AN0533: Analytic 0533
Use of pbpaste, AppleScript, or third-party automation frameworks (e.g., Automator) to collect clipboard or file content in bursts. Observable via unified logs.
Analyst context for executives and security teams
This analytic matters because clipboard and file-content collection on macOS can expose sensitive business data such as copied credentials, tokens, documents, customer information, or operational notes. The ATT&CK object highlights behavior where built-in macOS capabilities or automation frameworks are used in bursts, making it a practical SOC question: can the organization see unusual clipboard or automation-driven content access in unified logs?
Executive priority
Prioritize this as a macOS visibility and data-protection validation item. Leaders should ask whether managed detection, incident response, and compliance evidence programs can show collection of relevant macOS unified logs and whether monitoring covers automation activity that may touch sensitive user data. The business risk is not tied to a named actor in the supplied object; it is the possibility that sensitive content copied or handled by users could be collected without strong visibility.
Technical view
For SOC and detection teams, validate telemetry for macOS use of pbpaste, AppleScript, and third-party automation frameworks such as Automator where activity occurs in bursts and may involve clipboard or file content. Because ATT&CK provides no formal detection logic or tactic mapping for this analytic, teams should treat it as a visibility and behavior-hunting requirement rather than a complete rule. Focus on whether unified logs are collected, normalized, retained, and searchable for relevant automation and clipboard-access patterns.
Likely telemetry
- macOS unified logs
- Process execution telemetry for macOS utilities and automation components
- Automation framework activity records where available
- Endpoint security or EDR events showing command/process lineage on macOS
- User/session context around burst activity involving clipboard or file-content access
Detection direction
- Confirm that macOS unified logs are actually collected from endpoints where this risk matters; absence of this telemetry is the main coverage gap identified by the object.
- Hunt for burst patterns involving clipboard access or automation-driven collection rather than isolated benign use.
- Tune with user and process context because legitimate productivity workflows may use clipboard tools, AppleScript, or Automator.
- Validate whether detections can distinguish expected administrative or user automation from unusual frequency, timing, parent process, or endpoint context.
- Document that ATT&CK did not provide official detection logic for this analytic, so local baselining and testing are required.
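The burst-hunting direction above can be put into a small script. The following is an added example written for this page, not code from MITRE ATT&CK or from Glexia. It reads text in the shape of `log show --style syslog` output, keeps only lines from the processes the analytic names (pbpaste, osascript as the AppleScript runner, and Automator, the last being an assumption about how Automator appears), and reports a finding when a configurable number of those executions on one host fall inside a sliding time window. The log lines, host names, PIDs and the exact field layout are constructed for the example and must be adapted to your own exporter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Process names the analytic calls out. osascript is the command-line
# AppleScript runner; "Automator" is an assumption about the process name.
WATCHED_PROCESSES = {"pbpaste", "osascript", "Automator"}

# Constructed sample (not real log data) in the shape of
# `log show --style syslog` output. Field layout is an assumption.
SAMPLE_LOG = """\
2026-03-01 09:00:00.000000-0800 mac-01 osascript[4100]: started
2026-03-01 09:00:01.000000-0800 mac-01 pbpaste[4101]: started
2026-03-01 09:00:02.000000-0800 mac-01 pbpaste[4102]: started
2026-03-01 09:00:03.000000-0800 mac-01 pbpaste[4103]: started
2026-03-01 09:00:04.000000-0800 mac-01 pbpaste[4104]: started
2026-03-01 09:00:05.000000-0800 mac-01 pbpaste[4105]: started
2026-03-01 09:00:06.000000-0800 mac-01 Finder[300]: activity
2026-03-01 09:00:00.000000-0800 mac-02 osascript[2200]: started
2026-03-01 09:05:00.000000-0800 mac-02 osascript[2201]: started
"""

# timestamp  host  process[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+[+-]\d{4})\s+"
    r"(?P<host>\S+)\s+(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$"
)


def parse_events(text):
    """Return (timestamp, host, process) tuples for watched processes, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proc"] not in WATCHED_PROCESSES:
            continue  # unparseable line or a process we are not hunting for
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f%z")
        events.append((ts, m["host"], m["proc"]))
    events.sort(key=lambda e: e[0])  # hosts may be interleaved in the export
    return events


def find_bursts(events, window_seconds=30, threshold=5):
    """Sliding-window burst finder keyed per host.

    A finding is emitted once when `threshold` watched executions fall within
    `window_seconds`; the window is then cleared so one burst yields one finding
    rather than one per additional event. Isolated use never reaches threshold.
    """
    recent = defaultdict(deque)
    bursts = []
    for ts, host, proc in events:
        q = recent[host]
        q.append((ts, proc))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= threshold:
            bursts.append({
                "host": host,
                "start": q[0][0],
                "end": ts,
                "count": len(q),
                "processes": sorted({p for _, p in q}),
            })
            q.clear()
    return bursts


def hunt(text, window_seconds=30, threshold=5):
    """Parse syslog-style unified log text and return burst findings."""
    return find_bursts(parse_events(text), window_seconds, threshold)


if __name__ == "__main__":
    for b in hunt(SAMPLE_LOG):
        print(f"{b['host']}: {b['count']} executions of {b['processes']} "
              f"between {b['start'].time()} and {b['end'].time()}")
```

On a real endpoint the input would come from something like `log show --predicate 'process == "pbpaste" OR process == "osascript"' --style syslog --last 1h`; the window and threshold are the values to tune against your own baseline of legitimate clipboard and automation use, and the per-host key can be swapped for a user or parent-process key once that context is available in the telemetry.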
Mitigation priorities
- Establish macOS logging coverage and retention before relying on detections for this behavior.
- Limit or govern unnecessary automation capabilities where business workflows allow, especially on systems handling sensitive data.
- Use endpoint management and security controls to review which applications and scripts are permitted to automate user activity or access sensitive content.
- Include clipboard and automation abuse scenarios in incident response playbooks for macOS endpoints.
- Use findings to support compliance evidence around endpoint monitoring, sensitive data handling, and auditability of macOS activity.
Analyst notes and limits
This take is based only on ATT&CK analytic AN0533. The supplied object identifies macOS, pbpaste, AppleScript, third-party automation frameworks such as Automator, burst collection of clipboard or file content, and unified logs as an observable source. No relationship context, tactic mapping, actor association, or official detection logic was supplied.
Coverage cannot be inferred from the ATT&CK object alone. Organizations must validate local macOS logging configuration, endpoint telemetry quality, retention, and baselines for legitimate automation. The object does not support claims about active exploitation, specific threat groups, impact, or guaranteed detection.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | bf28ac0c5867… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0533 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.