Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0820: Analytic 0820

User opens a downloaded document/installer leading to EndpointSecurity file create in ~/Downloads or ~/Library paths then an exec of a suspicious utility (osascript, bash/zsh, curl, chmod, open with -a Terminal). Correlates File Creation with subsequent process exec and, optionally, quarantine/LSQuarantine events.

EnterpriseAN0820AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because it focuses on a common decision point in macOS defense: a user opens something downloaded, and that file activity is quickly followed by execution of utilities often used to launch scripts, change permissions, fetch content, or open Terminal. For leaders, the value is not in the individual file create event, but in validating whether the organization can connect user-driven downloads to suspicious follow-on execution on macOS endpoints.

Executive priority

Prioritize this as a macOS endpoint visibility and response-readiness check. Security leaders should ask whether managed detection, SOC triage, and incident response teams can reliably see EndpointSecurity file creation in user download/library paths, correlate it with nearby process execution, and preserve enough context to distinguish legitimate software installation from suspicious post-download behavior. This supports operational resilience and audit evidence by showing whether macOS endpoint activity is observable beyond simple malware alerts.

Technical view

For SOC and detection teams, validate collection and correlation for macOS EndpointSecurity file creation events in ~/Downloads and ~/Library paths followed by process execution of utilities named in the analytic: osascript, bash, zsh, curl, chmod, or open with -a Terminal. Where available, include quarantine or LSQuarantine context to help identify downloaded content. Because no ATT&CK tactic or relationship context is supplied, treat this as a detection analytic focused on suspicious macOS post-download execution rather than a complete attack-chain determination.

Likely telemetry

  • macOS EndpointSecurity file creation events
  • File path telemetry for ~/Downloads and ~/Library locations
  • Process execution telemetry including command line and parent/child process context
  • Execution of osascript, bash, zsh, curl, chmod, and open with -a Terminal
  • Optional quarantine or LSQuarantine event data

Detection direction

  • Validate time-window correlation between file creation in user download/library paths and subsequent execution of the specified utilities.
  • Tune for legitimate installers, developer workflows, administrative scripts, and software update activity that may also use shell utilities or chmod.
  • Confirm command-line visibility is sufficient to identify open with -a Terminal and to distinguish benign utility use from suspicious follow-on execution.
  • Use quarantine or LSQuarantine data when present to strengthen confidence that the file originated from a download workflow.
  • Do not treat a single utility execution as conclusive; preserve surrounding file, process, user, and path context for triage.

Mitigation priorities

  • Ensure macOS endpoint telemetry collection includes EndpointSecurity file creation and process execution events.
  • Standardize retention and correlation of file, process, user, and quarantine-related fields for incident response.
  • Review policies and user guidance around downloaded documents and installers, especially where execution of scripts or terminal-launched utilities is allowed.
  • Harden macOS endpoint controls and application execution governance where business workflows permit, without assuming this analytic alone defines malicious activity.
  • Document detection logic, tuning decisions, and response procedures as compliance and readiness evidence.
Analyst notes and limits

The supplied object is a detection analytic, AN0820, for enterprise ATT&CK on macOS. Its practical value is strongest as a validation pattern for post-download execution visibility. There are no supplied relationships, aliases, labels, or tactic mappings, so analysis should remain scoped to the described file-create-to-process-exec correlation.

Official detection content is not provided, and no relationship context is supplied. This take cannot assert specific adversary use, active exploitation, impact, or guaranteed detection. Local macOS telemetry quality, command-line logging, quarantine data availability, and normal software installation patterns are required to determine fidelity.

Official MITRE ATT&CK definition

Analytic 0820

User opens a downloaded document/installer leading to EndpointSecurity file create in ~/Downloads or ~/Library paths then an exec of a suspicious utility (osascript, bash/zsh, curl, chmod, open with -a Terminal). Correlates File Creation with subsequent process exec and, optionally, quarantine/LSQuarantine events.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
8b921dc05cb117cf...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 8b921dc05cb1…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0820
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use