AN0060: Analytic 0060
Correlates zsh shell configuration file changes (e.g., ~/.zshrc, ~/.zlogin, /etc/zprofile) with execution of unauthorized binaries or unexpected network activity triggered on Terminal.app launch.
Analyst context for executives and security teams
This analytic matters because macOS shell startup files can turn a normal Terminal.app launch into automatic execution of an unauthorized binary or unexpected network activity. For leaders, the decision value is whether endpoint monitoring can connect a configuration change to later behavior, rather than treating each event as isolated noise.
Executive priority
Prioritize this where macOS systems are used by administrators, developers, executives, or other users with access to sensitive systems. The business question is whether the organization can prove when shell profile changes occur, who made them, and whether those changes lead to suspicious execution or network connections. This supports incident response readiness, audit evidence for endpoint control monitoring, and prioritization of macOS visibility gaps.
Technical view
Validate coverage on macOS for changes to zsh configuration files such as ~/.zshrc, ~/.zlogin, and /etc/zprofile, then correlate those changes with subsequent unauthorized binary execution or unexpected network activity associated with Terminal.app launch. Because no ATT&CK detection logic is supplied, teams should define local baselines for expected shell profile edits, approved administrative scripts, normal developer tooling, and expected outbound connections.
Likely telemetry
- macOS file modification events for user and system zsh startup files
- Process creation telemetry for Terminal.app and child processes
- Binary execution evidence, including path, signer or trust status where available, user, and command-line context
- Network connection telemetry linked to processes launched from Terminal.app
- User identity and host context for the account and device where the configuration change occurred
Detection direction
- Correlate shell configuration file modification with later Terminal.app-launched process execution or network activity rather than alerting on file change alone.
- Tune for legitimate administrative, developer, and dotfile-management activity to reduce false positives.
- Review whether endpoint tooling captures hidden user home directory files and system-level shell profile paths on macOS.
- Look for unexpected binaries, unusual execution paths, unsigned or unauthorized tools, or network destinations inconsistent with the user or host role.
- Because no relationship context or tactics are supplied, avoid mapping this analytic to broader intrusion conclusions without corroborating evidence.
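The correlation described in the technical view and the detection direction above, as an added worked example that is not part of the ATT&CK object or of any vendor rule. It assumes telemetry has already been normalized into per-event records (file modification, process start with parent pid, network connection) such as an EDR would export; the Terminal.app executable path, the full list of zsh startup files beyond the three the analytic names, the allowlists and every event in the sample set are constructed assumptions. An alert is raised only when a non-approved edit to a startup file is followed, on the same host and within the window, by a Terminal.app launch whose descendant runs an unlisted or unsigned binary or connects to an unlisted destination; the edit alone never alerts.

```python
"""Correlate zsh startup-file edits with later Terminal.app-spawned execution or network activity."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import fnmatch

# Terminal.app main executable on current macOS releases (assumed; match your sensor's path normalization).
TERMINAL_IMAGE = "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"

# The analytic names ~/.zshrc, ~/.zlogin and /etc/zprofile; the other zsh startup files
# listed here are an assumption about what a complete watch list should cover.
ZSH_STARTUP_GLOBS = (
    "/Users/*/.zshenv", "/Users/*/.zprofile", "/Users/*/.zshrc", "/Users/*/.zlogin",
    "/etc/zshenv", "/etc/zprofile", "/etc/zshrc", "/etc/zlogin",
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str            # "file_modify" | "process_start" | "net_connect"
    host: str
    user: str
    pid: int             # process doing the write / being started / connecting
    ppid: int = 0        # parent pid (process_start only)
    image: str = ""      # executable path of the acting process
    path: str = ""       # modified file (file_modify only)
    signed: bool = True  # code-signature status as reported by the sensor
    dest: str = ""       # "ip:port" (net_connect only)


def is_zsh_startup_file(path):
    return any(fnmatch.fnmatch(path, g) for g in ZSH_STARTUP_GLOBS)


def correlate(events, *, window=timedelta(hours=24), approved_editors=frozenset(),
              allowed_images=frozenset(), allowed_dests=frozenset()):
    """Return one alert per (startup-file edit, later Terminal.app launch) pair that led to a
    suspicious descendant process or connection on the same host. Never alerts on the edit alone."""
    events = sorted(events, key=lambda e: e.ts)
    procs = {e.pid: e for e in events if e.kind == "process_start"}   # pid -> start event

    def terminal_root(pid):
        """Walk up the parent chain to the Terminal.app launch, or None.
        Keyed on pid only, so this assumes no pid reuse inside the window."""
        seen = set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            ev = procs[pid]
            if ev.image == TERMINAL_IMAGE:
                return ev
            pid = ev.ppid
        return None

    # Edits by approved dotfile tooling are tuned out here rather than at alert time.
    edits = [e for e in events if e.kind == "file_modify"
             and is_zsh_startup_file(e.path) and e.image not in approved_editors]

    alerts = {}
    for ev in events:
        if ev.kind == "process_start":
            if ev.image == TERMINAL_IMAGE or ev.image in allowed_images:
                continue
            reason = f"unauthorized binary {ev.image}" + ("" if ev.signed else " (unsigned)")
        elif ev.kind == "net_connect":
            if ev.dest in allowed_dests:
                continue
            reason = f"connection to {ev.dest} from {procs.get(ev.pid, ev).image}"
        else:
            continue
        term = terminal_root(ev.pid)
        if term is None:
            continue
        for edit in edits:   # the Terminal.app launch must follow the edit within the window
            if edit.host == term.host and edit.ts < term.ts <= edit.ts + window:
                key = (edit.ts, edit.path, term.pid)
                alerts.setdefault(key, {"edit": edit, "terminal": term, "reasons": []})
                alerts[key]["reasons"].append(reason)
    return list(alerts.values())


T0 = datetime(2026, 3, 2, 9, 0, 0)
SAMPLE_EVENTS = [   # constructed sample telemetry, not captured data
    Event(T0, "file_modify", "mac-01", "alice", pid=410, image="/usr/bin/vim", path="/Users/alice/.zshrc"),
    Event(T0 + timedelta(minutes=45), "process_start", "mac-01", "alice", pid=500, ppid=1, image=TERMINAL_IMAGE),
    Event(T0 + timedelta(minutes=45, seconds=1), "process_start", "mac-01", "alice", pid=501, ppid=500, image="/bin/zsh"),
    Event(T0 + timedelta(minutes=45, seconds=2), "process_start", "mac-01", "alice", pid=502, ppid=501,
          image="/Users/alice/.cache/.upd", signed=False),
    Event(T0 + timedelta(minutes=45, seconds=3), "net_connect", "mac-01", "alice", pid=502,
          image="/Users/alice/.cache/.upd", dest="203.0.113.10:443"),
    # Benign: a dotfile manager rewrites .zshrc on another host, then the developer runs git.
    Event(T0, "file_modify", "mac-02", "bob", pid=700, image="/opt/homebrew/bin/chezmoi", path="/Users/bob/.zshrc"),
    Event(T0 + timedelta(hours=1), "process_start", "mac-02", "bob", pid=800, ppid=1, image=TERMINAL_IMAGE),
    Event(T0 + timedelta(hours=1, seconds=1), "process_start", "mac-02", "bob", pid=801, ppid=800, image="/bin/zsh"),
    Event(T0 + timedelta(hours=1, seconds=5), "process_start", "mac-02", "bob", pid=802, ppid=801, image="/usr/bin/git"),
]


def run_sample():
    """Tuned run: the dotfile manager, zsh, git and one destination are baselined as expected."""
    return correlate(SAMPLE_EVENTS, approved_editors=frozenset({"/opt/homebrew/bin/chezmoi"}),
                     allowed_images=frozenset({"/bin/zsh", "/usr/bin/git"}),
                     allowed_dests=frozenset({"198.51.100.20:443"}))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['edit'].host}: {a['edit'].image} edited {a['edit'].path} at {a['edit'].ts:%H:%M}; "
              f"Terminal.app launched at {a['terminal'].ts:%H:%M} -> " + "; ".join(a["reasons"]))
```

The tuned run fires once, for mac-01, with two reasons (the unsigned binary under the user's home and its outbound connection). Dropping the approved-editor and git allowlists makes mac-02 fire as well, which is the false positive the tuning bullet above is about; in production the allowlists and window are the local baseline the page says ATT&CK does not supply. The pid-only process tree is a simplification: real sensors key processes on pid plus start time, and the walk should use that.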
Mitigation priorities
- Establish approved baselines for macOS shell startup files and expected administrative changes.
- Restrict unnecessary write access to system-level shell profile locations such as /etc/zprofile.
- Use endpoint controls to monitor and govern execution of unauthorized binaries on macOS.
- Ensure incident response playbooks include review of user shell startup files during macOS investigations.
- Maintain asset and user context so SOC teams can distinguish expected developer customization from suspicious persistence-like behavior.
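The first two mitigation items, an approved baseline for the startup files and restricted write access to the system-level ones, as an added example that is not part of the ATT&CK object. It builds a SHA-256 baseline of the zsh startup files under a root directory (the real filesystem on a live host, a throwaway directory in the demo), reports new, modified and missing files against that baseline, and flags system-level files that are group- or world-writable. The file set, the demo contents and the tampering steps are constructed; on a live host you would also verify that /etc/zprofile and its siblings are root-owned, which the demo skips because a temporary directory is owned by whoever runs it.

```python
"""Baseline zsh startup files by content hash and check write permissions on the system-level ones."""
import hashlib
import stat
import tempfile
from pathlib import Path

# Relative to the filesystem root. The analytic names /etc/zprofile, ~/.zshrc and ~/.zlogin;
# the remaining entries are the other zsh startup files and are an assumption.
SYSTEM_FILES = ("etc/zshenv", "etc/zprofile", "etc/zshrc", "etc/zlogin")
USER_FILES = (".zshenv", ".zprofile", ".zshrc", ".zlogin")


def startup_files(root: Path):
    """Enumerate existing zsh startup files under root (use Path('/') on a live macOS host)."""
    paths = [root / rel for rel in SYSTEM_FILES]
    users = root / "Users"
    if users.is_dir():
        for home in sorted(p for p in users.iterdir() if p.is_dir()):
            paths += [home / name for name in USER_FILES]
    return [p for p in paths if p.is_file()]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map root-relative path -> SHA-256 of content for every startup file present."""
    return {str(p.relative_to(root)): sha256_of(p) for p in startup_files(root)}


def check(root: Path, baseline: dict) -> list:
    """Return sorted findings: content drift against the baseline, plus loose write bits on system files."""
    findings = []
    current = build_baseline(root)
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append(f"new: {rel}")
        elif baseline[rel] != digest:
            findings.append(f"modified: {rel}")
    for rel in baseline:
        if rel not in current:
            findings.append(f"missing: {rel}")
    # System-level startup files run for every user's login shell, so any non-root write access
    # turns them into a shared persistence point. Ownership (root:wheel) is checked on a live host.
    for rel in SYSTEM_FILES:
        p = root / rel
        if p.is_file():
            mode = p.stat().st_mode
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"writable: {rel} mode {stat.filemode(mode)}")
    return sorted(findings)


def demo() -> list:
    """Constructed fixture: a fake root is baselined, then tampered with, then re-checked."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "Users" / "alice").mkdir(parents=True)
        (root / "etc" / "zprofile").write_text("eval `/usr/libexec/path_helper -s`\n")
        (root / "Users" / "alice" / ".zshrc").write_text("export PATH=$HOME/bin:$PATH\n")
        baseline = build_baseline(root)
        assert check(root, baseline) == []          # clean immediately after baselining
        # Tamper: append to the user's .zshrc, drop in a new .zlogin, loosen /etc/zprofile.
        with (root / "Users" / "alice" / ".zshrc").open("a") as f:
            f.write("/Users/alice/.cache/.upd &\n")
        (root / "Users" / "alice" / ".zlogin").write_text("/Users/alice/.cache/.upd &\n")
        (root / "etc" / "zprofile").chmod(0o666)
        return check(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Store the baseline dictionary off-host (signed, or in the configuration management system that owns the approved content) and run check on a schedule or from the EDR; a finding here is the file-change half of the correlation the analytic describes, and a world-writable /etc/zprofile is a finding even before anyone edits it.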
Analyst notes and limits
The supplied object is a macOS detection analytic that correlates zsh shell configuration file changes with unauthorized execution or unexpected network activity on Terminal.app launch. ATT&CK did not supply detection logic, tactic mappings, related techniques, aliases, or relationship context for it, so this analysis emphasizes validation and correlation rather than a specific rule. Local baselines, endpoint telemetry quality, and macOS fleet usage determine practical coverage and alert fidelity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 819f113e6d13… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0060 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.