AN1066: Analytic 1066
Monitors use of archive or encryption tools (zip, openssl) tied to user-scripted activity or binaries writing encoded payloads under /Users or /Volumes.
Analyst context for executives and security teams
This analytic is about watching macOS systems for archive or encryption utilities, such as zip or openssl, being used in ways that suggest user-scripted activity or binaries creating encoded payloads under /Users or /Volumes. For leaders, the value is not the tools themselves—these can be legitimate—but whether the organization can distinguish normal user compression/encryption from activity that may precede data movement, staging, or concealment on endpoints.
Executive priority
Prioritize this as a macOS endpoint visibility and investigation-readiness question. Security leaders should ask whether SOC teams can see command execution, script-driven activity, file writes, and payload creation in user and mounted-volume paths. Because no tactic or relationship context is supplied, this should not be treated as proof of a specific adversary behavior by itself; it is a coverage validation point for macOS monitoring, managed detection tuning, and incident response evidence collection.
Technical view
For SOC and detection engineering, validate monitoring around macOS executions of archive/encryption tools including zip and openssl, especially when tied to user-scripted processes or binaries writing encoded payloads beneath /Users or /Volumes. Since ATT&CK does not provide a detection implementation here, teams should define local baselines for legitimate compression, encryption, developer, backup, and administrative workflows, then tune for unusual parent processes, scripted execution, suspicious output paths, and unexpected encoded artifacts.
Likely telemetry
- macOS process execution events for archive and encryption utilities such as zip and openssl
- Command-line arguments where available
- Parent-child process relationships showing user-scripted activity or binary-driven execution
- File creation and modification events under /Users and /Volumes
- Evidence of encoded or archived payload files written by binaries
Detection direction
- Confirm that macOS endpoint telemetry captures process name, command line, parent process, executing user, and file-write destination.
- Baseline legitimate zip and openssl usage by developers, administrators, backup tools, installers, and user productivity workflows to reduce false positives.
- Prioritize review of scripted or binary-driven executions that write encoded or archive-like payloads under /Users or /Volumes.
- Tune detections around unusual parent processes, unexpected working directories, uncommon users, and suspicious output locations rather than alerting on tool use alone.
- Document blind spots where command-line logging, file-write telemetry, or mounted-volume visibility is incomplete.
Mitigation priorities
- Improve macOS endpoint monitoring before relying on this analytic for operational detection.
- Restrict or review unnecessary script execution and administrative tooling where business workflows allow.
- Apply least-privilege practices so routine users and processes cannot broadly write or stage files in sensitive locations without oversight.
- Use incident response playbooks to triage suspicious archive/encryption activity with user context, file artifacts, and parent-process lineage.
- Maintain audit evidence showing which macOS telemetry sources support process and file activity investigations.
Analyst notes and limits
The supplied object is a detection analytic for macOS only. It identifies a monitoring concept but does not include tactics, ATT&CK technique relationships, a formal detection query, data component mappings, or mitigation relationships. Treat it as a starting point for coverage engineering and triage design, not as a complete detection rule.
No official detection logic, tactic mapping, relationship context, or adversary association was supplied. Conclusions require local environment baselines and telemetry validation. The presence of zip or openssl alone is not suspicious without context.
Analytic 1066
Monitors use of archive or encryption tools (zip, openssl) tied to user-scripted activity or binaries writing encoded payloads under /Users or /Volumes.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 36b21e281eae… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1066Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.