AN0228: Analytic 0228
Use of system binaries such as `osascript`, `bash`, or `curl` to download or execute unsigned code or files in conjunction with application proxying.
Analyst context for executives and security teams
This analytic matters because it focuses on a macOS pattern where trusted system binaries such as osascript, bash, or curl may be used to download or run unsigned code in connection with application proxying. For leaders, the practical issue is not the tools themselves—they are common administrative utilities—but whether the organization can distinguish normal macOS administration from suspicious execution chains that bypass expected application trust boundaries.
Executive priority
Prioritize this as a validation item for macOS endpoint visibility and incident readiness. It can inform decisions about whether existing endpoint monitoring, application control, code-signing policy, and SOC triage processes produce enough evidence to investigate suspicious use of built-in binaries. Because no tactic, relationship context, or official detection logic is supplied, treat it as a coverage-assessment prompt rather than a standalone risk claim.
Technical view
SOC and detection teams should validate telemetry for macOS process execution involving osascript, bash, curl, unsigned file creation or execution, and application proxying context. The key defensive question is whether analysts can reconstruct the parent-child process chain, command-line arguments, file provenance, signing status, and network activity around these binaries. Since ATT&CK provides no detection implementation for AN0228, local baselining is required to separate legitimate scripting, software installation, automation, and administration from unusual combinations of download, execution, and unsigned code.
Likely telemetry
- macOS process creation events for osascript, bash, curl, and related parent-child process chains
- Command-line arguments and script content where available
- File creation, download, quarantine, and execution metadata
- Code-signing or unsigned binary/file status
- Network connection or URL/domain activity associated with curl or scripted downloads
Detection direction
- Confirm that macOS endpoint telemetry captures command line, parent process, file path, signing status, and network context for the named system binaries.
- Baseline legitimate administrative, developer, software update, and automation use of osascript, bash, and curl to reduce false positives.
- Look for chained behavior: a trusted system binary downloads a file, creates or modifies executable content, and execution follows from an unexpected parent or application proxying context.
- Tune detections around unsigned code or files rather than simply alerting on use of common binaries, which are frequently benign.
- Validate whether SOC tooling can pivot from process execution to file provenance and network activity during triage.
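As an added illustration of the chained behaviour described in the list above, here is a small Python correlator over constructed macOS process and file events. It is example code written for this page, not detection logic from AN0228, MITRE or Glexia. The `SYSTEM_BINARIES` and `BASELINE_PARENTS` sets, the event field layout, and every pid, path, domain and signing status are assumptions made for the illustration; the third-party application that parents the suspicious chain stands in for the "unexpected parent or application proxying context" the text names.

```python
"""Added example (not part of AN0228 or any ATT&CK detection text): correlate
constructed process and file events to find the chain "trusted system binary
writes a file -> that file is executed while unsigned -> lineage is outside the
local baseline". All sample data below is constructed for illustration."""
from dataclasses import dataclass

# Trusted macOS system binaries the analytic names (zsh added as an assumed
# sibling of bash on current macOS releases).
SYSTEM_BINARIES = {"/usr/bin/curl", "/usr/bin/osascript", "/bin/bash", "/bin/zsh"}
# Assumed local baseline: management tooling that legitimately scripts downloads.
BASELINE_PARENTS = {"/usr/local/bin/jamf"}


@dataclass(frozen=True)
class ProcEvent:
    ts: int
    pid: int
    ppid: int
    exe: str
    argv: tuple


@dataclass(frozen=True)
class FileEvent:
    ts: int
    pid: int        # process that created the file
    path: str
    signing: str    # "apple" | "developer_id" | "unsigned" (assumed file metadata)


def ancestry(pid: int, procs: dict) -> list:
    """Walk ppid links and return the exe chain, root first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].exe)
        pid = procs[pid].ppid
    return list(reversed(chain))


def find_chains(proc_events, file_events) -> list:
    procs = {p.pid: p for p in proc_events}
    # Leg 1: files created by a trusted system binary (the download step).
    downloaded = {}
    for f in file_events:
        actor = procs.get(f.pid)
        if actor and actor.exe in SYSTEM_BINARIES:
            downloaded[f.path] = f
    findings = []
    # Leg 2: later execution of such a file, directly or through an interpreter.
    for p in sorted(proc_events, key=lambda e: e.ts):
        target = None
        if p.exe in downloaded:
            target = p.exe
        elif p.exe in SYSTEM_BINARIES:
            target = next((a for a in p.argv[1:] if a in downloaded), None)
        if target is None:
            continue
        dl = downloaded[target]
        # The writer's own command line names the path too; require execution
        # after creation, and key on unsigned content rather than on the binary.
        if p.ts <= dl.ts or dl.signing != "unsigned":
            continue
        chain = ancestry(p.pid, procs)
        if any(exe in BASELINE_PARENTS for exe in chain):
            continue  # Leg 3: baselined administrative lineage is expected
        findings.append({"target": target, "exec_pid": p.pid,
                         "download_pid": dl.pid, "chain": chain})
    return findings


# Constructed sample telemetry (not real events).
PROCS = [
    ProcEvent(1, 1, 0, "/sbin/launchd", ("launchd",)),
    # Benign: MDM agent drives a scripted install.
    ProcEvent(10, 300, 1, "/usr/local/bin/jamf", ("jamf", "policy")),
    ProcEvent(11, 301, 300, "/usr/bin/curl", ("curl", "-o", "/tmp/setup.sh", "https://mdm.example.test/setup.sh")),
    ProcEvent(13, 302, 300, "/bin/bash", ("bash", "/tmp/setup.sh")),
    # Suspicious: a third-party app is the parent of the same download-then-run pattern.
    ProcEvent(20, 500, 1, "/Applications/Helper.app/Contents/MacOS/Helper", ("Helper",)),
    ProcEvent(21, 501, 500, "/usr/bin/curl", ("curl", "-o", "/tmp/.u.scpt", "https://cdn.example.test/u")),
    ProcEvent(23, 502, 500, "/usr/bin/osascript", ("osascript", "/tmp/.u.scpt")),
    # Signed payload fetched the same way: not flagged, following the tuning point above.
    ProcEvent(31, 503, 500, "/usr/bin/curl", ("curl", "-o", "/tmp/tool", "https://cdn.example.test/tool")),
    ProcEvent(33, 504, 500, "/tmp/tool", ("tool",)),
]
FILES = [
    FileEvent(12, 301, "/tmp/setup.sh", "unsigned"),
    FileEvent(22, 501, "/tmp/.u.scpt", "unsigned"),
    FileEvent(32, 503, "/tmp/tool", "developer_id"),
]

if __name__ == "__main__":
    for hit in find_chains(PROCS, FILES):
        print(hit)
```

Run as a script it reports one chain: the osascript execution of the unsigned file written by curl under the third-party application, while the jamf-parented install and the Developer ID-signed payload are suppressed by the baseline and signing checks respectively. In a real deployment the three inputs the page asks you to validate (process lineage, file provenance with signing status, and the network context behind the download) would replace the constructed lists.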
Mitigation priorities
- Review macOS application control and code-signing enforcement expectations for unsigned code execution.
- Limit unnecessary script execution and download capability where business workflows allow, especially for unmanaged or high-risk endpoints.
- Harden monitoring for built-in binary abuse rather than blocking common tools without operational review.
- Ensure incident response playbooks include collection of process lineage, downloaded files, signing metadata, and related network indicators.
- Use the analytic as compliance and control evidence by showing whether macOS endpoint logging and investigation procedures can answer the required questions.
Analyst notes and limits
AN0228 is a detection analytic object for macOS only. The supplied ATT&CK fields identify the behavior pattern but do not provide tactics, detection pseudocode, data components, mitigations, or relationships to techniques or groups. The strongest use is as a detection-engineering and telemetry-validation checklist for suspicious macOS system-binary use involving unsigned code and application proxying.
No official detection text or relationship context was supplied. This summary does not assert active exploitation, attribution, impact, prevalence, or existing detection coverage. Local environment baselines and endpoint telemetry quality are required before this can become a reliable alert or control assessment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8eb0a199287b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0228 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.