MITRE ATT&CK® Analytic

AN0700: Analytic 0700

Domain: Enterprise | ID: AN0700 | Type: Analytic | Object version: 1.0 | Modified: (no value in the mirrored snapshot)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it focuses on a common macOS risk pattern: software installation or package execution from Terminal or a shell, followed by persistence-like startup agent creation, interpreter activity, or outbound network connections to unfamiliar domains. For leaders, the decision value is whether the organization can connect endpoint activity, process lineage, file creation, code-signing status, and network destinations quickly enough to separate legitimate developer/admin work from suspicious post-install behavior.

Executive priority

Prioritize this as a macOS endpoint visibility and response-readiness question. The business risk is not the package managers themselves, but weak visibility into what happens after software execution: creation of startup agents, unsigned binary launches, and remote connections by python3 or node. Security leaders should ask whether SOC coverage includes macOS Terminal-driven activity, whether developer and admin exceptions are documented, and whether incident responders can prove what was installed, what persisted, and what communicated externally.

Technical view

Validate that macOS telemetry can link Terminal or shell commands involving Homebrew, pip3, npm, or manually downloaded PKGs (from a shell, a PKG is normally run through installer(8)) to subsequent plist creation, unsigned binary execution, interpreter spawns, and outbound connections. Because no ATT&CK detection logic or relationships are supplied, treat this as a detection-design pattern rather than a complete rule. Process ancestry is the main pivot: an interactive install normally sits under Terminal.app (or another terminal emulator), login, and zsh or bash, whereas MDM- or script-driven installs sit under the management agent, so lineage separates interactive installs from managed deployment, and the follow-on behaviors then separate routine developer work from the pattern of interest. Useful validation should focus on that ancestry, command-line context, file creation in the startup-agent paths (~/Library/LaunchAgents, /Library/LaunchAgents, /Library/LaunchDaemons), code-signing state, and network connections from python3 or node to domains that are not expected for the host or user role.

Likely telemetry

  • macOS process creation events with command line and parent-child relationships
  • Terminal or shell execution history where centrally collected
  • File creation or modification events for plist/startup agent artifacts
  • Code-signing or binary reputation metadata for launched executables
  • Network connection telemetry including process name, destination domain, and remote endpoint

Detection direction

  • Correlate package manager or PKG execution from Terminal/shell with near-term startup agent plist creation, unsigned binary launch, interpreter spawn, or outbound connection behavior.
  • Tune carefully for developer, build, IT administration, and endpoint management workflows, where Homebrew, pip3, npm, python3, and node may be normal.
  • Use allowlists or baselines for expected domains and repositories, but avoid assuming all unfamiliar domains are malicious without environment context.
  • Prioritize detections that preserve the chain of evidence: initiating user, parent process, command line, created plist, launched binary, interpreter process, and destination domain.
  • Check for blind spots in macOS fleets, especially hosts without endpoint telemetry, incomplete command-line capture, missing DNS/process correlation, or limited code-signing visibility.
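
The correlation described in the technical view and in the detection direction above, as an added example that is not ATT&CK or Glexia code. It runs over constructed, simplified stand-ins for EDR telemetry (process-start, file-create and network-connect events); every host, user, path and domain is made up, and the EXPECTED_DOMAINS baseline and the ten-minute WINDOW are assumptions to be tuned per user role.

```python
"""Correlate shell-launched installer execution with follow-on persistence,
unsigned-binary, interpreter and network behavior on macOS (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

INSTALLERS = {"brew", "pip3", "npm", "installer"}   # installer(8) runs a downloaded PKG from a shell
INTERPRETERS = {"python3", "node"}
SHELLS = {"zsh", "bash", "sh"}
AGENT_DIRS = ("/Library/LaunchAgents/", "/Library/LaunchDaemons/")  # substring match also covers ~/Library/LaunchAgents
# Assumption: repositories a developer host is expected to reach; tune per role.
EXPECTED_DOMAINS = {"formulae.brew.sh", "ghcr.io", "pypi.org", "files.pythonhosted.org",
                    "registry.npmjs.org", "github.com"}
WINDOW = timedelta(minutes=10)   # assumed: how long after the install follow-on activity is linked


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str                      # "process", "file" or "network"
    pid: int
    ppid: int
    image: str                     # executable path of the acting process
    user: str = ""
    cmdline: str = ""              # process events
    signed: Optional[bool] = None  # process events: code-signing state, None if not captured
    path: str = ""                 # file events: created path
    dest: str = ""                 # network events: destination domain


def _name(image: str) -> str:
    return image.rsplit("/", 1)[-1]


def ancestry(ev: Event, procs: dict) -> list:
    """Walk parent pids on the same host; returns ancestor image names, nearest first."""
    chain, pid, seen = [], ev.ppid, set()
    while (ev.host, pid) in procs and pid not in seen:
        seen.add(pid)
        parent = procs[(ev.host, pid)]
        chain.append(_name(parent.image))
        pid = parent.ppid
    return chain


def correlate(events: list) -> list:
    """One finding per shell-launched installer followed on the same host, within WINDOW,
    by agent plist creation, an unsigned binary launch, an interpreter spawn, or an
    interpreter reaching a domain outside the baseline. Each finding keeps the evidence chain."""
    events = sorted(events, key=lambda e: e.ts)
    procs = {(e.host, e.pid): e for e in events if e.kind == "process"}
    findings = []
    for trig in events:
        if trig.kind != "process" or _name(trig.image) not in INSTALLERS:
            continue
        lineage = ancestry(trig, procs)
        if not any(a in SHELLS for a in lineage):
            continue   # not Terminal/shell driven (e.g. launched by an MDM agent)
        f = {"host": trig.host, "user": trig.user, "trigger": trig.cmdline,
             "lineage": lineage, "behaviors": set(), "evidence": []}
        for ev in events:
            if ev.host != trig.host or not (trig.ts < ev.ts <= trig.ts + WINDOW):
                continue
            if ev.kind == "file" and ev.path.endswith(".plist") and any(d in ev.path for d in AGENT_DIRS):
                f["behaviors"].add("plist_created"); f["evidence"].append(ev.path)
            elif ev.kind == "process" and ev.signed is False:
                f["behaviors"].add("unsigned_binary"); f["evidence"].append(ev.image)
            elif ev.kind == "process" and _name(ev.image) in INTERPRETERS:
                f["behaviors"].add("interpreter_spawn"); f["evidence"].append(ev.cmdline)
            elif ev.kind == "network" and _name(ev.image) in INTERPRETERS and ev.dest not in EXPECTED_DOMAINS:
                f["behaviors"].add("unfamiliar_outbound"); f["evidence"].append(f"{_name(ev.image)} -> {ev.dest}")
        if f["behaviors"]:
            findings.append(f)
    return findings


T = datetime(2024, 5, 1, 9, 0, 0)
TERMINAL = "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"
SAMPLE = [  # constructed telemetry
    # mac-dev-01: Terminal -> zsh -> brew, then a LaunchAgent, an unsigned helper, python3 calling out
    Event(T, "mac-dev-01", "process", 100, 1, TERMINAL, "alice", signed=True),
    Event(T + timedelta(seconds=1), "mac-dev-01", "process", 101, 100, "/bin/zsh", "alice", "-zsh", signed=True),
    Event(T + timedelta(seconds=5), "mac-dev-01", "process", 102, 101, "/opt/homebrew/bin/brew", "alice",
          "brew install example-tool"),
    Event(T + timedelta(minutes=2), "mac-dev-01", "file", 103, 102, "/bin/bash", "alice",
          path="/Users/alice/Library/LaunchAgents/com.example.helper.plist"),
    Event(T + timedelta(minutes=2, seconds=30), "mac-dev-01", "process", 105, 1, "/Users/alice/.helper/helperd",
          "alice", "helperd", signed=False),
    Event(T + timedelta(minutes=3), "mac-dev-01", "process", 104, 105, "/usr/bin/python3", "alice",
          "python3 /Users/alice/.helper/agent.py", signed=True),
    Event(T + timedelta(minutes=3, seconds=10), "mac-dev-01", "network", 104, 105, "/usr/bin/python3", "alice",
          dest="update-cdn.example.net"),
    # mac-dev-02: same lineage, but pip3 only reaches an expected repository -> no finding
    Event(T, "mac-dev-02", "process", 200, 1, TERMINAL, "bob", signed=True),
    Event(T + timedelta(seconds=1), "mac-dev-02", "process", 201, 200, "/bin/zsh", "bob", "-zsh", signed=True),
    Event(T + timedelta(seconds=5), "mac-dev-02", "process", 202, 201, "/usr/bin/pip3", "bob", "pip3 install requests"),
    Event(T + timedelta(seconds=8), "mac-dev-02", "network", 202, 201, "/usr/bin/pip3", "bob", dest="pypi.org"),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f["host"], f["user"], f["lineage"], sorted(f["behaviors"]), f["evidence"])
```

The second host shows the tuning point from the list above: an interactive pip3 install that only talks to its expected repository produces no finding, while the first host is flagged because the install is followed by all four behaviors. In a SIEM the same logic becomes a join on host and a time window keyed on the installer process; the lineage check is what keeps MDM- or build-system-driven installs out of the result set.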

Mitigation priorities

  • Establish macOS endpoint logging requirements that capture process lineage, file creation, code-signing status, and network destinations.
  • Define approved software installation and package management practices for developer and administrator systems.
  • Maintain baselines for expected package repositories, domains, interpreters, and startup agent behavior by user role or device group.
  • Ensure incident response playbooks can collect installed package evidence, plist artifacts, launched binaries, interpreter activity, and outbound connection records.
  • Use policy and control reviews to reduce unmanaged software execution paths where business requirements allow.
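
The playbook step above (collecting plist artifacts, launched binaries and interpreter activity) and the plist and code-signing telemetry items under "Likely telemetry", as an added host-side triage example that is not ATT&CK or Glexia code. The plists it writes to a temporary directory are constructed; code signing is checked with codesign(1) only when the script runs on macOS and is reported as "unknown" elsewhere. The interpreter list and path prefixes are assumptions, and the flags are triage hints, not verdicts.

```python
"""Triage startup-agent plists for interpreter-backed, unsigned or oddly located
persistence, as an IR playbook step (added example)."""
import os
import platform
import plistlib
import subprocess
import tempfile

# Assumed: interpreters whose presence as the launched program deserves a look.
INTERPRETERS = {"python3", "python", "node", "osascript", "bash", "zsh", "sh"}
TEMP_OR_USER_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
AGENT_DIRS = (os.path.expanduser("~/Library/LaunchAgents"), "/Library/LaunchAgents", "/Library/LaunchDaemons")


def program_of(plist: dict) -> str:
    """launchd uses Program if set, otherwise ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""


def signing_state(path: str) -> str:
    """'signed', 'unsigned', 'missing', or 'unknown' when not running on macOS."""
    if not os.path.exists(path):
        return "missing"
    if platform.system() != "Darwin":
        return "unknown"
    r = subprocess.run(["codesign", "--verify", "--strict", path], capture_output=True)
    return "signed" if r.returncode == 0 else "unsigned"


def triage_plist(path: str) -> dict:
    """Extract what the playbook needs from one plist and flag risky traits."""
    with open(path, "rb") as fh:
        p = plistlib.load(fh)
    program = program_of(p)
    args = list(p.get("ProgramArguments") or [])
    state = signing_state(program)
    flags = []
    if os.path.basename(program) in INTERPRETERS:
        flags.append("interpreter_backed")      # python3/node/osascript running a script
    if any(a.startswith(TEMP_OR_USER_PREFIXES) for a in [program, *args]):
        flags.append("user_or_temp_path")       # payload outside /Applications, /opt or system paths
    if p.get("RunAtLoad"):
        flags.append("run_at_load")
    if p.get("KeepAlive"):
        flags.append("keep_alive")
    if state == "unsigned":
        flags.append("unsigned_program")
    return {"plist": path, "label": p.get("Label", ""), "program": program,
            "args": args, "signing": state, "flags": flags}


def triage_dirs(dirs=AGENT_DIRS) -> list:
    """Triage every .plist in the startup-agent directories; a plist that does not
    parse is recorded rather than skipped, since that is itself worth a look."""
    results = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            full = os.path.join(d, name)
            try:
                results.append(triage_plist(full))
            except Exception as exc:
                results.append({"plist": full, "flags": ["unparseable"], "error": str(exc)})
    return results


def demo() -> list:
    """Write two constructed plists to a temp dir and triage them."""
    d = tempfile.mkdtemp()
    agents = {
        "com.example.helper.plist": {"Label": "com.example.helper", "RunAtLoad": True, "KeepAlive": True,
                                     "ProgramArguments": ["/usr/bin/python3", "/Users/alice/.helper/agent.py"]},
        "com.example.vendor.plist": {"Label": "com.example.vendor",
                                     "Program": "/Applications/Vendor.app/Contents/MacOS/updater"},
    }
    for name, content in agents.items():
        with open(os.path.join(d, name), "wb") as fh:
            plistlib.dump(content, fh)
    return triage_dirs([d])


if __name__ == "__main__":
    for r in triage_dirs():          # real host: the user's and system agent directories
        print(r["plist"], r.get("signing"), r.get("flags"))
```

Run without arguments it walks the live agent directories; demo() shows the output shape on the constructed plists. Record the returned dicts with the collection timestamp and the plist file hash alongside the package manager's own inventory (brew list, pip3 list, npm ls -g) so the installed-package evidence, the persistence artifact and the launched program end up in one record.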

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for macOS, not a technique, and no tactics, relationships, or official detection section were provided. The strongest use is as a coverage validation prompt for macOS SOC engineering and IR readiness around Terminal-driven software execution followed by persistence-like or network behaviors.

This take is limited to the supplied STIX fields and external reference. It does not establish adversary attribution, active exploitation, prevalence, impact, or guaranteed detection. Local baselines are required to distinguish suspicious activity from legitimate developer, administrator, or software management behavior.

Official MITRE ATT&CK definition

Analytic 0700

Execution of Homebrew, pip3, npm, or manually downloaded PKGs from Terminal or shell, followed by the creation of startup agents, interpreter spawns, or outbound connections to unfamiliar domains. Defender links Terminal commands to plist creation, unsigned binary launches, and `python3` or `node` processes connecting to remote endpoints.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (no value in the mirrored snapshot)
Modified: (no value in the mirrored snapshot)
Raw hash: a2d7cfa8ddfecad1...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | a2d7cfa8ddfe…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0700 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.