MITRE ATT&CK® Analytic

AN1042: Analytic 1042

Execution of file or directory discovery commands (e.g., 'ls', 'find') from terminal or script-based tooling, especially outside normal user workflows.

Enterprise · AN1042 · Analytic · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is about spotting macOS terminal or script-driven file and directory discovery, such as execution of commands like “ls” or “find”, especially when it happens outside normal user workflows. For leaders, the value is not that these commands are inherently malicious; it is that unusual discovery activity can be an early sign that a user account, endpoint, or script context is being used to understand local files before follow-on action.

Executive priority

Prioritize this as a macOS endpoint visibility and response-readiness question: can the organization distinguish routine administrator or user file browsing from abnormal command-line discovery? This matters for SOC triage quality, incident scoping, and audit evidence around endpoint monitoring. Because the object provides no mitigations, relationships, or threat context, it should inform control validation rather than be treated as proof of a specific campaign or impact scenario.

Technical view

Validate whether macOS telemetry captures terminal and script-based execution of file and directory discovery commands, including command line, process lineage, user, host, working directory, and timing. Detection should focus on context: execution outside expected user workflows, unusual parent processes, automation contexts, abnormal frequency, or activity by accounts that do not normally perform terminal-based discovery. Since no official detection logic is provided, teams should build and tune analytics locally against known administrative, developer, and support workflows.

Likely telemetry

  • macOS process creation events
  • Command-line arguments for terminal or script-driven commands
  • Parent and child process relationships
  • User and host identity context
  • Working directory or target path context where available

Detection direction

  • Confirm command-line telemetry is collected for macOS endpoints; without arguments, commands such as “ls” and “find” may have limited investigative value.
  • Tune for abnormal context rather than command presence alone, because file and directory listing is common legitimate behavior.
  • Baseline expected terminal usage for administrators, developers, support staff, and automated scripts to reduce false positives.
  • Correlate discovery events with surrounding process activity and user context to support triage.
  • Review blind spots around unmanaged macOS systems, privacy-restricted endpoint logging, incomplete process lineage, and script execution that is not centrally logged.
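The Technical view and the Detection direction points above describe a context-first approach: command-line telemetry, a local baseline of who runs terminal discovery and from which parent processes, and a frequency check. The following Python is an added example that puts those points into one scoring routine; it is not part of the ATT&CK object or of Glexia's analysis. The event schema (ts, host, user, parent_image, image, cmdline, cwd), the baseline sets, the burst window and limit, and the sample events are all constructed for illustration and would be replaced by the fields your macOS EDR actually emits and by baselines derived from your own history.

```python
"""Context-aware scoring of macOS 'ls' / 'find' executions.

Added example, not part of the ATT&CK object or of Glexia's analysis. The
event schema, the baseline sets, the burst thresholds and the sample events
are all constructed for illustration; replace them with what your EDR emits
and what your own environment's history shows.
"""
from collections import Counter
from datetime import datetime, timedelta

# Binaries named by the analytic. Matching is on the image basename so that
# '/bin/ls' and '/usr/bin/find' both match regardless of install path.
DISCOVERY_CMDS = {"ls", "find"}

# Constructed local baseline: accounts that routinely run terminal discovery,
# and parent images that indicate an interactive shell or terminal session.
BASELINE_TERMINAL_USERS = {"alice.admin", "bob.dev"}
INTERACTIVE_PARENTS = {"bash", "zsh", "sh", "Terminal", "iTerm2", "login"}

# Constructed frequency threshold: more than BURST_LIMIT discovery commands by
# one user on one host inside BURST_WINDOW is treated as abnormal frequency.
BURST_WINDOW = timedelta(seconds=60)
BURST_LIMIT = 5


def _basename(path: str) -> str:
    """Return the final path component ('/bin/ls' -> 'ls')."""
    return path.rsplit("/", 1)[-1]


def is_discovery(event: dict) -> bool:
    """True when the launched image is one of the discovery binaries."""
    return _basename(event["image"]) in DISCOVERY_CMDS


def score_events(events, baseline_users=BASELINE_TERMINAL_USERS,
                 interactive_parents=INTERACTIVE_PARENTS,
                 window=BURST_WINDOW, limit=BURST_LIMIT):
    """Return [(event, [reasons])] for discovery commands with abnormal context.

    Command presence alone never produces a finding; an event is reported only
    when at least one contextual reason applies (non-interactive parent,
    account outside the baseline, or a burst of discovery commands).
    """
    discovery = sorted((e for e in events if is_discovery(e)),
                       key=lambda e: e["ts"])
    recent = {}  # (host, user) -> timestamps inside the current window
    findings = []
    for e in discovery:
        reasons = []
        if _basename(e["parent_image"]) not in interactive_parents:
            reasons.append("non_interactive_parent")
        if e["user"] not in baseline_users:
            reasons.append("unbaselined_user")
        key = (e["host"], e["user"])
        times = [t for t in recent.get(key, []) if e["ts"] - t <= window]
        times.append(e["ts"])
        recent[key] = times
        if len(times) > limit:
            reasons.append("burst")
        if reasons:
            findings.append((e, reasons))
    return findings


def summarize(findings) -> Counter:
    """Count how often each reason fired; useful feedback while tuning."""
    return Counter(r for _, reasons in findings for r in reasons)


def _ev(ts, user, parent, image, cmdline, host="mac-01", cwd="/Users/Shared"):
    """Build one constructed process-creation event (hypothetical schema)."""
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "parent_image": parent, "image": image, "cmdline": cmdline,
            "cwd": cwd}


# Constructed sample telemetry: two routine interactive commands, one
# non-discovery command, one discovery command from an unbaselined service
# account, one launched from a script interpreter, and a 7-command burst from
# an automation parent under an account with no terminal history.
SAMPLE_EVENTS = [
    _ev("2026-03-02T09:00:00", "alice.admin", "/bin/zsh", "/bin/ls", "ls -la"),
    _ev("2026-03-02T09:00:05", "bob.dev", "/bin/bash", "/usr/bin/find",
        "find . -name '*.py'"),
    _ev("2026-03-02T09:00:10", "bob.dev", "/bin/bash", "/usr/bin/git",
        "git status"),
    _ev("2026-03-02T09:01:00", "svc_backup", "/bin/zsh", "/bin/ls",
        "ls /Volumes"),
    _ev("2026-03-02T09:02:00", "alice.admin", "/usr/bin/python3",
        "/usr/bin/find", "find /Users -type f -mtime -1"),
] + [
    _ev(f"2026-03-02T09:05:{i:02d}", "helpdesk", "/usr/bin/osascript",
        "/bin/ls", f"ls /Users/u{i}")
    for i in range(0, 35, 5)  # seven commands within 30 seconds
]


if __name__ == "__main__":
    for event, reasons in score_events(SAMPLE_EVENTS):
        print(event["ts"].time(), event["user"], event["cmdline"], reasons)
    print(summarize(score_events(SAMPLE_EVENTS)))
```

On the constructed sample, the two interactive commands by baselined users produce nothing, the `git status` event is ignored because it is not a discovery binary, and the remaining nine discovery events are reported with the reasons that applied; only the sixth and seventh commands of the osascript burst cross the frequency limit. The `summarize` counts are the kind of feedback used to decide which reason is too noisy for a given environment and needs a tighter baseline.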

Mitigation priorities

  • Ensure macOS endpoints that matter to business operations are covered by endpoint logging and monitored by the SOC.
  • Define expected administrative and developer command-line workflows so detection engineering has a defensible baseline.
  • Use least-privilege and account hygiene practices to limit what a compromised user or script context can enumerate.
  • Prepare incident response playbooks that treat unusual discovery as a scoping signal rather than standalone proof of compromise.
  • Maintain compliance-ready evidence showing which macOS assets produce process and command-line telemetry.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for macOS file or directory discovery command execution. It includes a description but no official detection logic, tactics, relationships, mitigations, or associated techniques in the provided context. The practical value is therefore in validating telemetry and tuning strategy, not in asserting specific adversary behavior.

This take is constrained to the supplied STIX fields and external reference. No active exploitation, attribution, impact, relationship-driven context, or guaranteed detection coverage is implied. Local environment baselines are required to decide what is abnormal.

Official MITRE ATT&CK definition

Analytic 1042

Execution of file or directory discovery commands (e.g., 'ls', 'find') from terminal or script-based tooling, especially outside normal user workflows.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: beee5a17c949c129...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   beee5a17c949…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1042 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.