AN0874: Analytic 0874
Detection of HTML-based downloads via Safari/Chrome that create obfuscated files (e.g., .zip, .app, .js) in user directories and are followed by suspicious executions from preview or launch services.
Analyst context for executives and security teams
This analytic matters because it focuses on a common business risk pattern on macOS: browser-delivered files landing in user directories and then being executed through normal macOS user-facing services. For leaders, the key question is not whether Safari or Chrome downloads are logged in theory, but whether the organization can connect download creation, suspicious file naming or obfuscation, and follow-on execution quickly enough to support containment and incident response decisions.
Executive priority
Prioritize validation where macOS endpoints are material to business operations, privileged users, developers, or sensitive workflows. This behavior can test whether endpoint telemetry, SOC triage, and IR playbooks can trace a browser download into execution without relying on attribution or malware naming. It is also useful as audit evidence for endpoint monitoring coverage and operational readiness on macOS, especially where user-driven downloads are a known exposure path.
Technical view
For macOS, validate whether security tooling can correlate Safari or Chrome HTML-based downloads that create obfuscated files such as .zip, .app, or .js in user directories with subsequent execution activity involving preview or launch services. Because ATT&CK does not provide a formal detection query for this analytic, teams should treat AN0874 as a detection engineering requirement: confirm the data model, event timing, file path visibility, process lineage, and user context needed to connect file creation to later execution.
Likely telemetry
- macOS endpoint file creation events in user directories
- Browser download activity from Safari and Chrome
- File metadata including extension, path, filename, and quarantine or download-related attributes where available
- Process execution events for downloaded files
- Parent-child process relationships involving browser, preview, and launch services activity
Detection direction
- Validate correlation between browser-originated file creation and later execution rather than alerting only on downloads or only on process starts.
- Tune for suspicious combinations: user-directory downloads, obfuscated or unexpected filenames, risky extensions such as .zip, .app, or .js, and execution through preview or launch services.
- Account for false positives from legitimate software downloads, enterprise installers, developer workflows, and normal document preview behavior.
- Check blind spots in macOS logging, especially whether browser download events, file creation, and launch services execution are all retained and searchable with consistent timestamps.
- Because no ATT&CK relationship context or detection logic is supplied, map local detections to this analytic using observed telemetry rather than assuming coverage from endpoint product claims.
Mitigation priorities
- Ensure macOS endpoint monitoring is deployed and collecting file creation and process execution telemetry for user directories.
- Harden policies around execution of downloaded applications or scripts where business operations allow.
- Review browser download handling and user education controls for high-risk macOS user groups.
- Maintain incident response procedures for tracing downloaded files from origin to execution and scoping affected users or hosts.
- Use this analytic as a validation case in managed detection, SOC tuning, and compliance evidence for macOS endpoint visibility.
Analyst notes and limits
AN0874 is a detection analytic, not a technique description, and the supplied object has no tactics, relationships, aliases, or official detection query. The most defensible use is as a coverage validation prompt for macOS browser-download-to-execution behavior involving Safari or Chrome, user directories, obfuscated downloaded files, and preview or launch services.
The source fields do not provide active exploitation claims, threat actor attribution, impact details, data sources, detection logic, or related ATT&CK techniques. Local telemetry, endpoint configuration, and business context are required to determine actual exposure, detection quality, and response priority.
Analytic 0874
Detection of HTML-based downloads via Safari/Chrome that create obfuscated files (e.g., .zip, .app, .js) in user directories and are followed by suspicious executions from preview or launch services.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 34add8ab11a5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0874Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.