MITRE ATT&CK® Analytic

AN0813: Analytic 0813

Execution of renamed or dropped files with a trailing space to deceive users or analysts, especially in LaunchAgents or LaunchDaemons.

Enterprise | AN0813 | Analytic | Object v1.0 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic highlights a macOS deception technique: executing files whose names include a trailing space, especially around LaunchAgents or LaunchDaemons. The business issue is not the filename trick itself; it is whether endpoint, SOC, and incident response processes preserve enough file-path detail to notice subtle naming abuse that can hide persistence-related activity from users and analysts.

Executive priority

Treat this as a macOS visibility and assurance question. Leaders should ask whether managed detection, EDR logging, and IR evidence handling can reliably capture exact file names and paths, including whitespace, for LaunchAgent and LaunchDaemon-related execution. This matters for operational resilience and audit readiness because weak filename normalization or incomplete macOS telemetry can create blind spots even when endpoint tooling is deployed.

Technical view

For macOS environments, validate whether telemetry records execution of renamed or dropped files with exact path fidelity, including trailing spaces. Give particular attention to LaunchAgents and LaunchDaemons because the official description calls them out as a relevant location. Since no ATT&CK tactic, relationship context, or official detection logic is supplied, detection engineering should focus on local baselining and data-quality checks rather than assuming a ready-made analytic.

Likely telemetry

  • macOS process execution events with full executable path and command-line details where available
  • File creation, rename, and modification events preserving exact filename whitespace
  • LaunchAgent and LaunchDaemon plist creation or modification evidence
  • Endpoint security or EDR events that distinguish visually similar filenames
  • Incident response filesystem collection that preserves raw paths and metadata

Detection direction

  • Confirm that log pipelines, SIEM parsing, and case-management displays do not trim or normalize trailing spaces in file paths.
  • Look for execution of files with unusual whitespace at the end of the filename, especially when associated with LaunchAgents or LaunchDaemons.
  • Baseline legitimate macOS software behavior before alerting broadly, as unusual filename patterns may require local context to separate suspicious activity from administrative or packaging artifacts.
  • Test whether analyst search workflows can find and display filenames with trailing spaces; this is a common blind spot for both detection and investigation.
  • Because the official detection field is not provided, treat any rule derived from this object as locally developed logic requiring validation and tuning.
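
A minimal sketch of the checks above, added here as an example; it is not MITRE or Glexia detection logic. The event field names (pid, exe), the sample paths, and the plist are constructed assumptions. It flags executions whose file name ends in whitespace, raises severity when a LaunchAgent or LaunchDaemon job references the file, and includes a canary test for pipeline stages that trim whitespace.

```python
import plistlib

LAUNCH_DIRS = ("/Library/LaunchAgents/", "/Library/LaunchDaemons/")

def trailing_ws(path):
    """True when the final path component ends in whitespace."""
    name = path.rsplit("/", 1)[-1]
    return name != name.rstrip()

def launch_item_programs(plist_bytes):
    """Executable paths named by a launchd job definition."""
    job = plistlib.loads(plist_bytes)
    progs = [job["Program"]] if "Program" in job else []
    return progs + job.get("ProgramArguments", [])[:1]

def triage(exec_events, launch_plists):
    """Events: dicts with 'pid' and 'exe' (assumed names); plists: {path: raw bytes}."""
    referenced = {}
    for plist_path, raw in launch_plists.items():
        for prog in launch_item_programs(raw):
            referenced[prog] = plist_path
    findings = []
    for ev in exec_events:
        exe = ev["exe"]
        if not trailing_ws(exe):
            continue
        linked = exe in referenced or any(d in exe for d in LAUNCH_DIRS)
        findings.append({"pid": ev["pid"],
                         "exe": repr(exe),  # repr keeps the space visible
                         "launch_item": referenced.get(exe),
                         "severity": "high" if linked else "medium"})
    return findings

def preserves_whitespace(stage):
    """Data-quality check: does a pipeline stage keep a trailing space?"""
    canary = "/Users/Shared/canary "
    return stage(canary) == canary

# Constructed sample data, not real telemetry.
SAMPLE_PLISTS = {"/Users/alice/Library/LaunchAgents/com.example.sync.plist":
                 plistlib.dumps({"Label": "com.example.sync",
                                 "ProgramArguments": ["/Users/Shared/sync ", "-q"]})}
SAMPLE_EVENTS = [{"pid": 411, "exe": "/usr/bin/true"},
                 {"pid": 412, "exe": "/Users/Shared/sync "},
                 {"pid": 413, "exe": "/tmp/report.pdf "}]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, SAMPLE_PLISTS))
    print("strip() stage preserves whitespace:", preserves_whitespace(str.strip))
```

Pass each parsing or enrichment function in the log pipeline to preserves_whitespace before relying on triage output; a stage that trims the canary would also hide the paths this analytic depends on.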

Mitigation priorities

  • Prioritize macOS endpoint telemetry quality: exact path capture, file event collection, and preservation of whitespace in downstream logging.
  • Review LaunchAgent and LaunchDaemon monitoring coverage for creation, modification, and execution-linked activity.
  • Harden investigation procedures so IR collections and analyst tooling preserve raw filenames rather than silently normalizing them.
  • Use application control, endpoint policy, or change-control processes where appropriate to reduce unauthorized execution from persistence-related locations.
  • Document visibility and control validation as compliance evidence for macOS endpoint monitoring and incident readiness.

Analyst notes and limits

The supplied object is a detection analytic, not a technique entry. It provides a concise behavior description for macOS and references LaunchAgents or LaunchDaemons, but it does not supply tactics, related ATT&CK techniques, procedures, data components, or detection pseudocode. Local environment testing is required to determine whether this behavior is visible and actionable.

No relationship context, official detection content, attribution, impact statement, or active exploitation claim was supplied. This take is limited to the official description, platform field, and external reference for AN0813.

Official MITRE ATT&CK definition

Analytic 0813

Execution of renamed or dropped files with a trailing space to deceive users or analysts, especially in LaunchAgents or LaunchDaemons.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 51543abca7bf72de...

Imported snapshots across ATT&CK releases (1)

  Release: 19.1
  Bundle imported:
  Object version: 1.0
  Modified:
  Status: Current bundle
  Raw hash: 51543abca7bf…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack AN0813

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.