AN0632: Analytic 0632
Detects binaries disguised as media or document types through extension-only masquerading or by modifying the file signature. Observes execution of files whose extension is not typically executable (.jpg, .txt), yet have valid Mach-O headers or execute via Terminal or launch services.
Analyst context for executives and security teams
This analytic matters because it focuses on a common user-trust and visibility problem on macOS: files that look like harmless documents or media by extension, but are actually executable or are launched through macOS execution paths. For leaders, the decision value is whether the organization can prove it can detect suspicious execution even when file names and extensions are misleading.
Executive priority
Prioritize this as a macOS endpoint visibility and incident readiness question. Executives should ask whether managed detection, SOC, and IR teams can identify executable content hidden behind non-executable-looking extensions, and whether evidence is retained to support containment, user-impact assessment, and audit response. This is especially relevant where macOS systems are used by privileged staff, developers, executives, or business functions with sensitive data access.
Technical view
Validate detection on macOS for execution of files with extensions not typically associated with executables, such as document or media-like extensions, when those files have valid Mach-O headers or are executed through Terminal or launch services. Because the official ATT&CK object provides no detection logic and no relationship context, teams should treat this as a detection objective rather than a complete rule. Confirm that endpoint telemetry captures file path, extension, file signature/header characteristics, process execution, parent process, Terminal-based execution, and launch services activity.
Likely telemetry
- macOS endpoint process execution events
- File path, filename, and extension metadata
- File header or file-type identification showing Mach-O content
- Parent/child process relationships, especially Terminal-launched execution
- Launch services execution evidence
Detection direction
- Test for files with non-executable-looking extensions that execute as Mach-O binaries.
- Correlate file extension with actual file signature/header rather than relying on filename alone.
- Tune for legitimate developer, testing, or administrative workflows that may execute unusually named binaries.
- Confirm visibility into both Terminal execution and launch services execution paths on macOS.
- Review blind spots where EDR, logging, or file inspection records extension but not file header/type.
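The following is an added example, not part of the Glexia analysis or the ATT&CK object, showing the core check the Technical view and Detection direction describe: identify a file by its actual header rather than its extension, flag the combination of a document or media extension with a valid Mach-O magic, and classify the execution path by parent process. The event schema, the extension list, and the parent-process names used to separate Terminal from launch-services execution are assumptions chosen for the example; the sample events and their header bytes are constructed, not captured from real files.

```python
import os
import struct

# First four bytes of a Mach-O file. The little-endian forms are what you see
# on Intel and Apple silicon Macs; the big-endian forms are kept for completeness.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
}
# Universal ("fat") binaries: magic is big-endian, followed by a 4-byte arch count.
FAT_MAGICS = {
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat)",
    b"\xca\xfe\xba\xbf": "Mach-O universal (fat, 64-bit offsets)",
}
# Extensions a user expects to open a document or media file, not run code.
# Constructed list for this example; extend it from your own file-type baseline.
NON_EXEC_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf",
                       ".doc", ".docx", ".mp3", ".mp4", ".mov"}
# Assumed parent-process names used to classify the execution path.
TERMINAL_PARENTS = {"Terminal", "bash", "zsh", "sh", "login"}
LAUNCH_SERVICES_PARENTS = {"launchd"}


def identify_macho(header: bytes):
    """Return a Mach-O type string if the header starts with a Mach-O magic, else None."""
    magic = header[:4]
    if magic in MACHO_MAGICS:
        return MACHO_MAGICS[magic]
    if magic in FAT_MAGICS and len(header) >= 8:
        # 0xCAFEBABE is also the Java class-file magic. A fat header stores a
        # small architecture count here; a class file stores a version number
        # (e.g. 0x34 for Java 8), so the count is used as a disambiguator (heuristic).
        nfat_arch = struct.unpack(">I", header[4:8])[0]
        if 0 < nfat_arch < 32:
            return FAT_MAGICS[magic]
    return None


def classify_execution_path(parent_process: str) -> str:
    """Map an assumed parent-process name onto the execution paths the analytic names."""
    if parent_process in TERMINAL_PARENTS:
        return "terminal"
    if parent_process in LAUNCH_SERVICES_PARENTS:
        return "launch_services"
    return "other"


def assess_event(event: dict) -> dict:
    """Compare the file's extension with its actual header and the observed execution path.

    Event keys (assumed schema): path, header (first 8 or more bytes), parent_process.
    """
    ext = os.path.splitext(event["path"])[1].lower()
    macho_type = identify_macho(event["header"])
    path_class = classify_execution_path(event["parent_process"])
    # The alert condition: real executable structure behind a non-executable-looking name.
    mismatch = macho_type is not None and ext in NON_EXEC_EXTENSIONS
    return {
        "path": event["path"],
        "extension": ext,
        "macho_type": macho_type,
        "execution_path": path_class,
        "alert": mismatch,
    }


# Constructed sample events: headers are hand-built, not captured from real files.
SAMPLE_EVENTS = [
    # a real JPEG (SOI marker) opened normally: no alert
    {"path": "/Users/alice/Downloads/photo.jpg", "header": b"\xff\xd8\xff\xe0\x00\x10JF", "parent_process": "Preview"},
    # a 64-bit Mach-O renamed to .jpg and run from a shell: alert
    {"path": "/Users/alice/Downloads/invoice.jpg", "header": b"\xcf\xfa\xed\xfe\x0c\x00\x00\x01", "parent_process": "zsh"},
    # a universal binary renamed to .txt, started via launch services: alert
    {"path": "/tmp/readme.txt", "header": b"\xca\xfe\xba\xbe\x00\x00\x00\x02", "parent_process": "launchd"},
    # a Java class file that shares the CAFEBABE magic: not Mach-O, no alert
    {"path": "/tmp/Main.class", "header": b"\xca\xfe\xba\xbe\x00\x00\x00\x34", "parent_process": "java"},
    # a developer's locally built tool with no extension: Mach-O, but not masquerading
    {"path": "/Users/dev/build/tool", "header": b"\xcf\xfa\xed\xfe\x07\x00\x00\x01", "parent_process": "bash"},
]


def run_samples():
    return [assess_event(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for r in run_samples():
        flag = "ALERT" if r["alert"] else "ok   "
        print(f"{flag} {r['path']} ext={r['extension'] or '(none)'} "
              f"type={r['macho_type']} via={r['execution_path']}")
```

The last sample is the tuning case from the Detection direction list: a Mach-O with no extension launched by a developer is not an extension mismatch and is left alone, while the same header behind a .jpg or .txt name is flagged regardless of whether it arrived through a shell or through launch services. The 0xCAFEBABE disambiguation matters in practice because a Java class file will otherwise be reported as a universal binary.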
Mitigation priorities
- Ensure macOS endpoint monitoring can inspect executable file type independently of extension.
- Harden user execution paths with least privilege and controlled application execution where operationally feasible.
- Use security awareness and handling procedures for unexpected document or media files that prompt execution behavior.
- Retain sufficient endpoint telemetry for IR to determine origin, user action, parent process, and subsequent activity.
- Validate managed detection or SOC coverage through safe internal testing that mirrors extension-only masquerading without relying on offensive tooling.
Analyst notes and limits
AN0632 is a detection analytic for macOS focused on binaries disguised as media or document types through extension-only masquerading or modified file signatures. The strongest operational use is to drive validation of endpoint telemetry and detection engineering assumptions: whether controls compare apparent file type to actual executable structure and whether macOS execution paths are observable.
The supplied ATT&CK object has no official detection text beyond the description, no tactics, no labels, and no relationship context. This take therefore does not infer adversary attribution, active exploitation, impacted sectors, or guaranteed detection coverage. Local baselines are required to distinguish suspicious masquerading from legitimate administrative or development activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources and Updates pages.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e94c6c05739b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0632 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.