AN1086: Analytic 1086
A process or terminal command outside of standard shell utilities reads the user's .bash_history file. On macOS, unified logs or telemetry tools like EndpointSecurity (ESF) may observe file read APIs or terminal process lineage that shows non-user-initiated access.
Analyst context for executives and security teams
This analytic is about spotting unusual access to a macOS user’s .bash_history file by something other than normal shell activity. For leaders, the practical concern is that shell history can expose commands, paths, usernames, operational habits, and sometimes secrets accidentally typed at the command line. Even without an ATT&CK tactic supplied, this behavior is worth validating because it can indicate unauthorized local reconnaissance or collection of user activity on macOS endpoints.
Executive priority
Prioritize this as a macOS endpoint visibility and data-exposure control question: do security teams know when non-standard processes read sensitive user history files, and can they explain whether that access is expected? It supports incident response readiness, SOC detection quality, and compliance evidence around endpoint monitoring and protection of potentially sensitive local data. Because no relationships or active threat context are supplied, it should be treated as a focused detection validation item rather than a standalone high-severity risk.
Technical view
Validate whether macOS telemetry can show file-read activity against user .bash_history files and whether process lineage distinguishes normal terminal or shell utility access from non-user-initiated access. The official description points to unified logs or EndpointSecurity Framework-style telemetry as relevant evidence sources. Detection engineering should focus on process identity, parent process, user context, command or application lineage, file path accessed, and whether the accessing process is a standard shell utility or an unexpected binary.
Likely telemetry
- macOS file access or file read events for user .bash_history paths
- EndpointSecurity Framework or comparable endpoint telemetry showing file read APIs
- macOS unified log data where available and useful
- Process creation and process lineage for terminal, shell, and non-shell processes
- User context associated with the accessing process
Detection direction
- Confirm telemetry records read access to .bash_history, not only file modification or process execution.
- Tune logic to separate expected terminal or shell-driven access from access by non-standard processes or non-user-initiated process chains.
- Review false positives from backup tools, endpoint management agents, developer tools, search indexers, and security products that may legitimately read user files.
- Use process lineage and user session context to reduce noise, especially distinguishing interactive terminal activity from background or automated access.
- Because no official detection logic is provided, test coverage in a lab or pilot group before relying on this analytic operationally.
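The following is an added triage example for this analytic, not MITRE's or Glexia's code. It applies the direction above to file-open telemetry: reads of any user's .bash_history are labelled by process identity, documented benign readers, and session context (tty plus shell or terminal parent) so that only background, non-user-initiated reads by non-shell processes reach an analyst. The JSON Lines records, paths, uids and tool names are constructed for illustration and do not come from any real EndpointSecurity output; the shell set and allow-list are assumptions to be replaced by local baselining.

```python
"""Triage file-open telemetry for reads of .bash_history by non-shell processes.

Added example for analytic AN1086; not MITRE's or Glexia's code. The records
below are constructed to resemble EndpointSecurity-style file-open events and
every path, uid and tool name in them is made up for illustration.
"""
from __future__ import annotations

import json
import re

# Any user's history file under /Users/<name>/, plus root's home.
HISTORY_PATH = re.compile(r"^/(?:Users/[^/]+|var/root)/\.bash_history$")

# Shells whose own reads of their history file are expected (assumed baseline).
STANDARD_SHELLS = {"/bin/bash", "/bin/zsh", "/bin/sh"}

# Parents that indicate an interactive, user-driven command (assumed baseline).
INTERACTIVE_PARENTS = STANDARD_SHELLS | {
    "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"
}

# Documented benign readers, e.g. backup agents. Placeholder entry: replace
# with the readers baselined in your environment (see "Mitigation priorities").
ALLOWED_READERS = {"/Library/ExampleBackup/backupd"}

# Constructed sample events in JSON Lines form (not real telemetry).
SAMPLE_JSONL = """\
{"event": "file_open", "process": "/bin/bash", "parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "uid": 501, "tty": "/dev/ttys000", "path": "/Users/alice/.bash_history"}
{"event": "file_open", "process": "/bin/cat", "parent": "/bin/zsh", "uid": 501, "tty": "/dev/ttys002", "path": "/Users/alice/.bash_history"}
{"event": "file_open", "process": "/Library/ExampleBackup/backupd", "parent": "/sbin/launchd", "uid": 0, "tty": null, "path": "/Users/alice/.bash_history"}
{"event": "file_open", "process": "/Users/alice/Library/Caches/updater", "parent": "/sbin/launchd", "uid": 501, "tty": null, "path": "/Users/alice/.bash_history"}
{"event": "file_open", "process": "/usr/bin/grep", "parent": "/bin/bash", "uid": 501, "tty": "/dev/ttys000", "path": "/Users/alice/.zsh_history"}
"""


def parse_events(jsonl: str) -> list[dict]:
    """Parse JSON Lines telemetry into dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def classify(event: dict) -> str:
    """Label one file-open event.

    Returns one of:
      "not_history"    - not a read of a .bash_history file
      "expected_shell" - a standard shell touching its own history
      "allowed_reader" - a documented benign reader (backup agent etc.)
      "user_initiated" - other process, but run interactively from a tty
      "suspicious"     - other process with no interactive lineage
    """
    if event.get("event") != "file_open" or not HISTORY_PATH.match(event.get("path", "")):
        return "not_history"
    proc = event.get("process", "")
    if proc in STANDARD_SHELLS:
        return "expected_shell"
    if proc in ALLOWED_READERS:
        return "allowed_reader"
    # Session context: a tty plus a shell/terminal parent reads as user-driven;
    # no tty (typically a launchd child) reads as background or automated access.
    if event.get("tty") and event.get("parent") in INTERACTIVE_PARENTS:
        return "user_initiated"
    return "suspicious"


def find_suspicious(events: list[dict]) -> list[dict]:
    """Return only the events that should reach an analyst queue."""
    return [e for e in events if classify(e) == "suspicious"]


if __name__ == "__main__":
    for e in parse_events(SAMPLE_JSONL):
        print(f"{classify(e):15} {e['process']} -> {e['path']}")
```

The "user_initiated" label is kept separate from "suspicious" rather than discarded: an interactive `cat ~/.bash_history` is low priority on its own but is still useful context during an investigation, while the launchd-spawned, tty-less reader is the case this analytic is meant to surface.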
Mitigation priorities
- Ensure macOS endpoint monitoring is enabled and retained for file access and process lineage events relevant to user history files.
- Reduce sensitive data exposure in shell history through user guidance and secure handling practices, especially avoiding secrets in commands.
- Review and limit unnecessary local access by applications or agents to user home-directory history files.
- Use least privilege and endpoint hardening to constrain untrusted or unnecessary processes from reading user data where feasible.
- Document expected benign readers of .bash_history so SOC triage can distinguish authorized tooling from suspicious access.
Analyst notes and limits
This object is a detection analytic for macOS only. It has no supplied tactic, technique relationship, aliases, labels, or official detection pseudocode. The key decision value is whether the organization can observe and explain non-standard reads of user shell history files on macOS endpoints.
The supplied ATT&CK fields do not provide a tactic, related technique, adversary procedure, severity, prevalence, or detection logic. Local baselining is required to determine what processes normally read .bash_history and which events should alert.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table lets you compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4a535f2c91fb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1086
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.