MITRE ATT&CK® Analytic

AN0500: Analytic 0500

Correlated evidence where Safari/Chrome/WebKit-based processes issue network requests for uncommon or obfuscated JS resources followed by spawning of script interpreters, launchd or ad-hoc binaries, unusual child processes, or dynamic library loads into browser processes. Defender sees: proxy/HTTP logs with suspicious resource content + unifiedlogs/ASL showing browser/plugin crashes or extension loads + process events indicating child process creation and file writes to /var/folders or /tmp shortly after the fetch.

Enterprise · AN0500 · Analytic · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because it ties suspicious browser-delivered JavaScript on macOS to what happens next on the endpoint. For leaders, the value is not simply identifying an odd web request; it is validating whether the organization can connect proxy or HTTP evidence with macOS process, crash, extension-load, file-write, and dynamic-library activity quickly enough to support incident decisions.

Executive priority

Prioritize this as a coverage-validation item for macOS fleets where Safari, Chrome, or WebKit-based browsing is material to business operations. The executive question is whether SOC and IR teams can correlate web-layer signals with endpoint behavior after a suspicious resource fetch. This supports resilience, audit evidence, and incident triage by showing whether the organization can distinguish a blocked or harmless web event from activity that created files, spawned interpreters, invoked launchd, launched ad-hoc binaries, or modified browser process behavior.

Technical view

The supplied analytic is macOS-specific and describes correlated evidence: Safari/Chrome/WebKit-based processes requesting uncommon or obfuscated JavaScript resources, followed shortly by suspicious child process creation, script interpreter execution, launchd activity, ad-hoc binaries, unusual file writes to /var/folders or /tmp, browser/plugin crashes, extension loads, or dynamic library loads into browser processes. Because ATT&CK does not provide a separate detection block or relationship context for this object, defenders should treat the description itself as the validation logic and test whether their telemetry can join web/proxy events to macOS endpoint events by process, user, host, URL, timestamp, and file path.

Likely telemetry

  • Proxy, secure web gateway, or HTTP logs showing requested JavaScript resources and resource metadata
  • Browser process telemetry for Safari, Chrome, and WebKit-based processes on macOS
  • macOS process creation events, including parent-child relationships from browser processes
  • Evidence of script interpreter execution after browser network activity
  • launchd-related process or service activity following a browser fetch

Detection direction

  • Validate that web-layer logs and macOS endpoint telemetry can be correlated within a short time window after suspicious JavaScript resource requests.
  • Tune for uncommon or obfuscated JavaScript resource requests followed by endpoint behavior, rather than alerting on web requests alone.
  • Review browser child processes carefully; legitimate extensions, downloads, developer workflows, and enterprise browser tooling may create noisy but benign activity.
  • Confirm visibility into /var/folders and /tmp writes, because these temporary paths are explicitly called out in the analytic description.
  • Check whether unifiedlogs/ASL collection captures browser crashes, plugin events, and extension loads at a useful retention period.
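The correlation described in the technical view and the detection direction above, written out as an added Python example (not part of the MITRE object or Glexia's page): a file-name entropy heuristic stands in for "uncommon or obfuscated JS", and browser fetches are joined to follow-on macOS endpoint events by host, user and a time window. The browser and interpreter process names, record field names, the entropy threshold and the 60-second window are assumptions, and all telemetry is constructed.

```python
import math
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlparse

BROWSERS = {"Safari", "Google Chrome", "com.apple.WebKit.WebContent"}  # assumed process names
INTERPRETERS = {"osascript", "sh", "bash", "zsh", "python3", "curl", "launchctl"}  # assumed set
TEMP_PREFIXES = ("/var/folders/", "/tmp/", "/private/tmp/")
WINDOW = timedelta(seconds=60)  # "shortly after the fetch"; assumed value, tune per fleet

def shannon_entropy(s: str) -> float:
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def is_suspicious_js(url: str) -> bool:
    """Heuristic for an 'uncommon or obfuscated' JS resource: long, high-entropy file name."""
    path = urlparse(url).path
    stem = path.rsplit("/", 1)[-1][:-3]  # file name without ".js"
    return path.endswith(".js") and len(stem) >= 16 and shannon_entropy(stem) > 3.8

def is_followon(ev: dict) -> bool:
    """Behaviours the analytic names: browser-spawned or interpreter execs, temp-dir writes, dylib loads."""
    return ((ev["kind"] == "exec" and (ev["parent"] in BROWSERS or ev["image"] in INTERPRETERS))
            or (ev["kind"] == "file_write" and ev["path"].startswith(TEMP_PREFIXES))
            or (ev["kind"] == "dylib_load" and ev["parent"] in BROWSERS))

def correlate(proxy: list, endpoint: list, window: timedelta = WINDOW) -> list:
    """Join browser fetches of suspicious JS to follow-on endpoint events on the same host and user."""
    hits = []
    for req in proxy:
        if req["process"] not in BROWSERS or not is_suspicious_js(req["url"]):
            continue
        t0 = datetime.fromisoformat(req["ts"])
        followers = [ev for ev in endpoint
                     if (ev["host"], ev["user"]) == (req["host"], req["user"])
                     and t0 <= datetime.fromisoformat(ev["ts"]) <= t0 + window and is_followon(ev)]
        if followers:
            hits.append({"host": req["host"], "user": req["user"], "url": req["url"],
                         "events": [(e["ts"], e["kind"], e.get("image") or e.get("path")) for e in followers]})
    return hits

# Constructed sample telemetry (not real logs); keys mirror the join fields the analytic lists.
PROXY = [
    {"ts": "2024-05-01T10:00:00", "host": "mac-042", "user": "alice", "process": "Safari", "url": "https://cdn.example.com/static/jquery.min.js"},
    {"ts": "2024-05-01T10:00:05", "host": "mac-042", "user": "alice", "process": "Safari", "url": "https://x9q.example.net/a/kq8ZxQ3vJm0pLw7eRt2yUb.js"},
]
ENDPOINT = [
    {"ts": "2024-05-01T10:00:11", "host": "mac-042", "user": "alice", "kind": "exec", "parent": "Safari", "image": "osascript"},
    {"ts": "2024-05-01T10:00:12", "host": "mac-042", "user": "alice", "kind": "file_write", "parent": "osascript", "path": "/var/folders/zz/T/.x9q"},
    {"ts": "2024-05-01T10:05:00", "host": "mac-042", "user": "alice", "kind": "exec", "parent": "Safari", "image": "Slack"},  # outside the window
]
```

Calling `correlate(PROXY, ENDPOINT)` yields one hit tying the high-entropy fetch to the interpreter spawn and the /var/folders write, while the common library fetch and the exec five minutes later are left out, which is the "endpoint behavior, not web requests alone" point above.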

Mitigation priorities

  • Ensure managed macOS endpoints collect process, file-write, dynamic-library, and relevant unified log telemetry.
  • Maintain web/proxy logging for browser requests with enough URL and content/resource metadata to identify unusual or obfuscated JavaScript resources.
  • Harden browser and extension management where appropriate, including control of unapproved extensions and risky plugin behavior.
  • Use endpoint controls to scrutinize or restrict unexpected browser-spawned interpreters, launchd activity, and ad-hoc binaries, consistent with business requirements.
  • Validate incident response playbooks for correlating web events to endpoint actions on macOS, including evidence preservation for temporary directories and browser logs.

Analyst notes and limits

No ATT&CK tactic, relationship context, or explicit detection logic was supplied beyond the official description. The strongest use of this object is as a correlation-quality test for macOS browser activity: can the team prove what happened immediately after a suspicious web resource was fetched?

This take is limited to the supplied STIX fields and external reference. It does not assert active exploitation, adversary attribution, impact, or guaranteed detection. Local telemetry availability, browser mix, macOS management status, and logging retention will determine practical coverage.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Status: Current bundle
Raw hash: c9033fe549848a2d...
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0500

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.