Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0864: Analytic 0864

A tampered app/pkg/notarized update is installed via installer, softwareupdated, Homebrew, or vendor updater; new Mach-O or bundle contents appear in /Applications, /Library, /usr/local or /opt/homebrew; first run spawns sh/zsh/osascript/curl and makes egress to unfamiliar domains; AMFI/Gatekeeper may log signature/notarization problems.

EnterpriseAN0864AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because a compromised or tampered macOS application update can turn normal software maintenance into an initial execution path. For leaders, the key issue is not just malware detection; it is whether the organization can prove that macOS software changes, first-run behavior, code-signing problems, and unexpected network egress are visible and reviewable.

Executive priority

Prioritize this where macOS endpoints support privileged users, developers, administrators, or regulated workflows. The business decision is whether endpoint monitoring, software inventory, update governance, and incident response evidence are strong enough to distinguish legitimate app updates from suspicious new Mach-O files or bundles that immediately launch shells, AppleScript, curl, or unfamiliar outbound connections.

Technical view

Validate macOS coverage for software installation and update paths involving installer, softwareupdated, Homebrew, and vendor updaters. Focus on new or modified Mach-O binaries and bundle contents in /Applications, /Library, /usr/local, and /opt/homebrew, then correlate first-run process trees with sh, zsh, osascript, or curl execution and outbound connections to unfamiliar domains. Review AMFI and Gatekeeper logging for signature or notarization problems. No ATT&CK tactics or separate official detection logic were supplied, so local analytic design must be based on the object description and environment baselines.

Likely telemetry

  • macOS endpoint process creation events, including parent-child relationships
  • File creation and modification events for /Applications, /Library, /usr/local, and /opt/homebrew
  • Software installation and update activity from installer, softwareupdated, Homebrew, and vendor updaters
  • Code-signing, notarization, AMFI, and Gatekeeper logs or alerts
  • Network connection and DNS telemetry for first-run application egress

Detection direction

  • Correlate new application or package content with first execution behavior rather than alerting on installation alone.
  • Baseline legitimate updater behavior for Homebrew, vendor updaters, and Apple software updates to reduce false positives.
  • Flag first-run spawning of sh, zsh, osascript, or curl when paired with newly installed app or bundle content.
  • Review unfamiliar outbound domains from newly installed or recently updated applications.
  • Check whether AMFI/Gatekeeper signature or notarization issues are collected centrally; these are common blind spots on macOS.

Mitigation priorities

  • Strengthen macOS software governance for approved installation sources, update mechanisms, and administrative permissions.
  • Centralize macOS endpoint, Gatekeeper, AMFI, software update, and network telemetry needed to investigate suspicious app updates.
  • Maintain software inventory and change records so SOC and IR teams can compare observed installs against expected business activity.
  • Use code-signing and notarization validation as an investigation input, while recognizing that the supplied object describes tampered app/pkg/notarized update scenarios and does not provide a complete prevention control.
  • Prepare IR procedures for isolating affected macOS hosts, preserving installer/update artifacts, and reviewing first-run process and egress evidence.
Analyst notes and limits

This is a detection analytic object for macOS, external ID AN0864, associated with MITRE detection strategy URL https://attack.mitre.org/detectionstrategies/DET0309#AN0864. There are no supplied relationships, aliases, labels, or tactics, and the official detection field is not provided. The take therefore emphasizes validation of telemetry and correlation logic directly supported by the description.

The supplied ATT&CK data does not identify associated techniques, adversaries, campaigns, impact, active exploitation, or guaranteed detection methods. Environment-specific baselines are required to distinguish legitimate software updates from suspicious behavior.

Official MITRE ATT&CK definition

Analytic 0864

A tampered app/pkg/notarized update is installed via installer, softwareupdated, Homebrew, or vendor updater; new Mach-O or bundle contents appear in /Applications, /Library, /usr/local or /opt/homebrew; first run spawns sh/zsh/osascript/curl and makes egress to unfamiliar domains; AMFI/Gatekeeper may log signature/notarization problems.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
dead259583d0b29f...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle dead259583d0…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0864
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use