MITRE ATT&CK® Analytic

AN0333: Analytic 0333

Detects manipulation of PNG, JPG, or GIF files by user-initiated scripts followed by script execution or exfiltration behavior, especially from `osascript`, `python`, or `bash`, in combination with LaunchAgent persistence or curl activity.

Domain: Enterprise · ID: AN0333 · Type: Analytic · Object version: 1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it points to a macOS behavior pattern where ordinary-looking image files such as PNG, JPG, or GIF are manipulated by user-initiated scripts and then followed by suspicious script execution, possible exfiltration activity, LaunchAgent persistence, or curl usage. For leaders, the value is not the file type itself; it is whether the organization can connect endpoint file activity, script interpreter activity, persistence signals, and network transfer behavior quickly enough to distinguish benign automation from suspicious post-compromise activity.

Executive priority

Prioritize this as a macOS endpoint visibility and response-readiness validation item. Security leaders should ask whether SOC and IR teams can prove coverage across script interpreters, image-file modifications, LaunchAgent creation or modification, and command-line network transfer activity. This is also useful for audit and resilience discussions because it tests whether monitoring can correlate multiple weak signals into a higher-confidence investigation lead rather than relying on a single indicator.

Technical view

Validate macOS telemetry for user-initiated scripts that manipulate PNG, JPG, or GIF files, especially where the initiating or subsequent process involves osascript, python, or bash. Increase investigative priority when the same user, host, process tree, or time window also shows LaunchAgent persistence activity or curl-based network activity. Because no ATT&CK tactic or full detection logic is supplied, teams should treat this as a correlation concept to operationalize in local EDR/SIEM logic rather than a complete rule.

Likely telemetry

  • macOS process execution telemetry including command line, parent process, user, timestamp, and process tree
  • File creation or modification events for PNG, JPG, and GIF files
  • Script interpreter execution events for osascript, python, and bash
  • LaunchAgent file creation or modification events
  • Network connection or command-line activity associated with curl

Detection direction

  • Correlate image-file manipulation by scripts with subsequent script execution, curl activity, or LaunchAgent persistence on the same host and user within a defined time window.
  • Tune for known benign workflows such as image processing, developer scripts, automation jobs, and administrative macOS management tasks.
  • Avoid alerting on file extension alone; the material signal is the combination of image manipulation, script interpreter behavior, and follow-on persistence or transfer activity.
  • Validate whether telemetry captures parent-child process relationships and command-line arguments for osascript, python, bash, and curl.
  • Review blind spots on unmanaged macOS endpoints, limited EDR command-line collection, privacy-restricted directories, and incomplete LaunchAgent monitoring.
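As an added example (not part of the MITRE analytic or Glexia's page), the correlation described above run in Python over a handful of constructed macOS events: image-file writes by osascript, python or bash, followed within a time window by a curl execution or a LaunchAgent plist write from the same host and user, with an allowlist prefix for tuned-out benign workflows. The event schema, hostnames, users and paths are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
INTERPRETERS = {"osascript", "python", "python3", "bash"}
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif")
@dataclass
class Event:
    ts: datetime   # event time
    host: str
    user: str
    kind: str      # "file_write" or "proc_exec"
    proc: str      # acting process image name
    target: str    # file path (file_write) or command line (proc_exec)

def follow_on_tag(e):
    """Tag an event as 'curl' or 'launchagent' follow-on activity, else None."""
    if e.kind == "proc_exec" and e.proc == "curl":
        return "curl"
    if e.kind == "file_write" and "/Library/LaunchAgents/" in e.target and e.target.endswith(".plist"):
        return "launchagent"
    return None

def correlate(events, window=timedelta(minutes=10), allowlist=()):
    """Image writes by a script interpreter followed within `window` by curl or
    LaunchAgent activity on the same host and user; allowlisted prefixes are tuned out."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, e in enumerate(events):
        if e.kind != "file_write" or e.proc not in INTERPRETERS:
            continue
        if not e.target.lower().endswith(IMAGE_EXT) or e.target.startswith(tuple(allowlist)):
            continue  # not an image, or a baselined benign workflow path
        for f in events[i + 1:]:
            if f.ts - e.ts > window:
                break  # events are sorted, nothing later is inside the window
            tag = follow_on_tag(f)
            if tag and (f.host, f.user) == (e.host, e.user):
                findings.append((e.host, e.user, e.target, tag, f.target))
    return findings

T0 = datetime(2026, 1, 10, 9, 0)
SAMPLE = [  # constructed sample telemetry, not real events
    Event(T0, "mac-01", "alice", "file_write", "python3", "/Users/alice/Pictures/cat.png"),
    Event(T0 + timedelta(seconds=40), "mac-01", "alice", "proc_exec", "curl", "curl -s https://example.invalid/upload"),
    Event(T0 + timedelta(minutes=2), "mac-01", "alice", "file_write", "bash", "/Users/alice/Library/LaunchAgents/com.example.updater.plist"),
    Event(T0 + timedelta(minutes=5), "mac-02", "bob", "file_write", "python3", "/Users/bob/build/out/logo.png"),
    Event(T0 + timedelta(minutes=6), "mac-02", "bob", "proc_exec", "curl", "curl -O https://example.invalid/assets.zip"),
]
def run_sample():  # bob's build directory is tuned out, leaving two findings for alice
    return correlate(SAMPLE, allowlist=("/Users/bob/build/",))
```

Without the allowlist, bob's build output followed by curl also fires, which is the false-positive class the tuning bullet above is about.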

Mitigation priorities

  • Ensure macOS endpoints are enrolled in managed endpoint monitoring with process, file, and relevant network telemetry enabled.
  • Baseline approved script automation and image-processing workflows to reduce false positives before enforcing high-severity alerting.
  • Monitor and govern LaunchAgent creation and modification as a persistence-relevant control area.
  • Restrict or review unnecessary script interpreter and curl usage where business processes allow.
  • Document detection evidence and response procedures so SOC and IR teams can quickly triage whether observed behavior is benign automation or suspicious activity.

Analyst notes and limits

The supplied object is a detection analytic for macOS only. It has no supplied ATT&CK tactics, no relationships, and no official detection implementation. The strongest use is as a defensive validation pattern: can the environment correlate script-driven image-file manipulation with persistence or network-transfer behavior?

This take is limited to the official STIX fields and external reference provided. It does not assert active exploitation, threat actor use, business impact, or guaranteed detection. Local process baselines, endpoint telemetry quality, and approved administrative workflows are required to operationalize and prioritize this analytic.

Official MITRE ATT&CK definition

Analytic 0333

Detects manipulation of PNG, JPG, or GIF files by user-initiated scripts followed by script execution or exfiltration behavior, especially from `osascript`, `python`, or `bash`, in combination with LaunchAgent persistence or curl activity.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: b7837ae9ad265676...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | b7837ae9ad26…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0333 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.