AN1050: Analytic 1050
Execution of AppleScript, bash, or launchd jobs that invoke delay functions (e.g., sleep, delay in AppleScript) with limited parent interaction and staged follow-on commands.
Analyst context for executives and security teams
This analytic is about spotting macOS script or job execution that intentionally waits before continuing, such as AppleScript, bash, or launchd activity using delay or sleep behavior followed by staged commands. For leaders, the value is not the delay itself; it is that delayed execution can reduce SOC visibility, evade simple time-window detections, and complicate incident timelines on macOS endpoints.
Executive priority
Prioritize this as a macOS endpoint visibility and incident-readiness question. Security leaders should ask whether the organization can reconstruct script execution, launchd job behavior, parent-child process context, and follow-on commands over enough time to catch delayed activity. This is especially relevant where macOS systems support privileged users, developers, executives, or regulated workflows and where audit evidence depends on endpoint logging completeness.
Technical view
For SOC and detection teams, validate whether macOS telemetry can show AppleScript, shell, and launchd execution patterns where delay functions such as sleep or AppleScript delay are followed by later command execution. Because no ATT&CK tactic or official detection logic is supplied, treat this as a behavioral analytic requiring local baselining: identify normal administrative scripts, software management jobs, and scheduled workflows before alerting on limited parent interaction plus staged follow-on commands.
Likely telemetry
- macOS process creation events with command-line arguments
- Parent-child process relationships for AppleScript, bash, and launchd-related execution
- launchd job creation, loading, or execution records where available
- Script execution logs or endpoint detection telemetry showing sleep or delay usage
- Time-correlated follow-on command execution after a delay
Detection direction
- Confirm that endpoint telemetry preserves command lines, process ancestry, and timestamps long enough to connect delayed execution with later actions.
- Baseline legitimate macOS administration, software update, device management, and developer automation that may use sleep or delay functions.
- Tune for combinations rather than single indicators: delay function usage, limited parent interaction, and staged follow-on commands are more meaningful together than sleep usage alone.
- Review blind spots around AppleScript visibility, launchd job telemetry, short-lived shell processes, and EDR retention windows.
- Use analyst review for false positives because delay functions are common in benign automation.
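As an added example (not MITRE's or Glexia's detection logic), the following Python shows the "combinations rather than single indicators" idea run over constructed macOS process-creation events: it alerts only when a declared `sleep`/`delay`, a non-interactive parent, and a child process created after the declared delay all co-occur. The set of parent images treated as "limited parent interaction" and the event field names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Assumption: these parent images mean the script was started by a job
# scheduler rather than by a user session ("limited parent interaction").
NON_INTERACTIVE_PARENTS = {"launchd", "cron"}
# Matches a shell sleep or an AppleScript delay and captures the declared seconds.
DELAY_RE = re.compile(r"\b(?:sleep|delay)\s+(\d+)\b")

# Constructed process-creation events (not real telemetry):
# ts = seconds since capture start, cmdline as captured by the EDR.
EVENTS = [
    {"ts": 0,   "pid": 410, "ppid": 1,   "parent": "launchd",  "image": "bash",
     "cmdline": "bash -c 'sleep 120; /Users/Shared/run.sh'"},
    {"ts": 121, "pid": 415, "ppid": 410, "parent": "bash",     "image": "bash",
     "cmdline": "/bin/bash /Users/Shared/run.sh"},
    {"ts": 10,  "pid": 520, "ppid": 300, "parent": "Terminal", "image": "bash",
     "cmdline": "bash -c 'sleep 5; brew update'"},          # interactive parent
    {"ts": 16,  "pid": 521, "ppid": 520, "parent": "bash",     "image": "brew",
     "cmdline": "brew update"},
    {"ts": 30,  "pid": 600, "ppid": 1,   "parent": "launchd",  "image": "osascript",
     "cmdline": "osascript -e 'delay 30' -e 'display notification \"backup done\"'"},
    {"ts": 40,  "pid": 700, "ppid": 1,   "parent": "launchd",  "image": "softwareupdate",
     "cmdline": "softwareupdate -l"},                       # no delay at all
]

def detect_staged_delay(events):
    """Alert only when all three conditions co-occur for one process:
    a declared delay, a non-interactive parent, and at least one child
    process created once the declared delay has elapsed."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    alerts = []
    for e in events:
        m = DELAY_RE.search(e["cmdline"])
        if not m or e["parent"] not in NON_INTERACTIVE_PARENTS:
            continue
        declared = int(m.group(1))
        follow_on = [c["pid"] for c in children[e["pid"]]
                     if c["ts"] - e["ts"] >= declared]
        if follow_on:
            alerts.append({"pid": e["pid"], "parent": e["parent"],
                           "declared_delay_s": declared, "follow_on_pids": follow_on})
    return alerts

if __name__ == "__main__":
    for alert in detect_staged_delay(EVENTS):
        print(alert)
```

Only the launchd-spawned bash with a 120-second sleep and a later child is flagged; the Terminal-launched sleep and the osascript delay with no follow-on are left alone, which is the baselining behaviour the list above asks for.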
Mitigation priorities
- Improve macOS endpoint logging and retention before relying on this analytic for operational coverage.
- Standardize approved administrative scripting and launchd usage so unusual parentage or staged behavior is easier to identify.
- Apply least privilege and controlled administrative access on macOS systems to reduce the risk from unauthorized script or job execution.
- Ensure incident response playbooks include macOS process-tree reconstruction and timeline analysis for delayed execution patterns.
- Where applicable, use endpoint hardening and application/script control policies, but validate them against business-approved automation to avoid disruption.
Analyst notes and limits
This is a detection analytic object, not a full ATT&CK technique entry. The supplied object is limited to macOS and describes AppleScript, bash, or launchd jobs invoking delay functions with limited parent interaction and staged follow-on commands. No relationships, tactics, mitigations, or official detection query are supplied, so implementation should be driven by local telemetry quality and environment-specific baselines.
No official detection logic, tactic mapping, relationship context, attribution, or exploitation evidence was supplied. This take does not assert that the behavior is malicious by itself or that any organization has coverage. Local macOS logging, EDR capability, command-line capture, and retention determine whether the analytic is practical.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 78c348f499d7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1050 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.