AN0073: Analytic 0073
Abuse of macOS Electron apps by modifying app.asar bundles and spawning child processes (osascript, curl, sh) from Electron executables.
Analyst context for executives and security teams
This analytic matters because it focuses on a macOS application trust problem: Electron apps can be abused when their app.asar bundles are modified and the Electron executable then launches suspicious child processes such as osascript, curl, or sh. For leaders, the key issue is not just malware detection; it is whether the organization can prove that managed macOS endpoints, developer workstations, and privileged user devices have enough application integrity and process telemetry to notice tampered desktop applications behaving like script launchers or downloaders.
Executive priority
Prioritize this as a macOS endpoint visibility and application integrity question. Security leaders should ask whether the SOC can see Electron application process trees, whether endpoint management can validate application tampering or unexpected bundle changes, and whether incident responders have evidence to determine which users, apps, and spawned processes were involved. This is especially relevant where macOS systems support executives, developers, administrators, or other high-value users.
Technical view
The supplied ATT&CK object is a detection analytic for macOS. It describes detecting abuse of Electron apps through modified app.asar bundles and child processes spawned from Electron executables, specifically osascript, curl, and sh. SOC and detection teams should validate whether endpoint telemetry links Electron parent processes to child process creation, whether command-line details are captured, and whether file integrity or application bundle change evidence exists for app.asar. Because no official detection logic is provided, local baselining is required to distinguish legitimate Electron app behavior from suspicious script execution or network tooling launched by the app.
Likely telemetry
- macOS process creation events with parent-child relationships
- Command-line arguments for Electron executables and child processes
- File modification or integrity telemetry for Electron application bundles, including app.asar
- Endpoint security alerts or EDR observations for osascript, curl, and sh launched by GUI applications
- Application inventory and code-signing or bundle metadata where available
Detection direction
- Validate that telemetry preserves parent Electron executable, child process name, command line, user, host, and timestamp.
- Look for Electron applications spawning osascript, curl, or sh, then tune against known legitimate application update, helper, or automation behavior.
- Where file telemetry exists, correlate suspicious child process execution with recent modification of app.asar inside the same application bundle.
- Baseline common Electron applications in the environment before alerting broadly to reduce false positives.
- Confirm coverage on managed macOS endpoints used by high-value users; unmanaged or lightly monitored Macs are a likely blind spot.
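As an added illustration of the detection direction above (not part of the original analytic or any vendor query), the following Python correlates constructed macOS process-creation and file-modification events: it flags Electron app bundles spawning osascript, curl or sh, suppresses locally baselined (bundle, child) pairs, and raises severity when app.asar inside the same bundle changed within a recent window. The app inventory, baseline, event schema and sample events are all constructed assumptions.

```python
import json
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed app-inventory set: bundles known to ship Electron (hypothetical app names).
ELECTRON_APPS = {"/Applications/Notes Helper.app", "/Applications/Slack.app", "/Applications/Build.app"}
SUSPICIOUS_CHILDREN = {"osascript", "curl", "sh"}
# Constructed local baseline: (bundle, child) pairs tuned as legitimate helper/updater behavior.
BASELINE = {("/Applications/Slack.app", "sh")}
ASAR_WINDOW = timedelta(hours=24)  # how recent an app.asar change must be to count as correlated

def bundle_of(path):
    """Return the outermost .app bundle containing path, or None for non-bundle binaries."""
    parts = PurePosixPath(path).parts
    for i, part in enumerate(parts):
        if part.endswith(".app"):
            return str(PurePosixPath(*parts[: i + 1]))
    return None

def parse_log(text):
    """Parse newline-delimited JSON events (constructed schema, not a real EDR format)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_suspicious_spawns(events):
    """Flag Electron parents spawning osascript/curl/sh; severity rises if app.asar changed recently."""
    asar_mods = {}  # bundle -> latest app.asar modification time seen so far
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # chronological so mods precede spawns
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "file_modify":
            if PurePosixPath(ev["path"]).name == "app.asar" and bundle_of(ev["path"]):
                asar_mods[bundle_of(ev["path"])] = ts
            continue
        bundle, child = bundle_of(ev["parent"]), PurePosixPath(ev["child"]).name
        if bundle not in ELECTRON_APPS or child not in SUSPICIOUS_CHILDREN or (bundle, child) in BASELINE:
            continue
        mod = asar_mods.get(bundle)
        tampered = mod is not None and ts - mod <= ASAR_WINDOW
        findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"], "bundle": bundle, "child": child,
                         "cmdline": ev["cmdline"], "severity": "high" if tampered else "medium"})
    return findings

# Constructed sample telemetry: one tampered app, one baselined helper, one untuned curl, one non-bundle parent.
SAMPLE_LOG = """
{"type":"file_modify","ts":"2024-05-01T09:40:00","host":"mac-01","user":"jdoe","path":"/Applications/Notes Helper.app/Contents/Resources/app.asar"}
{"type":"proc_create","ts":"2024-05-01T10:00:05","host":"mac-01","user":"jdoe","parent":"/Applications/Notes Helper.app/Contents/MacOS/Notes Helper","child":"/usr/bin/osascript","cmdline":"osascript -e 'display notification hi'"}
{"type":"proc_create","ts":"2024-05-01T10:01:00","host":"mac-02","user":"asmith","parent":"/Applications/Slack.app/Contents/MacOS/Slack","child":"/bin/sh","cmdline":"sh -c ls"}
{"type":"proc_create","ts":"2024-05-01T10:02:00","host":"mac-03","user":"bchen","parent":"/Applications/Build.app/Contents/MacOS/Build","child":"/usr/bin/curl","cmdline":"curl -s https://updates.example.invalid/manifest.json"}
{"type":"proc_create","ts":"2024-05-01T10:03:00","host":"mac-03","user":"bchen","parent":"/usr/bin/python3","child":"/usr/bin/curl","cmdline":"curl -s https://example.invalid"}
"""
```

Running `find_suspicious_spawns(parse_log(SAMPLE_LOG))` yields two findings: the tampered Notes Helper osascript spawn at high severity and the untuned Build curl spawn at medium, while the baselined Slack shell and the non-bundle python3 parent are skipped.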
Mitigation priorities
- Maintain reliable macOS endpoint monitoring for process creation, command line, and parent-child process relationships.
- Use application management and integrity controls to reduce unauthorized modification of installed Electron application bundles.
- Restrict or monitor risky script and shell execution from user-facing applications where operationally feasible.
- Ensure incident response playbooks include triage of modified application bundles and spawned child processes on macOS.
- Prioritize coverage for privileged users, developers, and business-critical macOS systems before expanding enterprise-wide tuning.
Analyst notes and limits
This object is an ATT&CK detection analytic, not a technique. It provides a concise behavior description but no official detection query, no mapped tactics, and no relationship context. The strongest defensive value is in using it to test whether macOS endpoint telemetry can connect application bundle tampering with suspicious child process activity from Electron apps.
The supplied fields only support macOS and the described Electron app.asar abuse pattern. There is no official detection text, no associated ATT&CK technique relationship, no adversary or campaign attribution, and no evidence of active exploitation. Local environment telemetry and baselining are required before making coverage or risk claims.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 40b2c607f0f3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0073 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.