AN0042: Analytic 0042
Detects files collected into user temp or shared directories followed by compression with ditto, zip, or custom scripts.
Analyst context for executives and security teams
This analytic is about a macOS pattern where files are gathered into user temporary or shared locations and then compressed with tools such as ditto, zip, or scripts. For leaders, the significance is that compression after staging can be a precursor to data movement or incident escalation, so coverage helps validate whether the organization can see suspicious preparation of files before a larger response decision is needed.
Executive priority
Prioritize this as a macOS visibility and incident-readiness check rather than a standalone proof of compromise. Security leaders should ask whether endpoint logging can show file staging in user temp/shared directories, whether compression activity is retained long enough for investigation, and whether SOC procedures distinguish normal administrative or user archiving from suspicious collection behavior. This supports business continuity, compliance evidence, and IR readiness by improving the ability to reconstruct what files may have been gathered and packaged.
Technical view
For macOS systems, validate detection logic around sequences where files are collected into user temp or shared directories and then compressed using ditto, zip, or custom scripts. Because the ATT&CK object provides no official detection logic and no tactic mapping, teams should treat this as a behavioral analytic requiring local tuning. Focus on event sequence, directory context, process lineage, command-line visibility where available, archive creation metadata, and whether the activity is unusual for the user, host, or application involved.
Likely telemetry
- macOS endpoint process execution events
- Process command-line arguments for ditto, zip, shells, or script interpreters
- File creation and modification events in user temp directories
- File creation and modification events in shared directories
- Archive file creation events and file metadata
Detection direction
- Validate that macOS telemetry captures both file staging locations and subsequent compression activity, not just process execution alone.
- Tune for sequences: multiple files appearing in temp/shared locations followed by archive creation or compression commands.
- Review benign sources of noise such as software installers, backup utilities, developer workflows, helpdesk activity, and normal user file sharing.
- Account for custom scripts by looking beyond tool names to archive creation behavior, script interpreter execution, and process lineage.
- Because no relationship context or official detection details are supplied, avoid treating this analytic as high-confidence without corroborating endpoint, user, and file context.
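As an added example (not part of the ATT&CK object or Glexia's analysis), the following Python correlates constructed macOS endpoint events the way the tuning notes above describe: several files landing in temp or shared paths for one host and user, followed within a time window by ditto, zip, or a script that writes an archive. The event field names, staging path patterns, tool list and thresholds are assumptions to be mapped onto your own telemetry schema.

```python
import re
from collections import defaultdict

# Staging paths the analytic names: user temp (/tmp, per-user /var/folders) and /Users/Shared (assumed layout)
STAGING_RE = re.compile(r"^(/private)?/(tmp|var/folders)/|^/Users/Shared/")
ARCHIVE_TOOLS = {"ditto", "zip", "tar", "hdiutil"}
INTERPRETERS = {"sh", "bash", "zsh", "python3", "osascript"}
ARCHIVE_EXT_RE = re.compile(r"\.(zip|tar|tgz|tar\.gz|cpio|dmg)$", re.I)

def is_compression(event):
    """Archive creation by tool name, by an interpreter whose argv names an archive, or by the output file."""
    if event["type"] == "proc_exec":
        argv = event["argv"]
        exe = argv[0].rsplit("/", 1)[-1]
        if exe in ARCHIVE_TOOLS:
            return True
        return exe in INTERPRETERS and any(ARCHIVE_EXT_RE.search(a) for a in argv[1:])
    return event["type"] == "file_create" and bool(ARCHIVE_EXT_RE.search(event["path"]))

def find_staging_then_compress(events, window_s=600, min_files=3):
    """Alert when >= min_files land in staging paths for one (host, user) and compression follows within window_s."""
    staged = defaultdict(list)  # (host, user) -> [(ts, path), ...]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["user"])
        if is_compression(ev):
            recent = [p for t, p in staged[key] if ev["ts"] - t <= window_s]
            if len(recent) >= min_files:
                alerts.append({"host": ev["host"], "user": ev["user"], "ts": ev["ts"],
                               "trigger": ev.get("argv") or ev["path"], "staged": recent})
                staged[key].clear()  # one alert per staged set
        elif ev["type"] == "file_create" and STAGING_RE.match(ev["path"]):
            staged[key].append((ev["ts"], ev["path"]))
    return alerts

# Constructed sample telemetry (not real events): one true sequence, one developer build, one below-threshold script
SAMPLE_EVENTS = [
    {"ts": 100, "host": "mac-01", "user": "alice", "type": "file_create", "path": "/Users/Shared/export/q1.pdf"},
    {"ts": 130, "host": "mac-01", "user": "alice", "type": "file_create", "path": "/Users/Shared/export/q2.pdf"},
    {"ts": 160, "host": "mac-01", "user": "alice", "type": "file_create", "path": "/Users/Shared/export/q3.pdf"},
    {"ts": 200, "host": "mac-01", "user": "alice", "type": "proc_exec",
     "argv": ["/usr/bin/ditto", "-c", "-k", "/Users/Shared/export", "/tmp/export.zip"]},
    {"ts": 300, "host": "mac-02", "user": "bob", "type": "file_create", "path": "/private/tmp/build/a.o"},
    {"ts": 310, "host": "mac-02", "user": "bob", "type": "file_create", "path": "/private/tmp/build/b.o"},
    {"ts": 320, "host": "mac-02", "user": "bob", "type": "file_create", "path": "/private/tmp/build/c.o"},
    {"ts": 330, "host": "mac-02", "user": "bob", "type": "proc_exec", "argv": ["/usr/bin/clang", "-o", "app", "a.o"]},
    {"ts": 400, "host": "mac-03", "user": "carol", "type": "file_create", "path": "/var/folders/zz/T/notes.txt"},
    {"ts": 420, "host": "mac-03", "user": "carol", "type": "proc_exec",
     "argv": ["/bin/zsh", "pack.sh", "/var/folders/zz/T/notes.tar.gz"]},
]
```

Running `find_staging_then_compress(SAMPLE_EVENTS)` yields one alert for alice; bob's build output has no compression step and carol's script only had one staged file, which is the kind of threshold you would tune per environment.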
Mitigation priorities
- Ensure macOS endpoint logging and retention are sufficient for process, command-line, file, and user-context investigation.
- Limit unnecessary use of shared directories and review permissions where business processes allow.
- Establish baselines for expected compression utilities and scripted archiving activity on macOS endpoints.
- Create SOC triage guidance for archive creation in temp/shared paths, including how to identify owner, source files, parent process, and business justification.
- Use findings from alerts to improve endpoint hardening, access governance, and incident response evidence collection.
Analyst notes and limits
This is a detection analytic object, not a technique object. The supplied ATT&CK data only states that it applies to macOS and detects files collected into user temp or shared directories followed by compression with ditto, zip, or custom scripts. No tactics, relationships, or official detection implementation are provided, so local environment context is essential.
The source does not provide official detection logic, related techniques, adversary relationships, data components, false-positive notes, or mitigation mappings. This analysis should not be read as evidence of active exploitation, attribution, impact, or confirmed coverage in any environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5e952d1daab6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0042 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.