AN0650: Analytic 0650
Unsigned processes accessing system memory or launching known credential scraping tools (e.g., osascript, dylib injections) to access the Keychain or sensitive memory regions.
Analyst context for executives and security teams
This analytic covers macOS behavior in which an unsigned process reads system memory or launches tooling associated with credential theft, such as osascript (often used to prompt the user for a password) or dynamic library injection, in order to reach the Keychain or sensitive memory regions. For leaders, the practical issue is credential risk: if macOS endpoint visibility cannot distinguish unsigned or suspicious processes interacting with credential stores or memory, incident responders may miss early evidence of account compromise or privilege misuse.
Executive priority
Prioritize this as a macOS identity and endpoint visibility question rather than a standalone detection guarantee. Security leaders should ask whether managed detection, EDR, and logging programs can show which processes are unsigned, which processes access Keychain or sensitive memory, and whether suspicious script or library-loading behavior is reviewed during credential-theft investigations. This matters for incident response readiness, privileged-access assurance, and audit evidence around endpoint control coverage.
Technical view
SOC and detection teams should validate that macOS telemetry captures unsigned process execution, process lineage, command lines, osascript usage, dynamic library load or injection indicators, Keychain access events, and access to sensitive memory regions. Native macOS telemetry rarely exposes per-process Keychain item access; most sensors see only invocations of the security command-line tool or opens of the keychain database files under ~/Library/Keychains, so those proxies should be collected. Because the official ATT&CK object provides no detection logic, treat AN0650 as a behavioral validation target: confirm that the data exists, then tune detections around unsigned processes interacting with credential-related resources. False positives may include legitimate unsigned internal tools, administrative scripts, and developer workflows, so use code-signing status, parent process, user context, file path, and frequency for triage.
Likely telemetry
- macOS process execution metadata, including parent-child process relationships
- Code-signing or unsigned binary status from endpoint telemetry
- Command-line and script execution records, especially osascript activity
- Dynamic library load or injection-related endpoint events where available
- Keychain access or credential-store interaction logs where available
Detection direction
- Confirm that macOS endpoint telemetry captures unsigned process execution and code-signing status before relying on this analytic.
- Baseline legitimate unsigned tools, developer utilities, and administrative scripts to reduce false positives.
- Review process lineage for unsigned processes that spawn or invoke osascript or other credential-adjacent tooling.
- Correlate suspicious process behavior with Keychain access, memory access, and dynamic library loading rather than alerting on unsigned status alone.
- Validate coverage on macOS specifically; no other platforms are supported by the supplied object.
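As an added illustration of the correlation steps above (not code from MITRE, Glexia, or any EDR vendor), the following Python applies those rules to a handful of constructed macOS process events. The event schema (type, pid, ppid, path, argv, signed, user, env), the approved-unsigned baseline, and the sample paths are assumptions standing in for whatever your sensor emits:

```python
"""Correlate unsigned-process telemetry with credential-adjacent behaviour.

Added illustration for the detection direction on this page; it is not MITRE
or Glexia code. The event schema is an assumption standing in for whatever
your EDR emits, and the sample events are constructed.
"""
import os
from typing import Dict, List

# Constructed sample telemetry: one dict per exec or file-open event.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "exec", "pid": 100, "ppid": 1, "path": "/usr/bin/login",
     "argv": ["login"], "signed": True, "user": "alice", "env": {}},
    # Approved unsigned internal tool from the baseline, driving osascript legitimately.
    {"type": "exec", "pid": 101, "ppid": 100, "path": "/opt/devtools/buildhelper",
     "argv": ["buildhelper"], "signed": False, "user": "alice", "env": {}},
    {"type": "exec", "pid": 102, "ppid": 101, "path": "/usr/bin/osascript",
     "argv": ["osascript", "-e", 'display notification "Build done"'],
     "signed": True, "user": "alice", "env": {}},
    # Unsigned binary in a temp directory, not in the baseline ...
    {"type": "exec", "pid": 200, "ppid": 100, "path": "/private/tmp/.update",
     "argv": [".update"], "signed": False, "user": "alice", "env": {}},
    # ... spawning osascript to prompt for a password,
    {"type": "exec", "pid": 201, "ppid": 200, "path": "/usr/bin/osascript",
     "argv": ["osascript", "-e",
              'display dialog "Enter password" default answer "" with hidden answer'],
     "signed": True, "user": "alice", "env": {}},
    # ... reading Keychain items through the security CLI,
    {"type": "exec", "pid": 202, "ppid": 200, "path": "/usr/bin/security",
     "argv": ["security", "find-generic-password", "-ga", "alice"],
     "signed": True, "user": "alice", "env": {}},
    # ... launching a signed helper with an injected dylib,
    {"type": "exec", "pid": 203, "ppid": 200, "path": "/usr/bin/curl",
     "argv": ["curl", "https://example.invalid/"], "signed": True, "user": "alice",
     "env": {"DYLD_INSERT_LIBRARIES": "/private/tmp/inject.dylib"}},
    # ... and opening the login keychain database directly.
    {"type": "file_open", "pid": 200,
     "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    # Unsigned but otherwise idle process: unsigned status alone must not alert.
    {"type": "exec", "pid": 300, "ppid": 100, "path": "/Users/alice/bin/hello",
     "argv": ["hello"], "signed": False, "user": "alice", "env": {}},
]

# Baseline of approved unsigned tools (assumed; feed from the software inventory).
APPROVED_UNSIGNED = {"/opt/devtools/buildhelper"}

# /usr/bin/security subcommands that read Keychain secrets.
KEYCHAIN_READ_SUBCOMMANDS = {"find-generic-password", "find-internet-password",
                             "dump-keychain"}


def detect(events: List[Dict]) -> List[Dict]:
    """Return one alert per unsigned, non-baselined process that also shows
    credential-adjacent behaviour (osascript child, Keychain read, dylib
    injection, keychain file access). Unsigned status alone never alerts."""
    procs: Dict[int, Dict] = {}      # pid -> exec record, for lineage lookups
    reasons: Dict[int, List[str]] = {}

    def unsigned_actor(pid: int):
        proc = procs.get(pid)
        if proc is None or proc["signed"] or proc["path"] in APPROVED_UNSIGNED:
            return None
        return proc

    def flag(pid: int, why: str) -> None:
        reasons.setdefault(pid, []).append(why)

    for ev in events:
        if ev["type"] == "exec":
            procs[ev["pid"]] = ev
            parent = unsigned_actor(ev["ppid"])
            injected = ev.get("env", {}).get("DYLD_INSERT_LIBRARIES")
            if injected:
                # Attribute the injection to the unsigned parent if there is one,
                # otherwise to the new process itself when it is unsigned.
                actor = parent or unsigned_actor(ev["pid"])
                if actor:
                    flag(actor["pid"], f"DYLD_INSERT_LIBRARIES={injected} on exec of {ev['path']}")
            if parent is None:
                continue
            name = os.path.basename(ev["path"])
            if name == "osascript":
                flag(parent["pid"], "spawned osascript: " + " ".join(ev["argv"]))
            elif name == "security" and set(ev["argv"]) & KEYCHAIN_READ_SUBCOMMANDS:
                flag(parent["pid"], "Keychain read via security: " + " ".join(ev["argv"]))
        elif ev["type"] == "file_open":
            actor = unsigned_actor(ev["pid"])
            if actor and ev["path"].endswith((".keychain-db", ".keychain")):
                flag(actor["pid"], "opened keychain database " + ev["path"])

    return [{"pid": pid, "path": procs[pid]["path"], "user": procs[pid]["user"],
             "reasons": why} for pid, why in reasons.items()]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['pid']} path={alert['path']} user={alert['user']}")
        for why in alert["reasons"]:
            print("  -", why)
```

In production the signed field would come from the sensor's exec event (Endpoint Security exec events carry signing information) or from checking the binary with codesign -dv. Treat the DYLD_INSERT_LIBRARIES check as a cheap, incomplete injection signal: SIP-protected platform binaries ignore the variable and apps with library validation refuse unsigned libraries, so a sensor's own library-load events are the better source for the injection column of this analytic.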
Mitigation priorities
- Improve macOS endpoint visibility first: collect process, code-signing, command-line, library-loading, and credential-store access telemetry where feasible.
- Enforce or strengthen controls that restrict execution of unsigned or untrusted software, aligned to business and developer requirements.
- Harden privileged and credential-bearing macOS systems with tighter application control, least privilege, and monitoring of administrative scripting.
- Use incident response playbooks that treat suspicious unsigned process access to Keychain or memory as a credential-risk investigation path.
- Maintain evidence of telemetry coverage and exception handling for compliance and control-assurance reviews.
Analyst notes and limits
AN0650 is a detection analytic in the enterprise ATT&CK domain for macOS. The supplied object carries a short description that points to credential-access behavior, but no ATT&CK tactic, technique relationship, or official detection logic. Use it as a coverage assessment and detection-engineering prompt, not as a complete rule: local telemetry quality, macOS logging configuration, EDR capability, and the inventory of approved unsigned software will determine whether it can be implemented reliably.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3334dd5db756… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0650
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.