AN0413: Analytic 0413
Destruction via `rm -rf`, overwrite with `dd` or `srm`, often executed by script in /tmp or /private/tmp, may also involve file overwrite to political or decoy image data.
Analyst context for executives and security teams
AN0413 is a macOS-focused detection analytic for destructive file activity: bulk deletion or overwriting of files, potentially launched from temporary directories. For leaders, the practical concern is not attribution but resilience: if this behavior occurs on endpoints that support business operations, the organization needs reliable endpoint telemetry, rapid containment procedures, and recoverable backups to distinguish legitimate administration from destructive activity quickly.
Executive priority
Treat this as a validation point for macOS incident readiness and business continuity. Security leaders should ask whether SOC teams can see high-risk deletion or overwrite behavior on macOS, whether scripts executing from /tmp or /private/tmp are monitored, and whether recovery procedures can restore affected data without relying only on endpoint detection. Because no ATT&CK tactic or mitigation text is supplied, prioritize evidence-based control validation rather than assuming full coverage.
Technical view
For SOC, detection engineering, and IR teams, validate visibility into macOS processes performing destructive file operations, especially recursive deletion or file overwrite behavior associated with utilities named in the ATT&CK description and execution from temporary paths such as /tmp or /private/tmp. Since the official detection field is not provided and no relationships are supplied, teams should develop local detection logic around process execution context, command-line evidence where available, parent process/script lineage, affected file volume, and unusual overwrite patterns, then tune against known administrative, software update, backup, and cleanup workflows.
Likely telemetry
- macOS endpoint process execution events
- Command-line arguments where collected
- Parent-child process relationships and script interpreter activity
- File deletion and file overwrite events
- File path context for /tmp and /private/tmp execution
Detection direction
- Validate whether macOS telemetry captures destructive command behavior with sufficient command-line and file path detail.
- Prioritize correlation of destructive file activity with execution from temporary directories, because the ATT&CK description specifically calls out /tmp and /private/tmp.
- Tune for false positives from legitimate administrative cleanup, application installers, software updates, developer workflows, and backup maintenance jobs.
- Use volume, speed, path scope, parent process, user context, and script lineage to separate routine deletion from potentially destructive behavior.
- Because no official detection logic is supplied, test detections in the local environment before using them as compliance or coverage evidence.
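As an added illustration of the detection direction above (example code written for this page, not logic from MITRE or Glexia), a Python triage routine over constructed macOS process-execution events: it flags `rm -rf`, `dd` overwrites of regular files and `srm`, raises severity when the parent interpreter was launched with a script under /tmp or /private/tmp, and tunes out routine cache cleanup. The event field names and the benign-path list are assumptions to be adapted to local telemetry.

```python
from typing import Dict, List, Optional

# Constructed sample macOS process events (not real telemetry); the field names are an
# assumed generic EDR shape, not an ATT&CK or vendor schema.
EVENTS: List[Dict] = [
    {"pid": 501, "user": "alice", "argv": ["rm", "-rf", "/Users/alice/Documents"],
     "parent_argv": ["sh", "/private/tmp/update.sh"]},
    {"pid": 502, "user": "alice", "argv": ["dd", "if=/dev/zero", "of=/Users/alice/q3.xlsx"],
     "parent_argv": ["bash", "/tmp/.x.sh"]},
    {"pid": 503, "user": "bob", "argv": ["rm", "-rf", "/Users/bob/Library/Caches/com.example"],
     "parent_argv": ["installd"]},
    {"pid": 504, "user": "alice", "argv": ["srm", "-r", "/Users/alice/Desktop"],
     "parent_argv": ["zsh"]},
    {"pid": 505, "user": "bob", "argv": ["dd", "if=/Users/bob/disk.img", "of=/dev/rdisk4"],
     "parent_argv": ["zsh"]},
]

TEMP_DIRS = ("/tmp/", "/private/tmp/")
# Targets where recursive deletion is routine (caches, per-user temp); tune per environment.
BENIGN_TARGET_MARKERS = ("/Library/Caches/", "/private/var/folders/")

def destructive_reason(argv: List[str]) -> Optional[str]:
    """Reason string when argv matches rm -rf, dd file overwrite, or srm; otherwise None."""
    name = argv[0].rsplit("/", 1)[-1] if argv else ""
    flags = "".join(a[1:] for a in argv[1:] if a.startswith("-")).lower()
    if name == "rm" and "r" in flags and "f" in flags:
        return "rm recursive+force"
    if name == "dd":
        of = next((a[3:] for a in argv[1:] if a.startswith("of=")), "")
        if of and not of.startswith("/dev/"):  # overwriting a file, not writing a device
            return "dd overwrite of file"
    if name == "srm":
        return "srm secure delete"
    return None

def script_from_temp(parent_argv: List[str]) -> bool:
    """True when the parent interpreter was started with a script under /tmp or /private/tmp."""
    return any(a.startswith(TEMP_DIRS) for a in parent_argv[1:])

def triage(events: List[Dict]) -> List[Dict]:
    """high = destructive command launched from a temp-dir script; medium = destructive only."""
    hits = []
    for ev in events:
        reason = destructive_reason(ev["argv"])
        if reason is None or any(m in ev["argv"][-1] for m in BENIGN_TARGET_MARKERS):
            continue  # not destructive, or routine cache cleanup tuned out
        sev = "high" if script_from_temp(ev["parent_argv"]) else "medium"
        hits.append({"pid": ev["pid"], "user": ev["user"], "severity": sev, "reason": reason})
    return hits
```

Running `triage(EVENTS)` flags pids 501 and 502 as high, 504 as medium, and leaves the installer cache cleanup and the `dd` disk-imaging case alone.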
Mitigation priorities
- Confirm recoverable, tested backups for macOS systems and business-critical data before relying on detection alone.
- Restrict unnecessary script execution and administrative privileges on macOS endpoints where operationally feasible.
- Monitor and govern temporary directory execution patterns, especially scripts launched from /tmp or /private/tmp.
- Ensure incident response playbooks include rapid isolation, evidence preservation, and recovery steps for suspected destructive endpoint activity.
- Document telemetry coverage and detection tests as audit evidence for endpoint monitoring and resilience controls.
Analyst notes and limits
This object is an ATT&CK detection analytic, not a technique description. The supplied fields support a narrow macOS defensive interpretation around destructive file deletion or overwrite behavior. No tactic, relationship context, official detection text, actor linkage, or active exploitation claim is provided, so this take focuses on practical validation of telemetry, detection engineering, and recovery readiness.
The source object provides no official detection logic, no ATT&CK tactics, no related techniques, no mitigations, and no procedure examples beyond the short description. Local environment baselining is required to determine normal administrative behavior, detection fidelity, and business impact.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c283272fd146… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0413 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.