AN0726: Analytic 0726
Detects staged data aggregated in /Users/Shared, /private/tmp with compression tools like ditto or zip, initiated via Terminal or AppleScript.
Analyst context for executives and security teams
This analytic is about spotting macOS activity where data appears to be gathered in common shared or temporary locations and compressed with tools such as ditto or zip, especially when launched from Terminal or AppleScript. For leaders, the value is not that those tools are inherently malicious, but that this pattern can indicate data staging before movement or removal and should be visible to the SOC on managed macOS endpoints.
Executive priority
Prioritize this as a macOS data-protection and incident-readiness validation item. Ask whether the organization can prove, with endpoint telemetry, when archives are created in /Users/Shared or /private/tmp and which user, process, or script initiated them. This helps support incident scoping, insider-risk review, audit evidence for endpoint monitoring, and business continuity decisions when sensitive data handling is in question.
Technical view
Validate detection coverage on macOS for compression activity involving ditto or zip where source or output paths include /Users/Shared or /private/tmp, with emphasis on executions initiated by Terminal or AppleScript. Because ATT&CK provides no official detection logic for this analytic, teams should build and tune detections around process execution, command-line content, parent process context, and file creation events for archive artifacts in those paths. Treat the analytic as context-driven: legitimate admin, developer, installer, and user archive activity may occur in the same locations.
Likely telemetry
- macOS process execution events for ditto, zip, Terminal, and AppleScript-related execution
- Command-line arguments showing archive creation and referenced paths
- File creation, modification, and rename events in /Users/Shared and /private/tmp
- Archive file metadata such as filename, path, owner, timestamp, and size
- Parent-child process relationships showing Terminal or AppleScript initiation
Detection direction
- Confirm that macOS endpoint telemetry includes command-line capture and parent process context; without those fields, this analytic may be difficult to distinguish from normal compression use.
- Tune for archive creation in /Users/Shared and /private/tmp rather than generic zip or ditto execution alone to reduce false positives.
- Review baselines for developers, administrators, installers, and automation that legitimately use temporary/shared paths and compression utilities.
- Correlate archive creation with unusual user context, unexpected script execution, large archive size, repeated staging, or activity outside normal administrative workflows where local telemetry supports it.
- Document that tactics and relationship context were not supplied for this object, so local incident context is required before escalating severity.
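The detection direction above can be expressed as a small triage filter over process-execution events. This is an added example, not part of the ATT&CK analytic or any vendor rule; the event field names and sample events are constructed, and it assumes AppleScript surfaces as the osascript process and Terminal as a process named Terminal (ditto only writes an archive when given -c; /tmp is a symlink to /private/tmp on macOS).

```python
import os
from typing import Optional

ARCHIVERS = {"ditto", "zip"}
STAGING_DIRS = ("/Users/Shared", "/private/tmp", "/tmp")   # /tmp -> /private/tmp
INTERACTIVE_PARENTS = {"Terminal", "osascript"}            # osascript runs AppleScript

def _in_staging_dir(path: str) -> bool:
    """True when path is one of the staging directories or lies beneath one."""
    return any(path == d or path.startswith(d + "/") for d in STAGING_DIRS)

def _creates_archive(name: str, args: list[str]) -> bool:
    """ditto copies unless -c is present; zip always writes an archive."""
    return "-c" in args if name == "ditto" else True

def classify(event: dict) -> Optional[str]:
    """Return 'high', 'medium' or None for a single process-execution event."""
    name = os.path.basename(event["exe"])
    if name not in ARCHIVERS or not _creates_archive(name, event["args"]):
        return None
    # Either the gathered source or the written archive must sit in a staging path.
    if not any(_in_staging_dir(a) for a in event["args"]):
        return None
    parent = os.path.basename(event["parent_exe"])
    return "high" if parent in INTERACTIVE_PARENTS else "medium"

def find_staging(events: list[dict]) -> list[tuple[str, str]]:
    """Event ids with a severity, in input order; non-matching events are dropped."""
    return [(e["id"], sev) for e in events if (sev := classify(e))]

SAMPLE_EVENTS = [  # constructed sample telemetry, assumed field names
    {"id": "e1", "exe": "/usr/bin/ditto", "parent_exe": "/usr/bin/osascript",
     "args": ["ditto", "-c", "-k", "/Users/Shared/export", "/private/tmp/out.zip"]},
    {"id": "e2", "exe": "/usr/bin/zip",
     "parent_exe": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "args": ["zip", "-r", "/tmp/docs.zip", "/Users/alice/Documents"]},
    {"id": "e3", "exe": "/usr/bin/ditto", "parent_exe": "/usr/sbin/installd",
     "args": ["ditto", "/private/tmp/pkg", "/Applications/Foo.app"]},   # copy, not archive
    {"id": "e4", "exe": "/usr/bin/zip", "parent_exe": "/usr/local/bin/ci-runner",
     "args": ["zip", "-r", "/Users/Shared/build.zip", "/Users/Shared/build"]},  # baseline
    {"id": "e5", "exe": "/usr/bin/zip", "parent_exe": "/bin/zsh",
     "args": ["zip", "-r", "/Users/bob/site.zip", "/Users/bob/site"]},   # no staging path
]

if __name__ == "__main__":
    for event_id, severity in find_staging(SAMPLE_EVENTS):
        print(event_id, severity)
```

Events rated medium (e4, a CI runner archiving in /Users/Shared) are where the baseline review in the list above applies before any escalation.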
Mitigation priorities
- Ensure managed macOS endpoints collect process, command-line, and file activity telemetry needed to investigate archive creation in shared and temporary paths.
- Apply least-privilege and endpoint hardening practices so users and scripts have only the access needed for their roles.
- Use data handling controls and monitoring for sensitive repositories so suspicious local staging can be investigated with business context.
- Establish SOC triage guidance for distinguishing legitimate compression activity from suspicious staging behavior.
- Preserve endpoint evidence quickly during response because temporary directories may be cleaned or overwritten.
Analyst notes and limits
This Glexia take is based on the supplied ATT&CK analytic description only: macOS detection of staged data aggregated in /Users/Shared or /private/tmp using compression tools such as ditto or zip, initiated via Terminal or AppleScript. No ATT&CK relationships, tactics, aliases, or official detection logic were supplied.
Coverage and severity depend on local macOS telemetry quality, command-line visibility, endpoint management scope, and knowledge of legitimate administrative or user workflows. This object does not support claims about active exploitation, attribution, business impact, or guaranteed detection.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b949e71c3524… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0726
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.