AN0749: Analytic 0749
Detects malicious archiving via system or third-party libraries (libz, libarchive) invoked by Python, Swift, or Objective-C binaries. Correlates unified logs of library loads with creation of compressed or encrypted archives (.zip, .gz, .bz2, .dmg).
Analyst context for executives and security teams
AN0749 is a macOS-focused detection analytic for suspicious archive creation using system or third-party compression libraries, especially when invoked by Python, Swift, or Objective-C binaries. Its business value is in validating whether the organization can see potentially unauthorized packaging of files before movement, staging, or other follow-on activity, without assuming the analytic proves malicious intent by itself.
Executive priority
Security leaders should treat this as a coverage validation item for macOS fleets where sensitive data may be compressed into .zip, .gz, .bz2, or .dmg files. The priority question is whether SOC and incident response teams have enough endpoint and unified log visibility to distinguish normal software packaging or user activity from unusual archive creation that may require investigation. This supports resilience, data protection, and audit evidence around endpoint monitoring, but the supplied ATT&CK object does not define a tactic, impact, or active threat relationship.
Technical view
For SOC and detection engineering teams, validate collection of macOS unified logs showing library loads for libz or libarchive and correlate those events with creation of compressed or encrypted archive files. Focus scope on Python, Swift, and Objective-C binaries as described by the analytic. Because no official detection logic is supplied, teams should define local baselines for legitimate archiving behavior, developer tooling, backup utilities, installers, and administrative scripts before alerting broadly.
Likely telemetry
- macOS unified logs for library load activity
- Process execution metadata for Python, Swift, and Objective-C binaries
- File creation events for .zip, .gz, .bz2, and .dmg archives
- Endpoint metadata linking process, user, host, library load, and file path
- Archive creation timestamps suitable for correlation with library load events
Detection direction
- Confirm that macOS unified logs are collected and retained at a level sufficient to observe libz or libarchive loads.
- Correlate library loads by Python, Swift, or Objective-C binaries with near-time creation of compressed or encrypted archive files.
- Tune against expected archive creation from installers, developer workflows, backup processes, packaging tools, and administrative automation.
- Prioritize unusual users, hosts, paths, archive names, or archive creation outside normal business or operational patterns.
- Avoid treating archive creation alone as malicious; require context from process lineage, user behavior, file location, and local baselines.
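The correlation described under Technical view and in the steps above, worked through as an added example that is not part of the ATT&CK object or Glexia's analysis: it joins constructed library-load and file-creation events by host and pid inside a short window, scopes to Python, Swift and Objective-C processes through an assumed "runtime" tag from process execution metadata, and suppresses a locally baselined backup tool. Event field names, the runtime tag, the library paths and the baseline entry are all assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample events (not real telemetry). Field names, including the
# "runtime" tag assumed to come from process execution metadata, are assumptions.
LIB_LOADS = [
    {"ts": "2024-05-01T09:00:00", "pid": 410, "host": "mac-01", "user": "alice",
     "process": "/usr/local/bin/python3", "runtime": "python",
     "library": "/usr/lib/libz.1.dylib"},
    {"ts": "2024-05-01T09:05:00", "pid": 512, "host": "mac-01", "user": "bob",
     "process": "/Applications/Backup.app/Contents/MacOS/Backup", "runtime": "swift",
     "library": "/usr/lib/libarchive.2.dylib"},
    {"ts": "2024-05-01T11:00:00", "pid": 777, "host": "mac-02", "user": "alice",
     "process": "/Users/alice/Downloads/helper", "runtime": "objc",
     "library": "/usr/lib/libarchive.2.dylib"},
]
FILE_CREATES = [
    {"ts": "2024-05-01T09:00:07", "pid": 410, "host": "mac-01",
     "path": "/Users/alice/Documents/export.zip"},
    {"ts": "2024-05-01T09:00:08", "pid": 410, "host": "mac-01",
     "path": "/Users/alice/Documents/notes.txt"},   # not an archive extension
    {"ts": "2024-05-01T09:05:03", "pid": 512, "host": "mac-01",
     "path": "/Users/bob/backup.zip"},              # created by a baselined tool
    {"ts": "2024-05-01T11:30:00", "pid": 777, "host": "mac-02",
     "path": "/tmp/.cache.dmg"},                    # 30 min after the load: outside window
]

ARCHIVE_RE = re.compile(r"\.(zip|gz|bz2|dmg)$", re.IGNORECASE)
LIBRARY_RE = re.compile(r"/lib(z|archive)\.")        # libz / libarchive dylibs
IN_SCOPE_RUNTIMES = {"python", "swift", "objc"}
# Local baseline (assumption): approved archiving tools that are never alerted on.
BASELINE_PROCESSES = {"/Applications/Backup.app/Contents/MacOS/Backup"}

def correlate(loads, creates, window_seconds=30):
    """Pair each libz/libarchive load by an in-scope, non-baselined process with
    archives created by the same pid on the same host within the window after it."""
    hits = []
    for load in loads:
        if (load["runtime"] not in IN_SCOPE_RUNTIMES or load["process"] in BASELINE_PROCESSES
                or not LIBRARY_RE.search(load["library"])):
            continue
        t0 = datetime.fromisoformat(load["ts"])
        for c in creates:
            if (c["host"], c["pid"]) != (load["host"], load["pid"]) or not ARCHIVE_RE.search(c["path"]):
                continue
            delta = datetime.fromisoformat(c["ts"]) - t0
            if timedelta(0) <= delta <= timedelta(seconds=window_seconds):  # archive follows the load
                hits.append({"host": load["host"], "user": load["user"], "process": load["process"],
                             "library": load["library"], "archive": c["path"], "delta_s": delta.total_seconds()})
    return hits
```

Each hit carries the process lineage, user and archive path that the triage steps above call for; the window and baseline are the knobs to tune against local developer and backup workflows.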
Mitigation priorities
- Establish macOS endpoint logging and retention requirements before relying on this analytic.
- Baseline approved archive creation workflows and document expected tools, users, and directories.
- Restrict or review unnecessary scripting and development tooling on systems where it is not business-required.
- Ensure incident response playbooks include triage steps for suspicious archive creation, including user, process, file path, and timing review.
- Use the analytic as supporting evidence for monitoring coverage rather than as a standalone control or guaranteed prevention mechanism.
Analyst notes and limits
This object is a detection analytic, not a technique description. The supplied fields apply to macOS only and specifically mention libz, libarchive, Python, Swift, Objective-C, unified logs, and the archive extensions .zip, .gz, .bz2, and .dmg. No relationship context, tactic mapping, or official detection query is provided, so implementation must be adapted and validated locally.
The ATT&CK object provides a high-level analytic description but no official detection logic, no tactic, no related techniques, and no relationships. It does not support claims about active exploitation, attribution, prevalence, impact, or guaranteed detection coverage. Local telemetry quality and baseline knowledge determine practical value.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e5980b0ad417… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0749 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.