MITRE ATT&CK® Analytic

AN0294: Analytic 0294

Unsigned or scripting-based processes invoking password cracking binaries or accessing hashed credential artifacts post-login

Enterprise · AN0294 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is relevant to macOS environments because it focuses on suspicious post-login activity: unsigned or script-driven processes invoking password-cracking binaries or accessing hashed credential artifacts. For leaders, the practical issue is not the specific tool name, but whether the organization can see and investigate credential-compromise behavior after an account or endpoint session has already been established.

Executive priority

Treat this as a validation point for macOS endpoint visibility and incident readiness. If credential artifacts can be accessed or cracking utilities can run without reliable telemetry, investigations may miss activity that affects identity assurance, privileged access risk, and business continuity. Security leaders should ask whether macOS endpoints are covered by process, signing, script execution, and sensitive file-access monitoring, and whether SOC playbooks distinguish legitimate administration from credential-theft behavior.

Technical view

For SOC and detection teams, validate whether macOS telemetry can identify unsigned processes, scripting-based parent processes, execution of password-cracking binaries, and access to hashed credential artifacts after user login. Because ATT&CK provides no official detection logic, tuning must be environment-specific: first baseline known administrative and security-testing activity, then prioritize unusual script interpreters, unsigned binaries, suspicious parent-child process chains, and access to credential-related files by unexpected users or processes.

Likely telemetry

  • macOS process creation and command-line telemetry
  • Code-signing or binary trust metadata for executed processes
  • Script interpreter execution events
  • Parent-child process relationships
  • File access events for hashed credential artifacts

Detection direction

  • Confirm that macOS endpoints report process execution with command line, parent process, user, and signing status.
  • Baseline legitimate administrative, security testing, and developer activity that may involve scripts or credential-audit tools.
  • Correlate suspicious process execution with access to hashed credential artifacts rather than relying on tool names alone.
  • Review blind spots around unsigned binaries, locally compiled tools, renamed binaries, and script-launched utilities.
  • Because no ATT&CK detection logic is supplied, require local test data and analyst review before treating matches as high-confidence incidents.
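As an added illustration of the correlation step above (this is not detection logic from MITRE or from Glexia), the Python below joins constructed process-creation events with constructed file-access events and flags a process only when it is unsigned or launched by a script interpreter and it reads a hashed credential artifact within a short window of starting; an approved-use signing-ID list implements the baselining step. The event field names, the interpreter list and the credential-artifact path watchlist are assumptions chosen for illustration, and real EDR or Endpoint Security telemetry will differ.

```python
"""Correlate macOS process-creation and file-access events to surface
unsigned or script-launched processes that touch hashed credential artifacts.

Added example: event shapes, field names and watchlists are assumptions,
not part of the ATT&CK object or any vendor's telemetry schema."""
from datetime import datetime, timedelta

# Assumed watchlist of script interpreters and shells that commonly act as
# parents of script-launched utilities.
SCRIPT_INTERPRETERS = {"bash", "sh", "zsh", "python", "python3",
                       "perl", "ruby", "osascript"}

# Assumed watchlist of paths holding hashed credential material. Local account
# records on macOS (which carry ShadowHashData) live under this directory.
CREDENTIAL_ARTIFACT_PREFIXES = ("/var/db/dslocal/nodes/Default/users/",)

# Constructed sample telemetry (not captured from a real host).
PROCESS_EVENTS = [
    # Scheduled credential audit launched from a shell script: signed tool.
    {"ts": "2026-01-10T09:00:05", "pid": 4001, "ppid": 3990, "name": "audit-tool",
     "parent_name": "bash", "user": "secops", "signed": True,
     "signing_id": "com.example.audittool", "cmdline": "audit-tool --check"},
    # Unsigned, locally built binary started by a Python script.
    {"ts": "2026-01-10T09:12:00", "pid": 4100, "ppid": 4099, "name": "crk",
     "parent_name": "python3", "user": "jdoe", "signed": False,
     "signing_id": None, "cmdline": "./crk -w list.txt"},
    # Ordinary shell activity: script parent, but no credential access.
    {"ts": "2026-01-10T09:20:00", "pid": 4200, "ppid": 4150, "name": "ls",
     "parent_name": "zsh", "user": "jdoe", "signed": True,
     "signing_id": "com.apple.ls", "cmdline": "ls -la"},
]
FILE_EVENTS = [
    {"ts": "2026-01-10T09:00:07", "pid": 4001, "op": "read",
     "path": "/var/db/dslocal/nodes/Default/users/jdoe.plist"},
    {"ts": "2026-01-10T09:12:03", "pid": 4100, "op": "read",
     "path": "/var/db/dslocal/nodes/Default/users/jdoe.plist"},
    {"ts": "2026-01-10T09:20:01", "pid": 4200, "op": "read",
     "path": "/Users/jdoe/Documents/notes.txt"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def _is_credential_artifact(path):
    return path.startswith(CREDENTIAL_ARTIFACT_PREFIXES)


def correlate(process_events, file_events, approved_signing_ids=frozenset(),
              window=timedelta(minutes=5)):
    """Return one finding per process that (a) is unsigned or was launched by a
    script interpreter AND (b) read a credential artifact within `window` of
    starting. Processes whose signing ID is in the approved-use inventory are
    suppressed; that inventory is the baselining step from the text."""
    files_by_pid = {}
    for fe in file_events:
        files_by_pid.setdefault(fe["pid"], []).append(fe)

    findings = []
    for pe in process_events:
        reasons = []
        if not pe["signed"]:
            reasons.append("unsigned binary")
        if pe["parent_name"] in SCRIPT_INTERPRETERS:
            reasons.append(f"launched by script interpreter {pe['parent_name']}")
        if not reasons:
            continue  # no process-level indicator: not this rule's concern
        if pe["signing_id"] in approved_signing_ids:
            continue  # documented, approved password-auditing tool

        start = _ts(pe["ts"])
        touched = sorted({
            fe["path"] for fe in files_by_pid.get(pe["pid"], [])
            if _is_credential_artifact(fe["path"])
            and start <= _ts(fe["ts"]) <= start + window
        })
        if not touched:
            continue  # indicator without credential access: stays below threshold

        findings.append({"pid": pe["pid"], "name": pe["name"], "user": pe["user"],
                         "reasons": reasons, "artifacts": touched})
    return findings


if __name__ == "__main__":
    approved = {"com.example.audittool"}  # assumed approved-use inventory
    for finding in correlate(PROCESS_EVENTS, FILE_EVENTS, approved):
        print(finding)
```

Run as written, only the unsigned, script-launched process that read a local account record is reported; clearing the approved-use inventory also surfaces the scheduled audit tool, which is exactly the false positive the baselining step exists to remove. Requiring both a process indicator and credential-artifact access is what keeps plain shell activity out of the results without depending on tool names.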

Mitigation priorities

  • Prioritize macOS endpoint telemetry coverage for process execution, script activity, code-signing status, and sensitive file access.
  • Restrict unnecessary access to credential-related artifacts and enforce least privilege for local administrative rights.
  • Control execution of unsigned or untrusted binaries where operationally feasible.
  • Maintain approved-use documentation for password-auditing tools so SOC teams can separate authorized testing from suspicious activity.
  • Ensure incident response procedures include credential-risk assessment when this behavior is observed.

Analyst notes and limits

The object is an ATT&CK detection analytic for macOS with a narrow description and no supplied tactic, relationship context, or official detection implementation. Its value is as a coverage and validation prompt for post-login credential-risk monitoring on macOS, not as a complete detection rule.

No relationships, tactics, concrete data components, rule logic, procedure examples, or mitigation mappings were supplied. Any deployment, severity, or coverage conclusion requires local telemetry, asset context, approved-tool inventory, and testing.

Official MITRE ATT&CK definition

Analytic 0294

Unsigned or scripting-based processes invoking password cracking binaries or accessing hashed credential artifacts post-login

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 52d7ffc11ca08689...

Imported snapshots across ATT&CK releases (1)

  Release | Bundle imported | Object version | Modified | Status         | Raw hash
  19.1    |                 | 1.0            |          | Current bundle | 52d7ffc11ca0…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0294

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.