MITRE ATT&CK® Analytic

AN0769: Analytic 0769

The adversary invokes built-in scripting or decoding tools like base64, plutil, or AppleScript-based utilities to decode files embedded in staging artifacts. Decoding often occurs post-download or as part of post-exploitation payload deployment via zsh, python, or osascript.

Enterprise | AN0769 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because macOS payload staging often depends on ordinary built-in utilities to unpack or decode content after it has been delivered. For leaders, the risk is not the presence of tools like base64, plutil, zsh, python, or osascript by itself; it is whether the organization can distinguish normal administrative or developer use from suspicious decoding that occurs immediately after download or during payload deployment.

Executive priority

Prioritize this as a visibility and response-readiness question for macOS environments. Security leaders should ask whether endpoint telemetry can show command execution, script interpreters, decoded file creation, and post-download activity with enough context for the SOC to act. Because ATT&CK provides no detection logic for this analytic, teams should treat it as a control validation item rather than assumed coverage.

Technical view

For SOC, detection engineering, and IR teams, validate monitoring for macOS command-line and script execution involving built-in decoding or scripting utilities such as base64, plutil, AppleScript-related utilities, zsh, python, and osascript. Focus on context: execution after file download, execution from staging locations, creation of decoded files, and chaining from shell or script interpreters. Tactics are not specified in the supplied object, so analytics should be mapped locally to observed intrusion phases rather than inferred from ATT&CK metadata.

Likely telemetry

  • macOS process creation and command-line arguments
  • Parent-child process relationships for zsh, python, osascript, base64, plutil, and AppleScript-related utilities
  • File creation or modification events for decoded or staged artifacts
  • Download and quarantine-related file metadata where available
  • Endpoint detection and response events from macOS hosts

Detection direction

  • Confirm that macOS endpoint tooling captures full command-line arguments and parent process context for built-in decoding and scripting utilities.
  • Tune detections around suspicious sequences, such as a downloaded or staged file followed by decoding activity and subsequent execution or file creation.
  • Account for high false-positive potential from legitimate developer, administrator, automation, and packaging workflows that use base64, plutil, python, zsh, or osascript.
  • Use allowlists carefully and prefer behavioral context over blocking or alerting on utility names alone.
  • Because the official detection field is not provided and no relationships are supplied, build and test local logic against known-good macOS workflows before operationalizing alerts.
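The sequence-based tuning the bullets above describe, as an added example that is not part of the original page or of ATT&CK: a small Python scorer over constructed macOS process-creation events that gives no weight to the decoder name by itself and only adds points for interpreter parentage, staging paths, quarantine metadata on the input, and a follow-on process from the same parent. The event fields, weights, path patterns and the 120-second window are assumptions to be replaced with local baselines.

```python
import re
from collections import namedtuple

# Constructed macOS process-creation telemetry (not from the page). "quarantined"
# stands in for com.apple.quarantine metadata on a file named in the command line.
ProcEvent = namedtuple("ProcEvent", "ts pid ppid name parent cmdline quarantined")

DECODERS = {"base64", "plutil"}
INTERPRETERS = {"zsh", "bash", "sh", "python", "python3", "osascript"}
STAGING = re.compile(r"(/private)?/tmp/|/Users/[^/]+/Downloads/|/Users/Shared/|/var/folders/")
DECODE_FLAGS = re.compile(r"\s-(d|D|-decode)\b|\s-convert\s")

def score_decode_event(ev, later_events, window=120):
    """Score one event on context only: the decoder name by itself scores 0."""
    if ev.name not in DECODERS or not DECODE_FLAGS.search(ev.cmdline):
        return 0, []
    score, reasons = 0, []
    if ev.parent in INTERPRETERS:           # chained from a shell/script interpreter
        score, reasons = score + 1, reasons + [f"spawned by {ev.parent}"]
    if STAGING.search(ev.cmdline):          # reads from or writes to a staging path
        score, reasons = score + 1, reasons + ["staging location in command line"]
    if ev.quarantined:                      # input was downloaded (quarantine bit set)
        score, reasons = score + 2, reasons + ["input carries quarantine metadata"]
    for nxt in later_events:                # same parent runs something else soon after
        if nxt.ppid == ev.ppid and 0 < nxt.ts - ev.ts <= window and nxt.name not in DECODERS:
            score, reasons = score + 2, reasons + [f"followed by {nxt.name} in {nxt.ts - ev.ts}s"]
            break
    return score, reasons

def detect(events, threshold=4):
    """Return [(pid, score, reasons)] for decode events at or above threshold."""
    events = sorted(events, key=lambda e: e.ts)
    hits = []
    for i, ev in enumerate(events):
        score, reasons = score_decode_event(ev, events[i + 1:])
        if score >= threshold:
            hits.append((ev.pid, score, reasons))
    return hits

SAMPLE = [  # constructed: one benign developer decode, one staged-download decode
    ProcEvent(1000, 501, 500, "zsh", "Terminal", "zsh -l", False),
    ProcEvent(1001, 502, 501, "base64", "zsh", "base64 -d /Users/dev/proj/cert.b64", False),
    ProcEvent(2000, 610, 600, "base64", "osascript",
              "base64 -D -i /Users/dev/Downloads/update.txt -o /tmp/.upd", True),
    ProcEvent(2003, 611, 600, ".upd", "osascript", "/tmp/.upd", False),
]

if __name__ == "__main__":
    for pid, score, reasons in detect(SAMPLE):
        print(pid, score, "; ".join(reasons))
```

The benign developer decode scores 1 (interpreter parent only) and stays below the threshold, while the quarantined download decoded into /tmp and followed by execution scores 6.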

Mitigation priorities

  • Ensure managed macOS endpoints produce process, command-line, and file telemetry needed for investigation.
  • Harden and monitor script interpreter usage according to business need, especially for osascript, python, and shell execution paths.
  • Review controls around downloaded files and staging locations so decoding activity can be tied back to source artifacts.
  • Create incident response playbooks for suspicious post-download decoding, including artifact collection and containment decision points.
  • Use detection testing to prove whether current EDR/SIEM content can identify decoding followed by payload deployment behavior.

Analyst notes and limits

This object is a MITRE ATT&CK detection analytic for macOS describing adversary use of built-in scripting or decoding tools to decode files embedded in staging artifacts, often after download or during post-exploitation payload deployment. The value for defenders is in validating telemetry and behavioral correlation, not in treating these common utilities as inherently malicious.

The supplied ATT&CK object has no official detection text, no tactics, and no relationship context. This take does not infer attribution, active exploitation, impact, or coverage. Local environment baselines are required to separate legitimate macOS administration and development activity from suspicious decoding behavior.

Official MITRE ATT&CK definition

Analytic 0769

The adversary invokes built-in scripting or decoding tools like base64, plutil, or AppleScript-based utilities to decode files embedded in staging artifacts. Decoding often occurs post-download or as part of post-exploitation payload deployment via zsh, python, or osascript.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: b5326eda6ce9ef1b...

Imported snapshots across ATT&CK releases (1)

Release: 19.1 | Bundle imported: | Object version: 1.0 | Modified: | Status: Current bundle | Raw hash: b5326eda6ce9…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0769 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.