AN0057: Analytic 0057
Creation of run-only AppleScripts or Mach-O binaries lacking symbol table and string references, especially when dropped by user space scripting engines or staging apps.
Analyst context for executives and security teams
This analytic points to suspicious macOS artifacts: run-only AppleScripts or Mach-O binaries that lack normal symbol-table and string references, particularly when introduced by user-space scripting engines or staging applications. For leaders, the value is not in treating this as a standalone verdict, but in asking whether macOS endpoints produce enough file, process, and script-execution evidence for defenders to recognize opaque or staged code before it becomes an incident blind spot.
Executive priority
Prioritize this where macOS systems support business-critical users, administrators, developers, or regulated workflows. The business question is whether endpoint monitoring and incident response processes can explain newly created executable or script artifacts that are intentionally hard to inspect. This supports resilience, audit readiness, and SOC triage quality by validating that macOS file creation, process lineage, and artifact inspection are covered rather than assumed.
Technical view
For SOC and detection engineering teams, validate visibility on macOS for creation of run-only AppleScripts and Mach-O binaries with limited static inspection value, such as missing symbol-table or string references. Because ATT&CK provides no tactic, relationship context, or official detection logic for this analytic, treat it as a suspicious-artifact enrichment or triage signal rather than a complete detection. Correlate artifact creation with parent processes, especially user-space scripting engines or staging applications, and with subsequent execution behavior where locally available.
Likely telemetry
- macOS file creation events for AppleScript and Mach-O artifacts
- Endpoint process creation and parent-child process lineage
- Script execution telemetry from user-space scripting engines where available
- File metadata and static-analysis attributes, including symbol-table and string-reference availability
- Code signing, quarantine, provenance, or download metadata when collected
Detection direction
- Confirm whether current macOS endpoint tooling records both artifact creation and the creating process, not just execution.
- Use the described artifact properties as a triage condition: run-only AppleScripts or Mach-O binaries lacking normal symbol/string visibility are suspicious when newly dropped or staged.
- Tune for context to reduce false positives, since legitimate packaged or stripped binaries may also have limited symbols or strings.
- Prioritize correlation with user-space scripting engines or staging applications, as explicitly noted in the ATT&CK description.
- Document blind spots where file metadata, static inspection attributes, or parent-process lineage are unavailable.
Mitigation priorities
- Establish or validate macOS endpoint visibility for file creation, process lineage, script execution, and executable metadata.
- Harden operational handling of unknown or newly introduced scripts and binaries through review, allowlisting, and software provenance controls where appropriate.
- Ensure incident response playbooks include collection of the dropped artifact, parent process, signing/provenance data, and surrounding user activity.
- Use findings to guide control investment for macOS fleets where current telemetry cannot distinguish normal software packaging from suspicious opaque artifacts.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for macOS artifacts, not a technique with mapped tactics or relationships. Its practical value is as a coverage-validation and triage prompt for macOS endpoint monitoring, especially around artifacts that are hard to inspect and are created by scripting or staging processes.
Official detection content and relationship context were not provided. No claims can be made here about active exploitation, adversary attribution, prevalence, impact, or guaranteed detection. Local baselines are required to separate legitimate stripped or packaged software from suspicious newly dropped artifacts.
Analytic 0057
Creation of run-only AppleScripts or Mach-O binaries lacking symbol table and string references, especially when dropped by user space scripting engines or staging apps.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 957bb3a92825… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0057Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.