AN1563: Analytic 1563
Execution of commands to query system locale and language settings, such as 'defaults read -g AppleLocale' or 'systemsetup -gettimezone'. Unusual parent processes or execution contexts of these commands may indicate adversarial discovery.
Analyst context for executives and security teams
This analytic is about spotting macOS commands that check locale, language, or time zone settings. For leaders, the value is not in the command itself but in its context: the same check can be routine administration or suspicious environment discovery, and what separates the two is an unusual parent process or an unexpected execution context. It matters because early discovery behavior can be a useful decision point for SOC triage before a larger incident becomes visible.
Executive priority
Prioritize this as a macOS endpoint visibility and triage-quality question: can the organization prove it collects enough process execution context to tell normal system or admin activity from unusual discovery? This supports incident readiness, managed detection validation, and audit evidence around endpoint monitoring. It should not be treated as a high-confidence standalone signal; its business value depends on correlation with parent process, user, host role, timing, and other suspicious activity.
Technical view
Validate whether macOS telemetry records executions of locale and time zone discovery commands such as `defaults read -g AppleLocale` and `systemsetup -gettimezone`, along with command line, parent process, user, host, and execution context. Since no official detection logic is provided and no ATT&CK relationships are supplied, defenders should treat this as a behavioral analytic seed rather than a complete rule. SOC teams should focus on unusual parents, unexpected launch contexts, rare hosts or users, and correlation with other discovery or execution signals.
Likely telemetry
- macOS process creation events
- Command-line arguments
- Parent and grandparent process metadata
- User account and session context
- Host identity and asset role
Detection direction
- Confirm that macOS process telemetry includes full command-line and parent process details for the relevant commands.
- Baseline expected administrative, configuration management, and user-driven executions to reduce false positives.
- Tune for unusual parent processes or execution contexts rather than command execution alone.
- Correlate with nearby suspicious activity because the supplied analytic has no official detection implementation and no relationship context.
- Identify blind spots where shell activity, scripted execution, or endpoint logging exclusions may hide parent-child process lineage.
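As an added example, not MITRE's or Glexia's code and not an official detection for AN1563, the Python below applies the direction above to a handful of constructed process events: it matches the two command lines the analytic names, walks the parent chain past intermediate shells to find the launch context, and fills in review reasons only when that context or the user falls outside an assumed baseline. The Terminal path, the `/usr/local/bin/mdm-agent` agent, the user names and the events themselves are assumptions standing in for a fleet's own baseline and telemetry; the NSGlobalDomain spelling is included on the assumption that it is the long form of `-g` for `defaults`.

```python
"""Added example: triage of macOS locale/time-zone discovery commands over constructed events (not MITRE/Glexia code)."""
import os
import shlex
from dataclasses import dataclass, field

# Argument sequences named by the analytic; NSGlobalDomain is assumed to be the long form of `-g`.
DISCOVERY_COMMANDS = {
    "defaults": [("read", "-g", "AppleLocale"), ("read", "NSGlobalDomain", "AppleLocale")],
    "systemsetup": [("-gettimezone",)],
}
SHELLS = {"sh", "bash", "zsh", "dash"}  # transparent for lineage: we want the nearest non-shell ancestor

# Constructed baseline (assumption): launch contexts and users under which these queries are routine.
EXPECTED_CONTEXTS = {
    "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",  # interactive admin use
    "/usr/local/bin/mdm-agent",  # hypothetical management agent, not a real product path
}
EXPECTED_USERS = {"itadmin", "root"}

@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    user: str
    host: str
    cmdline: str

@dataclass
class Finding:
    pid: int
    user: str
    cmdline: str
    launch_context: str
    reasons: list = field(default_factory=list)

    @property
    def verdict(self):
        return "review" if self.reasons else "expected"

def argv_of(cmdline):
    # Tokenise a command line; an unparsable line yields [].
    try:
        return shlex.split(cmdline)
    except ValueError:
        return []

def is_discovery_command(cmdline):
    """True when the command line matches one of the analytic's locale/time-zone queries."""
    argv = argv_of(cmdline)
    if not argv:
        return False
    exe = os.path.basename(argv[0])
    return any(tuple(argv[1:1 + len(pat)]) == pat for pat in DISCOVERY_COMMANDS.get(exe, []))

def launch_context(event, by_pid, max_depth=8):
    """Walk parent links, skipping shells, to the executable of the first non-shell ancestor."""
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            return "<unknown parent>"  # lineage gap: itself a blind spot worth surfacing
        argv = argv_of(parent.cmdline)
        exe = argv[0] if argv else "<unparsable>"
        if os.path.basename(exe) not in SHELLS:
            return exe
        cur = parent
    return "<lineage too deep>"

def triage(events):
    """One Finding per discovery command; reasons are filled only for unusual context or user."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not is_discovery_command(e.cmdline):
            continue
        ctx = launch_context(e, by_pid)
        reasons = []
        if ctx not in EXPECTED_CONTEXTS:
            reasons.append(f"unexpected launch context: {ctx}")
        if e.user not in EXPECTED_USERS:
            reasons.append(f"unexpected user: {e.user}")
        findings.append(Finding(e.pid, e.user, e.cmdline, ctx, reasons))
    return findings

# Constructed sample events, not captured telemetry: an interactive admin session, a
# management agent, and a binary in a user cache directory running a query through sh -c.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "itadmin", "mac-01", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
    ProcessEvent(101, 100, "itadmin", "mac-01", "/bin/zsh -l"),
    ProcessEvent(102, 101, "itadmin", "mac-01", "defaults read -g AppleLocale"),
    ProcessEvent(300, 1, "root", "mac-01", "/usr/local/bin/mdm-agent --inventory"),
    ProcessEvent(301, 300, "root", "mac-01", "/usr/bin/defaults read NSGlobalDomain AppleLocale"),
    ProcessEvent(200, 1, "guest", "mac-01", "/Users/guest/Library/Caches/helper"),
    ProcessEvent(201, 200, "guest", "mac-01", "/bin/sh -c 'systemsetup -gettimezone'"),
    ProcessEvent(202, 201, "guest", "mac-01", "systemsetup -gettimezone"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.verdict}] pid={f.pid} user={f.user} context={f.launch_context} :: {f.cmdline}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Run stand-alone it prints one verdict per match. The structural point is that a bare match on the command line yields an "expected" finding rather than an alert; escalation comes from the lineage walk and the user check, and a parent pid that telemetry cannot resolve surfaces as `<unknown parent>` so that gaps in process lineage become visible instead of silently passing as benign.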
Mitigation priorities
- Ensure macOS endpoint monitoring is deployed and configured to capture process and command-line telemetry.
- Define approved administrative and management tooling patterns that may legitimately query locale or time zone settings.
- Use least-privilege and managed administration practices so unusual execution contexts are easier to investigate.
- Document triage procedures for discovery-like macOS commands, including when to escalate based on correlated evidence.
- Review logging retention and access so incident responders can reconstruct parent process and user context.
Analyst notes and limits
The official object is a detection analytic for macOS and describes command execution used to query system locale and language settings. Tactics are not specified, official detection text is not provided, and no relationships were supplied. The strongest defensible interpretation is that this is a context-dependent discovery signal, useful when parent process or execution context is abnormal.
This take is limited to the supplied ATT&CK fields and the single external reference. It does not establish adversary attribution, active exploitation, impact, prevalence, or guaranteed detection. Local baselines and endpoint telemetry quality are required to determine whether this analytic is useful in a specific environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 593b782a314e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1563
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.