MITRE ATT&CK® Analytic

AN0799: Analytic 0799

Cause→effect chain: (1) App crash/abnormal termination in unified logs for Safari/Chrome/Office/Preview, (2) new files/scripts in ~/Library, ~/Downloads, /private/var/folders/*, (3) unexpected child (osascript, zsh, bash, curl) spawned by those apps, (4) new outbound connections.

Enterprise | AN0799 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because it looks for a suspicious sequence on macOS: a common user-facing app crashes or terminates abnormally, files or scripts appear in user-writable locations, the app spawns unusual command-line children, and outbound network activity follows. For leaders, the value is not the individual events alone; it is whether the organization can connect endpoint, file, process, and network evidence quickly enough to decide whether a macOS workstation incident is isolated noise or requires response.

Executive priority

Prioritize this as a macOS endpoint visibility and response-readiness validation. The analytic can help test whether SOC and IR teams have the evidence needed to investigate suspicious activity involving Safari, Chrome, Office, or Preview without relying on a single alert. It is especially useful for control-gap discussions around macOS logging, EDR coverage, user-writable directories, and evidence retention for incident and compliance needs.

Technical view

Validate whether macOS telemetry can correlate the described cause-and-effect chain: unified log evidence of app crash or abnormal termination, file or script creation in ~/Library, ~/Downloads, and /private/var/folders/*, unexpected child processes such as osascript, zsh, bash, or curl spawned by Safari, Chrome, Office, or Preview, and new outbound connections. Because no official detection logic is provided, teams should build and tune correlation logic around event ordering, parent-child process relationships, file paths, and network timing rather than treating any single event as conclusive.

Likely telemetry

  • macOS unified logs showing application crash or abnormal termination events
  • Endpoint process creation telemetry with parent-child relationships
  • File creation or modification telemetry for ~/Library, ~/Downloads, and /private/var/folders/*
  • Command-line telemetry for osascript, zsh, bash, curl, and related spawned processes
  • Network connection telemetry from the endpoint, including new outbound destinations

Detection direction

  • Confirm that macOS unified log collection is available, retained, and searchable for the named applications.
  • Correlate multiple weak signals in sequence: abnormal app termination, new user-writable files or scripts, unexpected child process execution, and outbound connection activity.
  • Tune for legitimate software update, browser helper, document workflow, and user automation activity that may create files, spawn shell tools, or connect outbound.
  • Prioritize parent-child process validation: Safari, Chrome, Office, or Preview spawning osascript, zsh, bash, or curl should receive higher scrutiny when paired with recent crash and file-write context.
  • Test whether telemetry from temporary and user directories is complete; these locations are common blind spots due to volume, privacy constraints, or endpoint logging exclusions.
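As an added illustration of the correlation the bullets above call for (example code, not detection logic from MITRE or Glexia), the following Python walks a constructed event stream through the four stages in order and inside a time window, and does not alert on a browser helper spawning curl when the preceding crash and file-write context is absent. The event field layout, the sample paths and the destination addresses are assumptions made for the demo.

```python
import re
from datetime import datetime, timedelta

WATCHED_APPS = {"Safari", "Chrome", "Office", "Preview"}
SUSPICIOUS_CHILDREN = {"osascript", "zsh", "bash", "curl"}
# ~/Library, ~/Downloads and the per-user temp tree named in the analytic.
WATCHED_PATH = re.compile(r"^/Users/[^/]+/(Library|Downloads)/|^/private/var/folders/")

# Constructed demo events (not real telemetry): (timestamp, kind, actor, detail).
# kind: crash | file | process | network; detail: path, child name or destination.
EVENTS = [
    ("2024-01-01T09:00:00", "crash",   "Preview",   "abnormal termination"),
    ("2024-01-01T09:00:04", "file",    "Preview",   "/Users/u/Library/LaunchAgents/com.demo.plist"),
    ("2024-01-01T09:00:07", "process", "Preview",   "osascript"),
    ("2024-01-01T09:00:09", "network", "osascript", "203.0.113.10:443"),
    # Helper spawning curl with no preceding crash or file write: must not alert.
    ("2024-01-01T10:15:00", "process", "Chrome",    "curl"),
    ("2024-01-01T10:15:01", "network", "curl",      "198.51.100.7:443"),
]

def _first_after(events, start, deadline, pred):
    """First event with start < time <= deadline that satisfies pred, else None."""
    for ev in events:
        if start < ev[0] <= deadline and pred(ev):
            return ev
    return None

def chain_alerts(events, window_seconds=300):
    """One alert per watched-app crash followed, in order and inside the window,
    by a watched-path file write, a suspicious child, and that child's connection."""
    parsed = sorted((datetime.fromisoformat(t), k, a, d) for t, k, a, d in events)
    alerts = []
    for ts, kind, app, _ in parsed:
        if kind != "crash" or app not in WATCHED_APPS:
            continue
        deadline = ts + timedelta(seconds=window_seconds)
        f = _first_after(parsed, ts, deadline, lambda e: e[1] == "file"
                         and e[2] == app and WATCHED_PATH.match(e[3]))
        if f is None:
            continue
        p = _first_after(parsed, f[0], deadline, lambda e: e[1] == "process"
                         and e[2] == app and e[3] in SUSPICIOUS_CHILDREN)
        if p is None:
            continue
        n = _first_after(parsed, p[0], deadline, lambda e: e[1] == "network" and e[2] == p[3])
        if n is not None:
            alerts.append({"app": app, "crash": ts.isoformat(), "file": f[3],
                           "child": p[3], "destination": n[3]})
    return alerts
```

Shrinking the window or reordering the stages (a connection logged before the child process) drops the alert, which is the behaviour to verify when tuning against local baselines.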

Mitigation priorities

  • Ensure managed macOS endpoints collect endpoint process, file, unified log, and network telemetry at sufficient fidelity for investigation.
  • Harden and monitor execution from user-writable and temporary locations where operationally feasible.
  • Review controls around scripting and shell execution launched from user-facing applications.
  • Maintain incident response playbooks for triaging correlated macOS endpoint events, including file capture, process ancestry review, and network destination assessment.
  • Use this analytic as a validation scenario for macOS EDR/SOC coverage rather than as a standalone prevention control.

Analyst notes and limits

The supplied object is a detection analytic for macOS with no tactic mapping, no relationships, and no official detection logic beyond the descriptive cause-effect chain. The strongest defensive use is as a correlation and telemetry-validation pattern for macOS investigations.

No relationship context, attribution, active exploitation claim, or ATT&CK tactic is supplied. Local baselining is required to distinguish suspicious parent-child process and file-write sequences from legitimate browser, Office, Preview, update, or automation behavior.

Official MITRE ATT&CK definition

Analytic 0799

Cause→effect chain: (1) App crash/abnormal termination in unified logs for Safari/Chrome/Office/Preview, (2) new files/scripts in ~/Library, ~/Downloads, /private/var/folders/*, (3) unexpected child (osascript, zsh, bash, curl) spawned by those apps, (4) new outbound connections.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created: (blank)
Modified: (blank)
Raw hash: 4deb675788e749b1...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    | (blank)         | 1.0            | (blank)  | Current bundle | 4deb675788e7…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0799

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.