MITRE ATT&CK® Analytic

AN1082: Analytic 1082

Identifies use of sh/bash/zsh in suspicious context, such as user scripts launched from non-standard apps (e.g., Preview.app), embedded in LaunchDaemons, or executed outside Terminal.app. Looks for misuse in Automator, LaunchAgents, or NSAppleScript-executed shell.

Enterprise · AN1082 · Analytic · Object version 1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because the context in which a macOS shell such as sh, bash, or zsh is launched often decides whether an unusual user action is benign automation or a potential intrusion path. For leaders, the practical issue is not the shell itself but whether the organization can see and explain shell execution that originates from unexpected macOS applications, LaunchDaemons, LaunchAgents, Automator, or NSAppleScript-driven activity.

Executive priority

Treat this as a macOS endpoint visibility and response-readiness question. Security leaders should ask whether managed detection, incident response, and audit evidence can distinguish normal administrative scripting from shell execution launched outside expected tools such as Terminal.app. The business-continuity concern is that weak macOS process visibility delays triage of suspicious automation, persistence-like execution paths, and misuse of built-in scripting capabilities.

Technical view

For SOC and detection engineering teams, validate telemetry for macOS process execution where sh, bash, or zsh is launched from a suspicious or non-standard parent context. The supplied ATT&CK description specifically calls out user scripts launched from non-standard apps such as Preview.app, shell use embedded in LaunchDaemons, execution outside Terminal.app, and misuse in Automator, LaunchAgents, or NSAppleScript-executed shell. Because ATT&CK supplies no official detection logic for this object, teams should convert the description into locally tested behavioral analytics built on parent process, command line, executable path, user context, and launch mechanism evidence. Parent name alone is not enough: a shell started through NSAppleScript's do shell script appears as /bin/sh -c with the calling application (not osascript) as its parent, and a shell started by a LaunchAgent or LaunchDaemon has launchd as its parent, so the command line and the launch item that caused the spawn must be preserved to tell these cases apart.

Likely telemetry

  • macOS process creation events for sh, bash, and zsh, including the executable path
  • Parent-child process relationships (and the responsible process, where the sensor exposes it) showing shell execution outside Terminal.app
  • Command-line arguments and script paths where available
  • LaunchDaemon and LaunchAgent configuration or execution records
  • Automator-related execution evidence

Detection direction

  • Baseline legitimate macOS shell usage by administrators, developers, management tools, and automation workflows before alerting broadly.
  • Tune for suspicious parent applications, shell execution outside Terminal.app, and shell activity associated with LaunchDaemons, LaunchAgents, Automator, or NSAppleScript as described by the analytic.
  • Preserve parent process, command line, user, path, and timestamp fields; without them, this analytic will be difficult to validate or investigate.
  • Expect false positives from enterprise management, developer tooling, helpdesk scripts, and approved automation; require allowlisting to be evidence-based and reviewed.
  • Use this analytic as a validation target for macOS EDR/SIEM coverage rather than as a complete detection, because ATT&CK does not provide official detection logic for this object.
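As an added example (not code from MITRE ATT&CK or Glexia), the following Python turns the Technical view and Detection direction points above into a small behavioral analytic and runs it over constructed macOS process-creation events. The event fields (exe, argv, parent_name, parent_exe, user, launch_plist), the baseline sets, and the allowlist are assumptions modelled on typical EDR exec telemetry, not any vendor's schema; replace them after local baselining.

```python
"""Added example, not code from MITRE ATT&CK or Glexia: a behavioral
analytic for AN1082 applied to constructed macOS process-creation events.

Event fields and the baseline/allowlist sets are assumptions modelled on
typical EDR exec telemetry, not any vendor's schema.
"""
from dataclasses import dataclass

SHELLS = {"sh", "bash", "zsh"}

# Assumed local baseline: parents from which shell execution is expected.
# Terminal.app comes from the analytic text; the others are placeholders.
EXPECTED_PARENTS = {"Terminal", "iTerm2", "sshd", "login"}

# Assumed evidence-based allowlist of reviewed management/developer tooling.
APPROVED_AUTOMATION = {"jamf", "Xcode"}

# Script hosts the analytic text calls out (Automator, NSAppleScript/osascript).
SCRIPT_HOSTS = {"osascript", "Automator", "Automator Runner"}


@dataclass
class ProcEvent:
    pid: int
    exe: str               # path of the new process image
    argv: list             # full command line
    parent_name: str
    parent_exe: str
    user: str
    launch_plist: str = ""  # assumed field: launchd item that spawned it, if known


def is_shell(ev):
    return ev.exe.rsplit("/", 1)[-1] in SHELLS


def classify(ev):
    """Return the reasons an event matches AN1082 (empty list = benign)."""
    if not is_shell(ev):
        return []
    if ev.parent_name in EXPECTED_PARENTS or ev.parent_name in APPROVED_AUTOMATION:
        return []  # baseline or reviewed allowlist

    reasons = []
    if ev.parent_name == "launchd":
        if "/LaunchDaemons/" in ev.launch_plist:
            reasons.append(f"shell embedded in LaunchDaemon {ev.launch_plist} (user={ev.user})")
        elif "/LaunchAgents/" in ev.launch_plist:
            reasons.append(f"shell embedded in LaunchAgent {ev.launch_plist} (user={ev.user})")
        else:
            reasons.append("shell spawned by launchd; launch item not resolved")
    elif ev.parent_name in SCRIPT_HOSTS:
        reasons.append(f"shell executed by script host {ev.parent_name}")
    elif ".app/Contents/MacOS/" in ev.parent_exe:
        reasons.append(f"shell spawned by non-standard GUI app {ev.parent_name}")
    else:
        reasons.append(f"shell launched outside Terminal.app by {ev.parent_name}")

    # Supporting evidence: an inline -c command is what do shell script and
    # most embedded launchers produce; keep it verbatim for triage.
    if "-c" in ev.argv:
        reasons.append("inline command: " + " ".join(ev.argv[ev.argv.index("-c") + 1:]))
    return reasons


def run_analytic(events):
    """Map pid -> reasons for every event that matches."""
    findings = {}
    for ev in events:
        reasons = classify(ev)
        if reasons:
            findings[ev.pid] = reasons
    return findings


# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    ProcEvent(101, "/bin/zsh", ["-zsh"], "Terminal",
              "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "alice"),
    ProcEvent(102, "/bin/sh", ["sh", "-c", "/tmp/preview_helper.sh"], "Preview",
              "/System/Applications/Preview.app/Contents/MacOS/Preview", "alice"),
    ProcEvent(103, "/bin/bash", ["bash", "/Library/Scripts/agent.sh"], "launchd",
              "/sbin/launchd", "root", "/Library/LaunchDaemons/com.example.agent.plist"),
    ProcEvent(104, "/bin/sh", ["sh", "-c", "whoami"], "osascript",
              "/usr/bin/osascript", "alice"),
    ProcEvent(105, "/bin/zsh", ["zsh", "/Library/Application Support/JAMF/tmp/policy.sh"],
              "jamf", "/usr/local/jamf/bin/jamf", "root"),
]

if __name__ == "__main__":
    for pid, reasons in run_analytic(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

The allowlist check runs before any reason is recorded, so an approved tool such as the management agent in event 105 never reaches alerting; the trade-off is that an attacker who can masquerade as an allowlisted parent is invisible to this rule, which is why the page asks for allowlist entries to be evidence-based and reviewed.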

Mitigation priorities

  • Inventory legitimate macOS automation and shell-based administrative workflows so detection teams can separate approved activity from suspicious context.
  • Harden and monitor LaunchDaemons, LaunchAgents, Automator usage, and script execution paths according to local policy.
  • Ensure macOS endpoint tooling collects process lineage and command-line evidence needed for incident response.
  • Create escalation procedures for shell execution from unusual GUI applications or scripting contexts, especially when the user or parent process is unexpected.
  • Review exceptions periodically so approved automation does not become a blind spot.
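The inventory and hardening points above need a concrete starting list of launchd items that run a shell. The Python below is an added example (not code from MITRE ATT&CK or Glexia) that scans LaunchDaemon and LaunchAgent plists for entries whose program is sh, bash, or zsh and records whether they run an inline -c command or a script path. The plist contents are constructed for the demonstration; the directory list matches the standard launchd locations, and the user-writable path prefixes are an assumption, not a rule from the analytic.

```python
"""Added example, not code from MITRE ATT&CK or Glexia: inventory launchd
items (LaunchDaemons and LaunchAgents) whose program is sh, bash, or zsh so
each entry can be reviewed against the approved-automation list.

Sample plists are constructed; USER_WRITABLE_PREFIXES is an assumption.
"""
import glob
import os
import plistlib
import tempfile

SHELLS = {"sh", "bash", "zsh"}
LAUNCHD_DIRS = [
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
]
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")  # assumption


def assess(plist_bytes):
    """Return a finding dict if the launchd item runs a shell, else None."""
    d = plistlib.loads(plist_bytes)
    args = list(d.get("ProgramArguments", []))
    # launchd uses Program as the executable when present, otherwise argv[0].
    prog = d.get("Program") or (args[0] if args else "")
    if os.path.basename(prog) not in SHELLS:
        return None
    finding = {
        "label": d.get("Label", ""),
        "shell": prog,
        "argv": args,
        "run_at_load": bool(d.get("RunAtLoad", False)),
        "keep_alive": bool(d.get("KeepAlive", False)),
        "inline": "",
        "script": "",
    }
    if "-c" in args:
        finding["inline"] = " ".join(args[args.index("-c") + 1:])
    else:
        # First non-option argument after argv[0] is the script the shell runs.
        finding["script"] = next((a for a in args[1:] if not a.startswith("-")), "")
    finding["user_writable_script"] = finding["script"].startswith(USER_WRITABLE_PREFIXES)
    return finding


def assess_item(item):
    """Assess an in-memory plist dictionary (convenience for tests)."""
    return assess(plistlib.dumps(item))


def scan(dirs=LAUNCHD_DIRS):
    """Scan the given directories and return findings for shell-backed items."""
    findings = []
    for directory in dirs:
        for path in sorted(glob.glob(os.path.join(directory, "*.plist"))):
            with open(path, "rb") as fh:
                finding = assess(fh.read())
            if finding:
                finding["path"] = path
                findings.append(finding)
    return findings


# Constructed sample items (not real launchd configuration).
SAMPLE_ITEMS = {
    "com.example.agent.plist": {
        "Label": "com.example.agent",
        "ProgramArguments": ["/bin/bash", "-c", "/Library/Scripts/agent.sh"],
        "RunAtLoad": True,
    },
    "com.example.backup.plist": {
        "Label": "com.example.backup",
        "ProgramArguments": ["/usr/local/bin/backup", "--daily"],
        "RunAtLoad": True,
    },
    "com.example.helper.plist": {
        "Label": "com.example.helper",
        "Program": "/bin/sh",
        "ProgramArguments": ["sh", "/Users/alice/Library/Caches/helper.sh"],
        "KeepAlive": True,
    },
}


def demo():
    """Write the constructed items to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, item in SAMPLE_ITEMS.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                plistlib.dump(item, fh)
        return scan([tmp])


if __name__ == "__main__":
    for f in demo():
        print(f["label"], f["shell"], f["inline"] or f["script"],
              "(user-writable script)" if f["user_writable_script"] else "")
```

Running scan() with the default directories on a real host produces the list to reconcile against the approved-automation inventory; entries that are absent from that inventory, run an inline command, or point at a script under a user-writable path are the ones to review first.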

Analyst notes and limits

This object is a detection analytic for enterprise ATT&CK on macOS. It is not a technique object and has no supplied tactic mapping or relationship context. The strongest use is as a defensive validation prompt: can the organization observe suspicious macOS shell execution context and explain it quickly?

The official object supplies a description but no formal detection logic, no relationships, no tactics, and no evidence of active exploitation or attribution. Local baselines, endpoint telemetry quality, and approved automation inventories are required before production alerting decisions can be made.

Official MITRE ATT&CK definition

Analytic 1082

Identifies use of sh/bash/zsh in suspicious context, such as user scripts launched from non-standard apps (e.g., Preview.app), embedded in LaunchDaemons, or executed outside Terminal.app. Looks for misuse in Automator, LaunchAgents, or NSAppleScript-executed shell.

The same entry is available on attack.mitre.org (MITRE-hosted reference; in-page links use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Where related groups, software, data sources, or mitigations are listed, validate them against official ATT&CK relationships and your own telemetry before making control-coverage decisions; for this object, no relationships are currently available (see Relationship explorer below).

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 662237bca047a4bd...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 662237bca047…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1082 (source URL on attack.mitre.org)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.