AN0438: Analytic 0438
Unexpected apps or scripts (osascript, curl, Automator workflows) exfiltrating data via webhooks. Defender perspective: correlation of clipboard/file read operations followed by HTTPS POST traffic to webhook services.
Analyst context for executives and security teams
This analytic matters because it focuses on a common macOS data-loss pattern: an unexpected application or script reads local data, such as clipboard or files, and then sends it out over HTTPS to a webhook service. For leaders, the value is not just detecting a specific tool name; it is validating whether the organization can connect endpoint activity with outbound network behavior quickly enough to identify possible exfiltration from user workstations.
Executive priority
Prioritize this where macOS systems handle sensitive business data, credentials, source code, customer records, or regulated information. The key business question is whether security teams can prove they collect enough endpoint and network evidence to investigate suspicious data movement from macOS devices. This also supports incident response readiness and compliance evidence by showing whether clipboard/file access and outbound HTTPS POST activity can be correlated during a suspected data-loss event.
Technical view
For SOC, detection engineering, and IR teams, validate telemetry that can correlate macOS process behavior with network egress. The ATT&CK object specifically calls out unexpected apps or scripts, including osascript, curl, and Automator workflows, exfiltrating via webhooks. Detection should focus on suspicious sequences: clipboard or file read activity followed by HTTPS POST traffic to webhook services. Because no official detection logic is provided, teams should build local analytics around known-good macOS automation, developer, IT admin, and business workflow patterns to reduce noise.
Likely telemetry
- macOS endpoint process execution telemetry, especially for osascript, curl, and Automator workflow activity
- File read/access events from macOS endpoints where available
- Clipboard access or clipboard-read telemetry where available
- Outbound HTTPS connection metadata from macOS endpoints
- HTTP method and destination context sufficient to identify POST traffic to webhook services
Detection direction
- Validate whether endpoint tooling records the parent process, command context, user, and script/application responsible for outbound HTTPS activity on macOS.
- Tune for suspicious correlation rather than single indicators: unexpected file or clipboard access followed by HTTPS POST traffic to webhook destinations.
- Establish baselines for legitimate automation, developer tooling, IT administration, and approved webhook integrations to manage false positives.
- Review visibility gaps caused by encrypted HTTPS where only limited destination or method data may be available.
- Ensure alerts preserve enough evidence for triage: host, user, process, accessed data location if available, destination, timing, and volume context.
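One way to express the read-then-POST correlation described in the list above, as an added example that is not part of the ATT&CK object or Glexia's analysis; the unified event schema, the two-minute window, the webhook host and the approved-integration baseline are all assumed placeholders to be replaced with local environment data:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Assumed (not from the ATT&CK object): a unified event schema, a two-minute
# window, and placeholder webhook-host and approved-integration lists.
SCRIPT_PROCS = {"osascript", "curl", "automator"}
WEBHOOK_HOSTS = {"hooks.webhook.example"}
APPROVED = {("svc_ci", "curl", "hooks.webhook.example")}  # (user, proc, dest)
WINDOW = timedelta(minutes=2)

@dataclass
class Event:
    ts: str           # ISO-8601 timestamp
    host: str
    user: str
    proc: str
    kind: str         # "read" (file or clipboard access) or "http"
    target: str       # path or "clipboard" for reads; destination host for http
    method: str = ""  # HTTP method, "http" events only
    size: int = 0     # bytes sent, "http" events only

def correlate(events):
    """Alert when a local read is followed, within WINDOW on the same host and
    user, by a script-driven HTTPS POST to a webhook host."""
    alerts, last_read = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        when, key = datetime.fromisoformat(ev.ts), (ev.host, ev.user)
        if ev.kind == "read":
            last_read[key] = (when, ev)
        elif (ev.kind == "http" and ev.method == "POST"
              and ev.proc in SCRIPT_PROCS and ev.target in WEBHOOK_HOSTS):
            prior = last_read.get(key)
            if prior is None or when - prior[0] > WINDOW:
                continue  # lone POST or stale read: not the sequence of interest
            if (ev.user, ev.proc, ev.target) in APPROVED:
                continue  # baselined integration, suppress
            alerts.append({"host": ev.host, "user": ev.user, "dest": ev.target,
                           "read_proc": prior[1].proc, "data": prior[1].target,
                           "post_proc": ev.proc, "bytes": ev.size,
                           "gap_s": int((when - prior[0]).total_seconds())})
    return alerts
# Constructed sample telemetry: a true sequence, an approved integration, a POST with no prior read, and a pair outside the window.
SAMPLE = [
    Event("2024-05-01T10:00:00", "mac-01", "alice", "osascript", "read", "clipboard"),
    Event("2024-05-01T10:00:20", "mac-01", "alice", "curl", "http", "hooks.webhook.example", "POST", 4096),
    Event("2024-05-01T10:10:00", "mac-02", "svc_ci", "curl", "read", "/Users/svc_ci/build.log"),
    Event("2024-05-01T10:10:05", "mac-02", "svc_ci", "curl", "http", "hooks.webhook.example", "POST", 900),
    Event("2024-05-01T10:20:00", "mac-03", "bob", "curl", "http", "hooks.webhook.example", "POST", 100),
    Event("2024-05-01T10:30:00", "mac-01", "alice", "osascript", "read", "/Users/alice/notes.txt"),
    Event("2024-05-01T10:33:00", "mac-01", "alice", "curl", "http", "hooks.webhook.example", "POST", 512),
]
```

Only the first pair in the constructed sample raises an alert; the alert carries the host, user, both processes, the data location, destination, gap and byte count the triage list above asks for.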
Mitigation priorities
- Inventory and govern approved macOS automation and scripting use, including Automator workflows and script interpreters where practical.
- Restrict or monitor unnecessary script-driven outbound access from macOS endpoints based on business role and risk.
- Strengthen egress monitoring for webhook destinations and unusual HTTPS POST activity from user workstations.
- Protect sensitive local data locations with least-privilege access and monitor reads where telemetry supports it.
- Document the required evidence for macOS data-exfiltration investigations so SOC and IR teams can demonstrate readiness during audits or incidents.
Analyst notes and limits
This is a detection analytic object for enterprise ATT&CK, platform macOS, external ID AN0438. It provides a useful defender perspective but does not include formal detection logic, tactics, relationships, or linked techniques in the supplied data. The strongest use is as a validation prompt for macOS endpoint and egress telemetry correlation.
The supplied ATT&CK fields do not specify tactics, related techniques, adversary use, impact, or official detection pseudocode. Any production rule, severity model, webhook service list, or claim of coverage requires local environment evidence and additional engineering beyond this object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f6631a745833… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.