MITRE ATT&CK® Analytic

AN0964: Analytic 0964

User pastes an obfuscated command into Terminal.app/iTerm2 that decodes or downloads code and executes. Detects Terminal/iTerm2 spawning bash/zsh/python with suspicious pipeline/base64 patterns followed by file writes in ~/Library or /tmp and outbound network connections.

Enterprise · AN0964 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is about a common macOS execution pattern: a user pastes an obfuscated command into Terminal.app or iTerm2, which then decodes or downloads code, writes files in user-writable locations such as ~/Library or /tmp, and makes outbound network connections. For leaders, the practical issue is not just “suspicious command line activity,” but whether the organization can prove it has enough macOS endpoint, shell, file, and network visibility to recognize risky pasted-command execution before it becomes an incident-response blind spot.

Executive priority

Prioritize this as a macOS endpoint and SOC readiness question. If macOS systems are in scope for business operations, development, administration, or executive use, security leaders should ask whether monitoring covers Terminal/iTerm2-launched interpreters, suspicious encoded or piped command patterns, file creation in user-writable paths, and related outbound connections. This also supports audit and incident decision-making by showing whether the organization can reconstruct user-initiated command execution on macOS endpoints.

Technical view

Validate coverage for macOS process chains where Terminal.app or iTerm2 spawns bash, zsh, or python with suspicious pipeline or base64-like decoding patterns, followed by writes to ~/Library or /tmp and outbound network activity. Because the official detection text is not provided and no ATT&CK relationships are supplied, teams should treat this as a behavioral validation target rather than a complete rule. Tune around legitimate administrative, developer, and automation activity that may use shells, interpreters, pipes, downloads, or temporary directories.

Likely telemetry

  • macOS process creation events with parent-child relationships
  • Command-line arguments for Terminal.app, iTerm2, bash, zsh, and python
  • File creation or modification events in ~/Library and /tmp
  • Outbound network connection telemetry tied to process identity
  • Endpoint security or EDR events capable of correlating process, file, and network activity on macOS

Detection direction

  • Confirm that Terminal.app and iTerm2 process ancestry is captured, not just the child shell or interpreter.
  • Look for combined behavior: suspicious encoded or piped shell/interpreter commands, file writes in ~/Library or /tmp, and outbound network connections.
  • Correlate process, file, and network events in a short time window to reduce false positives from normal shell usage.
  • Review benign baselines for developers, administrators, and automation workflows that may use bash, zsh, python, pipes, downloads, or temporary file paths.
  • Document gaps where macOS command-line arguments, file writes, or process-attributed network telemetry are unavailable.
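As an added example (not part of the MITRE analytic or of Glexia's page), the correlation the Technical view and Detection direction sections describe, written in Python over constructed process, file and network events: an interpreter with Terminal.app/iTerm2 in its ancestry, a base64/pipe-style command line, a write under ~/Library or /tmp, and an outbound connection, all inside one time window. The event schema, the pattern list, the 60-second window and the sample events are assumptions for illustration.

```python
import re
from collections import defaultdict

TERMINALS = {"Terminal", "iTerm2"}
INTERPRETERS = {"bash", "zsh", "sh", "python", "python3"}
# Command-line traits the analytic names: base64 decoding, output piped into an interpreter, eval.
SUSPICIOUS = re.compile(r"base64\s+(-d|-D|--decode)|\|\s*(bash|zsh|sh|python3?)\b|\beval\b", re.I)
WRITE_PATHS = re.compile(r"^(/Users/[^/]+/Library/|/tmp/|/private/tmp/)")

def _ancestry(pid, procs):  # image names up the parent chain (procs maps pid -> process event)
    names, seen = set(), set()
    while pid in procs and pid not in seen:
        seen.add(pid); names.add(procs[pid]["image"]); pid = procs[pid]["ppid"]
    return names

def detect_pasted_command(events, window_s=60):
    """Alert on Terminal/iTerm2 -> interpreter chains showing all three behaviours inside window_s."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    children = defaultdict(set)
    for p in procs.values():
        children[p["ppid"]].add(p["pid"])
    alerts = []
    for p in procs.values():
        if p["image"] not in INTERPRETERS or not SUSPICIOUS.search(p["cmdline"]):
            continue
        if not TERMINALS & _ancestry(p["ppid"], procs):
            continue  # not launched from Terminal.app/iTerm2, so out of scope for this analytic
        tree, todo = set(), [p["pid"]]  # the interpreter plus everything it spawned (pipeline stages)
        while todo:
            pid = todo.pop()
            if pid not in tree:
                tree.add(pid); todo.extend(children[pid])
        start = p["ts"]
        in_scope = lambda e: e["pid"] in tree and start <= e["ts"] <= start + window_s
        writes = [e["path"] for e in events if e["type"] == "file" and in_scope(e) and WRITE_PATHS.match(e["path"])]
        conns = [e["dest"] for e in events if e["type"] == "network" and in_scope(e)]
        if writes and conns:  # all three behaviours are required before alerting, per the analytic
            alerts.append({"pid": p["pid"], "cmdline": p["cmdline"], "writes": writes, "conns": conns})
    return alerts

# Constructed sample telemetry (not real logs): one Terminal-launched decode pipeline, one benign dev shell.
SAMPLE = [
    {"type": "process", "ts": 0, "pid": 100, "ppid": 1, "image": "Terminal", "cmdline": "Terminal"},
    {"type": "process", "ts": 1, "pid": 101, "ppid": 100, "image": "zsh", "cmdline": "zsh -l"},
    {"type": "process", "ts": 5, "pid": 102, "ppid": 101, "image": "bash", "cmdline": "bash -c 'echo aGVsbG8= | base64 -D | sh'"},
    {"type": "process", "ts": 5, "pid": 103, "ppid": 102, "image": "sh", "cmdline": "sh"},
    {"type": "file", "ts": 7, "pid": 103, "path": "/Users/alice/Library/Caches/update.sh"},
    {"type": "network", "ts": 8, "pid": 103, "dest": "203.0.113.10:443"},
    {"type": "process", "ts": 30, "pid": 200, "ppid": 101, "image": "python3", "cmdline": "python3 manage.py test"},
]
```

Running `detect_pasted_command(SAMPLE)` returns one alert for pid 102 and nothing for the benign python3 run; shrinking the window or removing the Terminal ancestor suppresses the alert, which is the tuning behaviour the bullets above ask teams to validate.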

Mitigation priorities

  • Ensure managed macOS endpoints have telemetry collection capable of process, command-line, file, and network correlation.
  • Limit unnecessary use of unmanaged terminal or interpreter workflows where policy allows, especially on high-risk or sensitive systems.
  • Apply least-privilege and endpoint hardening controls so user-initiated scripts have reduced ability to persist or modify sensitive locations.
  • Use user awareness and response playbooks for suspicious pasted-command scenarios without relying on awareness as the primary control.
  • Feed confirmed detection gaps into macOS endpoint monitoring, incident response, and compliance evidence plans.

Analyst notes and limits

AN0964 is a detection analytic for macOS focused on Terminal.app/iTerm2 launching bash, zsh, or python with suspicious obfuscation, decoding, pipeline, file-write, and outbound-network behavior. No tactics, relationships, aliases, or official detection logic were supplied, so this take emphasizes validation of telemetry and correlation rather than a specific ATT&CK technique mapping.

The supplied ATT&CK object does not include official detection logic, tactic mapping, related techniques, procedures, mitigations, or adversary relationships. Local environment baselines are required to distinguish suspicious pasted-command behavior from legitimate administrative or development activity.

Official MITRE ATT&CK definition

Analytic 0964

User pastes an obfuscated command into Terminal.app/iTerm2 that decodes or downloads code and executes. Detects Terminal/iTerm2 spawning bash/zsh/python with suspicious pipeline/base64 patterns followed by file writes in ~/Library or /tmp and outbound network connections.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
28b786d56d14b085...
Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 28b786d56d14…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0964

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.