AN0013: Analytic 0013
Execution of renamed or relocated native macOS utilities with uncommon names or non-default paths (e.g., renamed `osascript`, `bash`, or `curl`).
Analyst context for executives and security teams
This analytic is about a practical macOS evasion signal: trusted native utilities such as osascript, bash, or curl being executed after they have been renamed or moved to unusual paths. For leaders, the value is not that the utility itself is malicious, but that renamed or relocated system tools can weaken assumptions in allowlists, monitoring rules, audit evidence, and incident scoping.
Executive priority
Prioritize this as a macOS visibility and control validation item. Security leaders should ask whether endpoint telemetry can reliably show process names, original executable paths, command-line context, and file locations for native macOS utilities. This matters for SOC readiness and incident response because renamed built-in tools can make activity look less recognizable during triage. It also supports compliance evidence where organizations must demonstrate monitoring of endpoint execution and suspicious use of administrative or scripting utilities.
Technical view
For SOC, detection engineering, and IR teams, validate whether macOS process execution telemetry can identify native utilities running under uncommon names or from non-default paths. The supplied ATT&CK object does not specify tactics or a detection method, so implementation should be based on local baselines of expected macOS utility locations and names. Focus on discrepancies between process name, executable path, and known native utility identity, especially for examples provided by MITRE: osascript, bash, and curl. Treat this as a triage signal that requires context rather than a standalone verdict.
Likely telemetry
- macOS process execution events
- Executable path and filename metadata
- Command-line arguments where collected
- File creation, rename, or move events for native utility binaries
- Code signing or file identity metadata where available
Detection direction
- Baseline expected names and default paths for native macOS utilities used in the environment.
- Alert or hunt for native utilities executed from uncommon paths or under uncommon filenames, using the examples in the ATT&CK description as seed cases.
- Correlate execution with recent file rename, copy, or relocation activity when telemetry is available.
- Tune carefully for legitimate software packaging, administrative scripts, developer workflows, and security tooling that may copy or wrap native utilities.
- Because no official detection text or tactic context is supplied, avoid treating this analytic as complete coverage; validate logic against local macOS fleet behavior and incident response requirements.
Mitigation priorities
- Ensure macOS endpoint logging captures process execution, executable path, and relevant command-line context.
- Maintain an approved baseline of native utility locations and expected administrative exceptions.
- Review application control, allowlisting, or endpoint policy assumptions that rely only on process names rather than path or file identity.
- Document investigation playbooks for renamed or relocated native utilities, including how analysts confirm legitimacy.
- Use findings to improve managed detection, incident response readiness, and audit evidence for endpoint monitoring coverage.
Analyst notes and limits
AN0013 is a detection analytic for macOS in the enterprise ATT&CK domain. The official description is narrow and useful: execution of renamed or relocated native macOS utilities with uncommon names or non-default paths. No relationships, tactics, aliases, labels, or official detection procedure were supplied, so this take frames the analytic as a validation and hunting direction rather than a finished rule.
This assessment is limited to the supplied ATT&CK fields and external reference. It does not establish adversary use, active exploitation, impact, or guaranteed detectability. Local macOS baselines, endpoint telemetry quality, and approved administrative workflows are required to determine signal value and false-positive rates.
Analytic 0013
Execution of renamed or relocated native macOS utilities with uncommon names or non-default paths (e.g., renamed `osascript`, `bash`, or `curl`).
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 65f110a83594… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0013Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.