DET0109: Detection Strategy for Plist File Modification (T1647)
DET0109 is a MITRE detection strategy for identifying plist file modification associated with ATT&CK technique T1647. The business significance is that pli...
Analyst context for executives and security teams
DET0109 is a MITRE detection strategy for identifying plist file modification associated with ATT&CK technique T1647. The business significance is that plist changes on macOS can alter application configuration and runtime behavior in ways that may support defense impairment. For leaders, this is less about one file type and more about whether the organization can prove it has visibility into high-risk macOS configuration changes that could weaken controls or enable follow-on activity.
Executive priority
Prioritize this where macOS systems support sensitive users, administrators, developers, or regulated workflows. Because the related ATT&CK technique is tied to defense impairment, security leaders should ask whether endpoint telemetry, change monitoring, and incident response procedures can distinguish authorized application/configuration changes from suspicious plist modification. This can support resilience planning, audit evidence for endpoint control monitoring, and SOC readiness for macOS-focused incidents.
Technical view
The supplied ATT&CK object does not include official detection logic, platforms, or tactics, but its relationship states that it detects T1647: Plist File Modification, a macOS technique associated with defense impairment. SOC and detection teams should validate visibility into plist file creation, modification, ownership/permission changes, and process context around those changes. IR teams should be prepared to review changed plist contents, timestamps, responsible processes/users, and whether the change coincided with endpoint security degradation or other suspicious macOS activity.
Likely telemetry
- macOS endpoint file modification events for plist files
- Process execution context associated with plist changes
- User and account context for the modifying process
- File metadata such as path, owner, permissions, timestamps, and hash where available
- Endpoint security or EDR events indicating control tampering or degraded protection
Detection direction
- Validate that macOS plist file changes are logged with enough context to identify the process, user, path, and timing of the modification.
- Prioritize monitoring of plist changes that coincide with defense impairment signals or unexpected application behavior.
- Tune detections against legitimate software installation, application updates, administrative configuration changes, and managed deployment tooling to reduce false positives.
- Look for relationship-driven context: DET0109 is relevant because it detects T1647, which is associated with defense impairment on macOS.
- Do not assume coverage from generic file monitoring alone; confirm that plist formats and common macOS plist locations are actually included in collection and alerting scope.
Mitigation priorities
- Establish an inventory of expected macOS applications and approved configuration-management mechanisms.
- Restrict unnecessary administrative write access to sensitive application and system configuration locations where local policy allows.
- Use change management or device management records to baseline authorized plist modifications.
- Ensure endpoint monitoring remains active and generates evidence for suspicious plist changes and possible defense impairment.
- Document macOS plist monitoring and response procedures as compliance and incident readiness evidence.
Analyst notes and limits
This take is based on a sparse ATT&CK detection-strategy object. MITRE provided the detection strategy identity and relationship to T1647, but no official description or detection text for DET0109. The technical recommendations are therefore framed as validation areas derived from the related technique context rather than as MITRE-provided detection analytics.
Platforms and tactics are not specified on the DET0109 object itself. macOS and defense-impairment context come from the supplied relationship to T1647. Local baselines, approved software deployment processes, and available endpoint telemetry are required before determining alert severity or coverage.
Detection Strategy for Plist File Modification (T1647)
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1647 | Plist File Modification | This object detects Plist File Modification. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 811af7bb0206… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0109Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.