AN1454: Analytic 1454
Execution of system info utilities like `systemsetup`, `sw_vers`, `uname`, or `sysctl` by terminal or scripted processes.
Analyst context for executives and security teams
This analytic is about spotting macOS terminal or scripted execution of common system information utilities such as `systemsetup`, `sw_vers`, `uname`, and `sysctl`. On its own, this behavior can be normal administration, troubleshooting, or software inventory activity. Its decision value is that it can also help identify when a process is collecting host details that may matter during an investigation, especially if it occurs from unusual users, unfamiliar scripts, unexpected parent processes, or outside approved management workflows.
Executive priority
Treat this as a validation point for macOS visibility rather than a standalone high-severity alert. Security leaders should ask whether SOC and incident response teams can reliably see command-line process execution on macOS endpoints, distinguish approved IT automation from unusual scripted activity, and preserve that evidence for investigations and audit support. The priority is operational readiness: without this telemetry, teams may miss early context-gathering behavior or lack evidence needed to reconstruct activity on macOS systems.
Technical view
For SOC and detection teams, validate coverage for macOS process execution involving `systemsetup`, `sw_vers`, `uname`, and `sysctl`, especially when launched by terminal or scripted processes. Because the ATT&CK object does not provide official detection logic, tactics, or relationship context, this should be implemented as contextual detection or enrichment rather than a high-confidence malicious indicator. Useful triage dimensions include parent process, user account, command line, script path, execution frequency, host role, and whether the activity aligns with known administrative tooling or software management.
Likely telemetry
- macOS process creation events
- Command-line arguments for process execution
- Parent-child process relationships
- User account and session context
- Script execution context and script file paths where available
Detection direction
- Confirm that macOS endpoint telemetry records executions of `systemsetup`, `sw_vers`, `uname`, and `sysctl` with command-line and parent process details.
- Baseline expected administrative, inventory, troubleshooting, and management-tool usage to reduce false positives.
- Prioritize review when these utilities are launched by unusual scripts, unexpected terminal sessions, unfamiliar users, or processes not associated with approved IT workflows.
- Use this analytic as a supporting signal in investigations rather than a standalone determination of malicious activity, since the official ATT&CK object provides no detection logic or relationship context.
- Check for blind spots on unmanaged macOS assets, limited command-line logging, short telemetry retention, and missing script provenance.
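As an added example (not part of the ATT&CK object or of Glexia's analysis), the following Python applies the triage dimensions listed above, parent process, user account, script path and execution frequency, to macOS process-creation events. The event field names, the allowlist paths and users, and the sample records are all constructed for this illustration; a real deployment maps its own EDR or endpoint-security fields onto them and derives the allowlists from a local baseline.

```python
"""Contextual triage of macOS system-information utility executions.

Added example: the event shape, Policy values and SAMPLE_EVENTS below are
constructed placeholders, not telemetry or tooling from any real product.
"""
from __future__ import annotations

import os
from collections import defaultdict
from dataclasses import dataclass, field

# The four utilities the analytic names, matched on the executable basename.
SYSINFO_UTILS = {"systemsetup", "sw_vers", "uname", "sysctl"}


@dataclass
class Policy:
    """Environment baseline. Values here are hypothetical; tune from real data."""
    approved_parents: set[str]             # management agents expected to inventory hosts
    approved_users: set[str]               # accounts expected to run these utilities
    approved_script_dirs: tuple[str, ...]  # where sanctioned automation is stored
    burst_window: float = 10.0             # seconds
    burst_threshold: int = 3               # distinct utilities from one parent in the window


@dataclass
class Finding:
    ts: float
    host: str
    pid: int
    utility: str
    cmdline: str
    reasons: list[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # One anomaly is worth a look; two or more should go to the top of the queue.
        return "priority" if len(self.reasons) >= 2 else "review"


def _under(path: str, dirs: tuple[str, ...]) -> bool:
    """True when path lives below one of the approved automation directories."""
    norm = os.path.normpath(path)
    return any(norm.startswith(os.path.normpath(d) + os.sep) for d in dirs)


def triage(events: list[dict], policy: Policy) -> list[Finding]:
    """Return a Finding for every sysinfo-utility execution that departs from the baseline."""
    findings: list[Finding] = []
    # (host, parent pid) -> recent (timestamp, utility) pairs for the frequency check
    recent: dict[tuple[str, int], list[tuple[float, str]]] = defaultdict(list)

    for ev in sorted(events, key=lambda e: e["ts"]):
        util = os.path.basename(ev["exe"])
        if util not in SYSINFO_UTILS:
            continue
        f = Finding(ev["ts"], ev["host"], ev["pid"], util, " ".join(ev["argv"]))
        parent_ok = ev["parent_exe"] in policy.approved_parents

        if not parent_ok:
            f.reasons.append(f"parent {ev['parent_exe']} is not an approved management tool")
        if ev["user"] not in policy.approved_users:
            f.reasons.append(f"user {ev['user']} is not expected to run sysinfo utilities")
        script = ev.get("script_path")
        if script and not _under(script, policy.approved_script_dirs):
            f.reasons.append(f"script {script} is outside approved automation directories")

        # Frequency: inventory agents legitimately enumerate many values, so the
        # burst check only applies to parents that are not already approved.
        if not parent_ok:
            key = (ev["host"], ev["ppid"])
            window = [(t, u) for t, u in recent[key] if ev["ts"] - t <= policy.burst_window]
            window.append((ev["ts"], util))
            recent[key] = window
            distinct = {u for _, u in window}
            if len(distinct) >= policy.burst_threshold:
                f.reasons.append(
                    f"{len(distinct)} distinct sysinfo utilities from one parent "
                    f"within {policy.burst_window:g}s")

        if f.reasons:
            findings.append(f)
    return findings


# Constructed baseline and sample telemetry for a stand-alone run.
POLICY = Policy(
    approved_parents={"/opt/example-mdm/bin/agent"},
    approved_users={"root", "mdm-svc", "itadmin"},
    approved_script_dirs=("/usr/local/example-corp/scripts",),
)

def _ev(ts, pid, ppid, user, exe, argv, parent, script=None):
    return {"ts": ts, "host": "mac-01", "pid": pid, "ppid": ppid, "user": user,
            "exe": exe, "argv": argv, "parent_exe": parent, "script_path": script}

SAMPLE_EVENTS = [
    # Management agent inventory run: fully within baseline, produces no finding.
    _ev(100.0, 501, 400, "root", "/usr/bin/sw_vers", ["sw_vers", "-productVersion"],
        "/opt/example-mdm/bin/agent"),
    # IT admin in an interactive shell: one deviation (parent), lands in "review".
    _ev(200.0, 612, 600, "itadmin", "/usr/bin/uname", ["uname", "-a"], "/bin/zsh"),
    # Unfamiliar user, script in /tmp, four utilities in four seconds: "priority".
    _ev(300.0, 901, 900, "guest", "/usr/bin/sw_vers", ["sw_vers"], "/bin/bash", "/tmp/.s.sh"),
    _ev(301.0, 902, 900, "guest", "/usr/bin/uname", ["uname", "-a"], "/bin/bash", "/tmp/.s.sh"),
    _ev(302.0, 903, 900, "guest", "/usr/sbin/sysctl", ["sysctl", "-n", "hw.model"],
        "/bin/bash", "/tmp/.s.sh"),
    _ev(303.0, 904, 900, "guest", "/usr/sbin/systemsetup", ["systemsetup", "-getcomputername"],
        "/bin/bash", "/tmp/.s.sh"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, POLICY):
        print(f"[{finding.severity}] {finding.host} pid={finding.pid} {finding.cmdline}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

Run as a script it prints one "review" finding for the interactive `uname -a` and four "priority" findings for the scripted sequence; the agent's inventory call produces nothing because every dimension matches the baseline. The frequency dimension is deliberately skipped for approved parents, since an inventory agent enumerating several values in one pass is exactly the behavior the baseline is meant to absorb.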
Mitigation priorities
- Ensure macOS endpoints that matter to the business are covered by endpoint logging capable of process and command-line visibility.
- Document approved administrative and inventory workflows that commonly call these utilities so SOC teams can tune detections responsibly.
- Restrict or monitor script execution paths and administrative access according to least-privilege practices where organizational policy supports it.
- Retain endpoint telemetry long enough to support incident response reconstruction and compliance evidence needs.
- Review unmanaged or lightly managed macOS systems as a visibility gap, especially where they support sensitive business functions.
Analyst notes and limits
This object is a detection analytic for macOS system information utility execution. The supplied ATT&CK data contains a description but no official detection logic, tactics, relationships, aliases, or labels. The strongest use is as a coverage and triage prompt: verify whether the organization can observe and contextualize this behavior on macOS endpoints.
The supplied fields do not support claims about active exploitation, specific adversaries, impact, prevalence, or guaranteed detection. Because system information utilities are commonly used for legitimate administration, local baselines and environment-specific allowlists are required before assigning severity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e873368cb32f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1454 (open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.