MITRE ATT&CK® Analytic

AN0833: Analytic 0833

Detects invocation of macOS-native archiving utilities (zip, ditto, hdiutil) or openssl used for encryption. Correlates execution with archive or encrypted file creation (.zip, .dmg, .tar.gz) in user or temporary directories. Identifies anomalous use of archiving commands by Office applications or daemons.

Enterprise | AN0833 | Analytic | Object v1.0

Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because macOS-native tools can be used to package or encrypt data in places where users and applications commonly write files. For leaders, the value is not simply detecting zip, ditto, hdiutil, or openssl activity; it is validating whether the organization can distinguish normal user archiving from unusual archive or encrypted file creation by Office applications, daemons, or activity in user and temporary directories.

Executive priority

Prioritize this as a macOS visibility and incident-readiness check. If the business relies on macOS endpoints, security leaders should confirm that endpoint telemetry can show command execution and resulting archive or encrypted file creation. This supports faster triage, better evidence for investigations, and more defensible control coverage discussions. Because no ATT&CK relationships or tactic mappings are supplied, treat this as a detection validation item rather than proof of a specific threat scenario.

Technical view

For SOC, detection engineering, and IR teams, validate correlation between macOS process execution for zip, ditto, hdiutil, and openssl and creation of archive or encrypted file types such as .zip, .dmg, and .tar.gz in user or temporary directories. Tune for anomalous parent processes, especially Office applications or daemons invoking these utilities. Because the official detection field is not provided, teams should implement and test the concept against local baseline behavior rather than assume a complete analytic exists.

Likely telemetry

  • macOS process execution events including command line, executable name, parent process, user, and working directory
  • File creation events for archive or encrypted file extensions such as .zip, .dmg, and .tar.gz
  • Directory context for user profile paths and temporary directories
  • Parent-child process relationships involving Office applications, daemons, and macOS-native archiving or encryption utilities
  • Timestamp correlation between utility execution and file creation

Detection direction

  • Baseline normal macOS archiving activity by users, IT tools, backup workflows, and software packaging processes before escalating alerts broadly.
  • Prioritize unusual parent processes, especially Office applications or daemons launching zip, ditto, hdiutil, or openssl.
  • Correlate process execution with near-time creation of archive or encrypted files in user or temporary directories.
  • Review false positives from legitimate helpdesk, deployment, development, and administrative workflows that use native macOS utilities.
  • Identify blind spots where endpoint tooling records process starts but not file creation, command line arguments, parent process, or temporary directory activity.
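The correlation the Technical view and Detection direction describe, as an added Python illustration that is not part of the MITRE analytic or Glexia's content: archiving-utility process events are paired with archive file creation by the same process within a short window in a user or temporary directory, then ranked by parent process. The utility names and extensions are the analytic's; the anomalous-parent set, the 30-second window, pid-based pairing and all sample events are constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Utilities and file types named in AN0833.
ARCHIVE_TOOLS = {"zip", "ditto", "hdiutil", "openssl"}
ARCHIVE_EXTS = (".zip", ".dmg", ".tar.gz")
# User profile and macOS temporary directories.
WATCHED_DIRS = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")
# Parents that should not normally spawn these tools (constructed baseline, not from the analytic).
ANOMALOUS_PARENTS = {"Microsoft Word", "Microsoft Excel", "launchd"}

ProcEvent = namedtuple("ProcEvent", "ts pid image cmdline parent")
FileEvent = namedtuple("FileEvent", "ts pid path")

def is_archiving_invocation(ev):
    """zip/ditto/hdiutil count on sight; openssl only with its enc subcommand."""
    if ev.image == "openssl":
        return "enc" in ev.cmdline.split()
    return ev.image in ARCHIVE_TOOLS

def correlate(procs, files, window=timedelta(seconds=30)):
    """Pair each archiving process with archive files it created within
    `window` in a watched directory, ranking by parent process."""
    alerts = []
    for p in procs:
        if not is_archiving_invocation(p):
            continue
        for f in files:
            if f.pid != p.pid or not f.path.startswith(WATCHED_DIRS):
                continue
            if f.path.endswith(ARCHIVE_EXTS) and timedelta(0) <= f.ts - p.ts <= window:
                severity = "high" if p.parent in ANOMALOUS_PARENTS else "low"
                alerts.append({"severity": severity, "tool": p.image,
                               "parent": p.parent, "path": f.path})
    return alerts

# Constructed sample telemetry (not real logs).
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_PROCS = [
    ProcEvent(T0, 501, "zip", "zip -r report.zip Documents", "Terminal"),
    ProcEvent(T0 + timedelta(seconds=5), 502, "hdiutil", "hdiutil create -srcfolder Documents stage.dmg", "launchd"),
    ProcEvent(T0 + timedelta(seconds=9), 503, "openssl", "openssl version", "Microsoft Word"),
    ProcEvent(T0 + timedelta(seconds=12), 504, "zip", "zip -r out.zip .", "Microsoft Excel"),
]
SAMPLE_FILES = [
    FileEvent(T0 + timedelta(seconds=2), 501, "/Users/alice/report.zip"),
    FileEvent(T0 + timedelta(seconds=8), 502, "/private/tmp/stage.dmg"),
    FileEvent(T0 + timedelta(seconds=14), 504, "/Users/alice/Library/out.zip"),
    FileEvent(T0 + timedelta(minutes=5), 504, "/Users/alice/Library/late.zip"),
]
```

Running `correlate(SAMPLE_PROCS, SAMPLE_FILES)` yields one low-severity alert for the Terminal-launched zip and two high-severity alerts for the launchd and Excel parents; the `openssl version` call and the file created five minutes later produce nothing, which is the baseline-versus-window behaviour the bullets above ask teams to tune.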

Mitigation priorities

  • Ensure macOS endpoints are covered by endpoint logging capable of process and file creation visibility.
  • Define acceptable business uses for native archiving and encryption utilities and document expected administrative workflows.
  • Harden and monitor applications or services that should not normally spawn archiving or encryption utilities.
  • Use detection testing to confirm that Office-application or daemon-initiated archive creation is visible to the SOC.
  • Include this evidence path in incident response playbooks for macOS investigations involving suspicious archive or encrypted file creation.

Analyst notes and limits

The supplied object is a detection analytic for macOS. It describes native archiving utilities and openssl, file creation patterns, and anomalous parent-process context. No ATT&CK tactic, technique relationship, group, software, campaign, or mitigation relationship was supplied, so this take focuses on defensive validation and telemetry readiness.

The official detection content is not provided, and there are no relationship objects. Local baselines are required to separate legitimate archiving, administrative activity, and software workflows from suspicious behavior. This summary does not infer active exploitation, attribution, impact, or coverage beyond the supplied ATT&CK fields.

Official MITRE ATT&CK definition

Analytic 0833

Detects invocation of macOS-native archiving utilities (zip, ditto, hdiutil) or openssl used for encryption. Correlates execution with archive or encrypted file creation (.zip, .dmg, .tar.gz) in user or temporary directories. Identifies anomalous use of archiving commands by Office applications or daemons.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: dbbc28e3e6c230d4...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | dbbc28e3e6c2…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.