AN0789: Analytic 0789
Processes such as osascript, curl, or office applications sending data to text storage APIs/domains. Defender perspective: anomalous clipboard or file reads by unexpected applications immediately followed by outbound HTTPS requests to pastebin-like services.
Analyst context for executives and security teams
This analytic highlights a macOS data-exposure pattern: applications such as osascript, curl, or office apps reading clipboard or file content and then sending data over HTTPS to pastebin-like text storage services. For leaders, the value is not that every such connection is malicious, but that this behavior can indicate unsanctioned data movement from endpoints using ordinary tools and common web destinations.
Executive priority
Prioritize this as a data-loss and incident-triage use case for macOS environments. Security leaders should ask whether endpoint, network, and web telemetry can connect local data access events to outbound HTTPS traffic, and whether acceptable-use, DLP, and investigation processes cover text storage APIs/domains. This is relevant to compliance evidence and incident decision-making because the key question is whether the organization can prove what data was accessed, by which process, and where it was sent.
Technical view
For SOC and detection engineering teams, validate coverage on macOS for unexpected applications performing clipboard or file reads followed closely by outbound HTTPS requests to pastebin-like services. Focus on process context for osascript, curl, and office applications, command/process lineage where available, file or clipboard access evidence, destination domain categorization, and timing correlation. Because ATT&CK provides no tactic assignment, no official detection logic, and no relationship context for this analytic, local baselining is required to separate legitimate automation or user workflows from suspicious data staging or exfiltration-like behavior.
Likely telemetry
- macOS endpoint process execution events
- Process lineage and parent-child relationships for osascript, curl, and office applications
- File read activity by process where available
- Clipboard access activity by process where available
- Outbound HTTPS connection metadata
Detection direction
- Correlate anomalous clipboard or file reads by unexpected macOS applications with near-term outbound HTTPS requests to pastebin-like services.
- Baseline legitimate use of curl, osascript, office applications, developer tooling, and approved automation to reduce false positives.
- Tune destination logic around text storage APIs/domains rather than relying only on single-domain blocklists.
- Review whether encrypted HTTPS limits content visibility: TLS hides the request body, so content-level matching usually needs a TLS-inspecting proxy or endpoint DLP, while DNS, SNI, proxy, and connection metadata can still establish destination, timing, and volume sent for investigation.
- Treat alerts as investigation leads requiring process, user, file, and destination context; the supplied ATT&CK object does not provide a ready-made detection rule.
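The correlation described in the Technical view and in the detection direction above, written out as runnable logic, is shown below. This is an added example, not detection content from ATT&CK or from Glexia: it replays constructed macOS endpoint events (process reads of a file or the clipboard, then an outbound connection) and raises an alert when a watched process reads data and, within a short window, opens a TCP/443 connection to a host in a local "text storage" category. The domain list, the process names, the approved-lineage baseline, and the event schema are all assumptions for the example; a real deployment would take these from the endpoint sensor's own field names, the proxy's category feed, and the fleet's observed history.

```python
"""Correlate per-process clipboard/file reads with near-term outbound HTTPS
to pastebin-like hosts. Added example with constructed events; not ATT&CK
or vendor detection logic."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed local category of text-storage / pastebin-like domains. In practice
# this comes from proxy categorisation or a maintained internal list.
TEXT_STORAGE_DOMAINS = {"pastebin.com", "paste.ee", "hastebin.com", "dpaste.com"}

# Processes the analytic calls out. Office process names are assumptions about
# how an endpoint sensor reports them.
WATCHED_PROCESSES = {"osascript", "curl", "Microsoft Word",
                     "Microsoft Excel", "Microsoft PowerPoint"}

# Assumed baseline of (process, parent) pairs approved locally, e.g. an
# internal bot that legitimately publishes build output to a paste service.
APPROVED_LINEAGE = {("curl", "paste-bot")}


@dataclass
class Event:
    ts: datetime
    pid: int
    process: str
    parent: str
    user: str
    kind: str        # "file_read", "clipboard_read" or "net_connect"
    detail: str = ""  # path/pasteboard name for reads, "host:port" for connects


def is_text_storage(host: str) -> bool:
    """Match the host or any subdomain of a categorised domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TEXT_STORAGE_DOMAINS)


def correlate(events, window=timedelta(seconds=30), baseline=APPROVED_LINEAGE):
    """Return one alert per watched process that read clipboard/file data and,
    within `window`, connected over 443 to a text-storage host. Only the most
    recent read per pid is kept, which is enough for the 'read immediately
    followed by send' pattern; approved lineage is suppressed, not dropped."""
    last_read = {}   # pid -> most recent qualifying read event
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind in ("file_read", "clipboard_read"):
            if ev.process in WATCHED_PROCESSES:
                last_read[ev.pid] = ev
            continue
        if ev.kind != "net_connect":
            continue
        host, _, port = ev.detail.rpartition(":")
        if port != "443" or not is_text_storage(host):
            continue
        read = last_read.get(ev.pid)
        if read is None or read.process != ev.process:  # guard against pid reuse
            continue
        delta = ev.ts - read.ts
        if delta > window:
            continue
        if (ev.process, ev.parent) in baseline:
            continue  # approved automation: keep for baselining, do not alert
        alerts.append({
            "pid": ev.pid, "process": ev.process, "parent": ev.parent,
            "user": ev.user, "read_kind": read.kind, "read_detail": read.detail,
            "destination": ev.detail, "seconds_between": delta.total_seconds(),
        })
    return alerts


# Constructed sample telemetry covering the true-positive, benign and
# out-of-window cases.
T0 = datetime(2026, 1, 15, 9, 30, 0)
SAMPLE_EVENTS = [
    # osascript reads the clipboard and posts to pastebin.com 3 s later -> alert
    Event(T0, 4210, "osascript", "Terminal", "alice", "clipboard_read", "NSPasteboard general"),
    Event(T0 + timedelta(seconds=3), 4210, "osascript", "Terminal", "alice", "net_connect", "pastebin.com:443"),
    # curl reads a spreadsheet, then connects to a pastebin subdomain -> alert
    Event(T0 + timedelta(seconds=10), 4300, "curl", "bash", "alice", "file_read", "/Users/alice/Documents/q3-forecast.xlsx"),
    Event(T0 + timedelta(seconds=12), 4300, "curl", "bash", "alice", "net_connect", "api.pastebin.com:443"),
    # curl under a package updater talking to a non-categorised host -> no alert
    Event(T0 + timedelta(seconds=20), 4400, "curl", "brew", "alice", "file_read", "/usr/local/Homebrew/.git/HEAD"),
    Event(T0 + timedelta(seconds=21), 4400, "curl", "brew", "alice", "net_connect", "github.com:443"),
    # Word reads a document and contacts its vendor CDN -> no alert
    Event(T0 + timedelta(seconds=30), 4500, "Microsoft Word", "launchd", "bob", "file_read", "/Users/bob/Documents/notes.docx"),
    Event(T0 + timedelta(seconds=31), 4500, "Microsoft Word", "launchd", "bob", "net_connect", "officecdn.microsoft.com:443"),
    # read and paste-site connection two minutes apart -> outside window, no alert
    Event(T0 + timedelta(seconds=40), 4600, "curl", "zsh", "bob", "file_read", "/Users/bob/Desktop/meeting-notes.txt"),
    Event(T0 + timedelta(seconds=160), 4600, "curl", "zsh", "bob", "net_connect", "pastebin.com:443"),
    # approved paste-bot automation with the same pattern -> suppressed by baseline
    Event(T0 + timedelta(seconds=50), 4700, "curl", "paste-bot", "svc-paste", "file_read", "/var/log/build-summary.txt"),
    Event(T0 + timedelta(seconds=52), 4700, "curl", "paste-bot", "svc-paste", "net_connect", "dpaste.com:443"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it reports two alerts (the osascript clipboard case and the curl subdomain case); passing an empty baseline surfaces the paste-bot activity as a third, and widening the window to a few minutes pulls in the two-minute gap, which is the tuning trade-off the baselining guidance above refers to. Each alert carries process, parent, user, what was read, destination and the gap in seconds, which is the minimum context an analyst needs before treating it as a lead rather than a finding.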
Mitigation priorities
- Confirm macOS endpoint monitoring captures process execution, file or clipboard access where feasible, and network connection metadata.
- Define policy for approved and unapproved text storage services, including web filtering or DLP controls where appropriate.
- Limit or monitor risky script and command-line tool usage in sensitive user groups or data-handling environments.
- Ensure incident response playbooks can preserve endpoint, proxy, DNS, and DLP evidence needed to determine what data may have been sent.
- Use user and application baselines before enforcing controls broadly to avoid disrupting legitimate business workflows.
Analyst notes and limits
This take is based on ATT&CK analytic AN0789 for macOS. The object describes a behavioral pattern involving osascript, curl, office applications, clipboard or file reads, and outbound HTTPS to pastebin-like services. No tactics, relationships, aliases, labels, or official detection logic were supplied.
Coverage and risk depend heavily on the local macOS fleet, logging depth, proxy/DLP visibility, and whether the organization can observe clipboard or file-read activity by process. The supplied fields do not support claims about active exploitation, attribution, impact, or guaranteed detection.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | affa43616c92… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0789 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.