AN0938: Analytic 0938
Correlation of package install event with execution of postinstall scripts containing unknown binaries or abnormal CLI usage. Look for `/usr/sbin/installer` execution followed by child processes originating from postinstall script.
Analyst context for executives and security teams
This analytic matters because macOS installer packages can run postinstall scripts, and those scripts may launch binaries or command-line activity that is unusual for a normal software install. For leaders, the decision value is whether endpoint logging and SOC processes can distinguish routine package deployment from installer-driven execution that may require investigation.
Executive priority
Prioritize validation where macOS systems are material to business operations, privileged user workflows, or regulated endpoints. The key business question is whether the organization can produce evidence of package installation activity, child process execution from postinstall scripts, and abnormal command-line behavior during an incident or audit. This supports incident triage, endpoint control assurance, and compliance evidence around software installation monitoring.
Technical view
For SOC and detection teams, validate telemetry around `/usr/sbin/installer` on macOS and correlate installer execution with child processes that originate from postinstall scripts. Focus on cases where the script launches unknown binaries or uses command-line patterns that are abnormal for approved software deployment. Because no ATT&CK tactic or formal detection logic is supplied, local baselining of legitimate package management behavior is required before alert severity can be tuned reliably.
Likely telemetry
- macOS process creation events
- Command-line arguments for `/usr/sbin/installer` and descendant processes
- Parent-child process relationships involving installer and postinstall script activity
- Package installation events
- Script execution telemetry tied to postinstall actions
Detection direction
- Confirm that endpoint telemetry captures process lineage from `/usr/sbin/installer` through postinstall script-spawned child processes.
- Baseline approved macOS software deployment tools and expected postinstall script behavior to reduce false positives.
- Flag postinstall activity that launches unknown binaries, unusual paths, or abnormal CLI usage relative to known installer packages.
- Review whether detections preserve enough context for IR: package name, installer command line, child process tree, binary location, user context, and timestamps.
- Account for blind spots where macOS process command lines, script contents, or package install events are not centrally collected.
Mitigation priorities
- Establish or validate an approved software installation process for macOS endpoints.
- Ensure endpoint monitoring records package installation events and descendant process execution.
- Use application control, software allowlisting, or managed deployment controls where appropriate to reduce unapproved installer execution.
- Document normal installer and postinstall behavior for business-critical macOS applications to support faster SOC triage.
- Include macOS installer telemetry in incident response evidence requirements and compliance control testing.
Analyst notes and limits
The supplied object is a detection analytic for macOS focused on correlating package install events with postinstall script execution and suspicious child processes. No ATT&CK tactics, relationships, aliases, labels, or separate official detection content were supplied, so this take emphasizes validation and operational readiness rather than adversary attribution or impact claims.
This assessment is limited to the official STIX fields and external reference provided. It does not establish active exploitation, threat actor usage, business impact, or guaranteed detection coverage. Organizations must validate relevance against their own macOS fleet, software deployment methods, endpoint telemetry, and approved installer behavior.
Analytic 0938
Correlation of package install event with execution of postinstall scripts containing unknown binaries or abnormal CLI usage. Look for `/usr/sbin/installer` execution followed by child processes originating from postinstall script.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 8f6d7858348d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0938Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.