AN0997: Analytic 0997
Detection of execution of legacy scripting runtimes (e.g., older versions of Python, Bash, or PowerShell Core) lacking auditing. Monitoring for changes to EFI or system boot files indicative of downgrade-based persistence or bypass of integrity features.
Analyst context for executives and security teams
AN0997 highlights a macOS detection concern around legacy scripting runtimes and possible changes to EFI or boot-related files. The business issue is not simply that old interpreters exist; it is that older runtimes may lack the auditing needed for reliable investigation, and boot-file changes can affect trust in system startup and integrity controls. Leaders should treat this as a validation point for endpoint visibility and recovery readiness on macOS fleets.
Executive priority
Prioritize this analytic where macOS systems support privileged users, developers, administrators, or business-critical workflows. The key decision value is whether the organization can prove it would notice risky use of legacy scripting runtimes and suspicious EFI or boot-file changes. This supports resilience planning, incident response readiness, endpoint control investment, and audit evidence around system integrity monitoring.
Technical view
For SOC, detection engineering, and IR teams, validate macOS telemetry for execution of older Python, Bash, or PowerShell Core runtimes, especially where those runtimes provide limited auditing. Also validate monitoring for changes to EFI or system boot files that could indicate downgrade-oriented persistence or bypass of integrity features. Because the official object provides no detailed detection logic, teams should baseline legitimate administrative, OS update, and software installation activity before alerting on changes.
Likely telemetry
- macOS process execution telemetry for scripting runtimes
- Command-line and parent-child process context where available
- Interpreter version or binary path information for Python, Bash, and PowerShell Core
- File integrity or endpoint telemetry covering EFI and system boot file paths
- Endpoint security logs related to system integrity or boot-related changes
Detection direction
- Inventory where legacy scripting runtimes are present on macOS and confirm whether their execution is logged with sufficient detail for investigations.
- Tune detections to distinguish routine administration, development workflows, OS updates, and approved software installs from unexpected legacy runtime execution or boot-file modification.
- Validate coverage for EFI and boot-related file changes, not only user-space process activity.
- Correlate boot-file changes with process ancestry, user context, timestamp, and change-management records where available.
- Document blind spots where older runtimes lack audit detail or where endpoint tools do not monitor protected boot-related locations.
Mitigation priorities
- Reduce or remove unsupported legacy scripting runtimes where business use is not justified.
- Standardize approved runtime versions and maintain patching or upgrade expectations for macOS endpoints.
- Restrict administrative access needed to modify EFI or system boot files.
- Implement or validate file integrity monitoring for boot-related locations on macOS systems.
- Ensure incident response procedures include triage of legacy interpreter execution and boot integrity changes.
Analyst notes and limits
This is a detection analytic, not a technique description. The supplied ATT&CK fields identify macOS as the platform and describe detection themes, but no tactics, relationships, or detailed detection logic are provided. Treat AN0997 as a coverage-validation prompt for macOS endpoint logging and boot integrity monitoring.
The official detection field is not provided, and no relationship context is supplied. This take does not infer adversary use, prevalence, specific ATT&CK techniques, or guaranteed detection outcomes. Local macOS build versions, endpoint tooling, logging depth, and administrative workflows are required to determine practical coverage.
Analytic 0997
Detection of execution of legacy scripting runtimes (e.g., older versions of Python, Bash, or PowerShell Core) lacking auditing. Monitoring for changes to EFI or system boot files indicative of downgrade-based persistence or bypass of integrity features.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | b8254182b468… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0997Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.