AN1072: Analytic 1072
Adversary use of bash/zsh or AppleScript to locate files and exfil targets like user keychains or documents.
Analyst context for executives and security teams
This analytic points to a macOS-focused behavior where an adversary uses shell scripting through bash/zsh or AppleScript to find files that may be valuable for theft, such as user keychains or documents. For leaders, the significance is not the script interpreter itself, but whether the organization can see scripted discovery of sensitive local data before it becomes confirmed exfiltration risk.
Executive priority
Prioritize this as a macOS endpoint visibility and data-risk validation item. Security leaders should ask whether managed detection, incident response, and compliance evidence can show when local scripts enumerate sensitive user files, especially keychains and document locations. Because ATT&CK provides no detection logic or related techniques here, this should be treated as a control-coverage question rather than proof of a specific campaign or guaranteed detection outcome.
Technical view
Validate that macOS telemetry captures command execution and script activity involving bash, zsh, and AppleScript, especially when used to locate user keychains or document repositories. SOC and IR teams should focus on whether endpoint logging can tie together the script interpreter, its command arguments or script content (where collected), the file-system enumeration it performs, and any access to sensitive user paths. Since no tactic or detection text is supplied, detection engineering should avoid overfitting to a single command pattern and instead test coverage around interpreter-driven file discovery behavior on macOS.
Likely telemetry
- macOS process execution events for bash, zsh, and AppleScript-related execution
- Command-line arguments or script content where collected and legally/operationally appropriate
- File-system access or enumeration events involving user document locations
- Access attempts involving user keychain-related files or paths
- Endpoint detection and response alerts or audit logs correlated to scripted local discovery
Detection direction
- Confirm whether macOS endpoints actually log interpreter execution with enough detail to distinguish routine administration from suspicious discovery of user data.
- Tune for context: bash, zsh, and AppleScript are legitimate on macOS, so detections should consider unusual parent processes, unexpected users, sensitive file targets, and broad enumeration patterns.
- Validate coverage against keychain and document discovery behaviors without assuming that one command, file path, or script language is exhaustive.
- Review blind spots such as endpoints without EDR, limited command-line capture, privacy-restricted file telemetry, or AppleScript activity not normalized into SOC data.
- Because no ATT&CK relationships or official detection logic are supplied, use local baselines and incident history to decide thresholds and alert severity.
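The detection direction above (interpreter plus sensitive target plus enumeration plus unusual parent, with local thresholds) can be exercised against sample events. The following is an added example written for this page, not detection logic from ATT&CK or from Glexia: it assumes process-execution events have already been normalized into user, parent process, executable name and command line, it treats osascript as the command-line runner for AppleScript, and the expected-parent baseline, path patterns and alert threshold are constructed placeholders that a real deployment would replace with its own fleet baseline.

```python
"""Score normalized macOS process events for interpreter-driven discovery
of sensitive user files (keychains, documents). Added example; the event
schema, baselines and thresholds are assumptions, not page-supplied values."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Shell interpreters named on the page plus osascript, the AppleScript runner.
INTERPRETERS = {"bash", "zsh", "sh", "osascript"}

# Constructed baseline of parents that routinely spawn shells for admins.
# A real fleet baseline (see the page's advice on local baselines) replaces this.
EXPECTED_PARENTS = {"Terminal", "iTerm2", "sshd", "launchd"}

# Sensitive targets: keychain stores and common user document locations,
# in both POSIX-path form and AppleScript's `folder "Documents"` form.
KEYCHAIN_RE = re.compile(r"Library/Keychains|\.keychain(?:-db)?\b", re.I)
DOCS_RE = re.compile(
    r'(?:/Users/[^/\s]+|~|\$HOME)/(?:Documents|Desktop|Downloads)\b'
    r'|folder\s+"(?:Documents|Desktop|Downloads)"', re.I)
# Enumeration verbs in shell, and the AppleScript idiom for listing a folder.
ENUM_RE = re.compile(r"\b(?:find|ls|mdfind|locate|du)\b|\bevery file of\b", re.I)


@dataclass
class ProcEvent:
    ts: str       # timestamp as delivered by the telemetry source
    user: str     # account the process ran as
    parent: str   # parent process name
    image: str    # executable basename
    cmdline: str  # full command line or inline script text


def indicators(ev: ProcEvent) -> set:
    """Return the discovery indicators present in a single event.

    Non-interpreter processes yield an empty set so they never alert here."""
    if ev.image not in INTERPRETERS:
        return set()
    found = set()
    if KEYCHAIN_RE.search(ev.cmdline):
        found.add("keychain_target")
    if DOCS_RE.search(ev.cmdline):
        found.add("document_target")
    if ENUM_RE.search(ev.cmdline):
        found.add("enumeration")
    if ev.parent not in EXPECTED_PARENTS:
        found.add("unusual_parent")
    return found


def evaluate(ev: ProcEvent, min_indicators: int = 3):
    """Decide whether one event is worth an alert.

    Routine admin use (shell from Terminal listing ~/Documents) scores two
    indicators and stays quiet; keychain targeting is rare enough from a
    script that it alerts with just one additional signal."""
    ind = indicators(ev)
    alert = len(ind) >= min_indicators or (
        "keychain_target" in ind and len(ind) >= 2)
    return alert, ind


def broad_discovery(events) -> set:
    """Fleet-level view: users whose scripted enumeration touched both
    keychain and document locations across several events, which is the
    'broad enumeration pattern' a single-event rule cannot see."""
    targets = defaultdict(set)
    for ev in events:
        ind = indicators(ev)
        if "enumeration" in ind:
            targets[ev.user] |= ind & {"keychain_target", "document_target"}
    return {u for u, t in targets.items()
            if t == {"keychain_target", "document_target"}}


# Constructed sample events; none of these are real telemetry.
SAMPLE_EVENTS = [
    ProcEvent("T1", "alice", "Terminal", "zsh", "ls -la ~/Documents"),
    ProcEvent("T2", "alice", "Terminal", "zsh", "git status"),
    ProcEvent("T3", "alice", "Preview", "bash",
              "find /Users/alice/Library/Keychains -name '*.keychain-db'"),
    ProcEvent("T4", "alice", "Preview", "osascript",
              '-e \'tell application "Finder" to get every file of folder "Documents" of home\''),
    ProcEvent("T5", "bob", "sshd", "bash", "du -sh ~/Downloads"),
    ProcEvent("T6", "bob", "Terminal", "python3", "python3 -c 'import os'"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        alert, ind = evaluate(ev)
        print(f"{ev.ts} {ev.user:6} {ev.image:9} alert={alert} {sorted(ind)}")
    print("broad discovery by user:", broad_discovery(SAMPLE_EVENTS))
```

Event T1 (a shell from Terminal listing a document folder) is deliberately left below the per-event threshold; T3 and T4 alert because an unexpected parent launched an interpreter that enumerated keychain or document locations, and the fleet-level pass flags the user whose scripts touched both target classes even though each event on its own might be explained away.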
Mitigation priorities
- Ensure managed macOS endpoints have consistent process, script, and relevant file-access telemetry enabled.
- Restrict unnecessary script execution and administrative privileges where business operations allow.
- Harden access to sensitive local data such as keychains and user document stores through least privilege and endpoint configuration controls.
- Include macOS scripted file discovery in incident response playbooks so analysts know what evidence to preserve and how to assess possible data exposure.
- Use compliance and audit reviews to verify that sensitive-data access monitoring on macOS is demonstrable, not assumed.
Analyst notes and limits
This object is a detection analytic, AN1072, for enterprise ATT&CK release 19.1. The only supplied platform is macOS. The official description identifies adversary use of bash/zsh or AppleScript to locate files and exfiltration targets such as user keychains or documents. No tactics, labels, aliases, detection text, or relationship context were supplied.
The source data does not provide official detection logic, related techniques, procedures, mitigations, or adversary examples. Any production detection should be validated against the organization’s macOS fleet, logging configuration, privacy constraints, administrative practices, and normal scripting activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 06a0d189c430… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1072
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.