sensitive persistence locations.
- Ensure endpoint logging or EDR configuration captures macOS process execution, file creation, and file attribute changes.
- Review hardening and monitoring coverage for hidden directories used outside expected application or management paths.
- Include this behavior in macOS incident response triage checklists so responders know to inspect hidden paths and plist creation activity.
Analyst notes and limits
The supplied object is a detection analytic for macOS with a description focused on hidden files via chflags hidden or Apple-specific attributes and unusual plist creation in hidden paths. No relationships, aliases, tactic mapping, or official detection logic were supplied, so recommendations are framed as validation and coverage guidance rather than a definitive detection rule.
Assessment is limited to the official STIX fields, the MITRE external reference, and the provided description. Local baselines are required to distinguish legitimate macOS administration or software-management behavior from suspicious activity. No active exploitation, actor attribution, impact, or guaranteed detection coverage is implied.
Analytic 1386
Hidden files via 'chflags hidden' or Apple-specific attributes, LaunchAgents/LaunchDaemons placed in non-standard hidden directories. Defender view: detect command execution modifying file flags and unusual plist creation in hidden paths.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | f0cdeca8eb77… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1386Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.