MITRE ATT&CK® Analytic

AN1215: Analytic 1215

Detects custom archiving by monitoring execution of Swift/Objective-C apps or scripts producing high-entropy files with non-standard headers. Correlates unified logs of abnormal NSFileHandle/NSData operations, memory use of XOR/bitwise operations, and file creation events.

Domain: Enterprise | ID: AN1215 | Type: Analytic | Object version: 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is about spotting possible custom archiving behavior on macOS, especially when Swift or Objective-C apps or scripts create high-entropy files with unusual headers. For leaders, the decision value is whether the organization can recognize non-standard data packaging that may not look like ordinary zip, tar, or other known archive formats. That matters because custom archiving can reduce the usefulness of simple file-extension or known-tool monitoring and may affect incident response scoping when sensitive data is being staged in unfamiliar formats.

Executive priority

Prioritize this where macOS endpoints hold sensitive business data or are in scope for compliance evidence. Executives and security leaders should ask whether macOS telemetry includes process execution, file creation, unified logs, and enough endpoint detail to investigate suspicious custom file generation. This is less about buying a single control and more about validating whether SOC and IR teams can distinguish legitimate developer or application behavior from unusual file packaging activity during an incident.

Technical view

For SOC, detection engineering, and IR teams, validate visibility on macOS for Swift/Objective-C app or script execution, file creation events, file entropy characteristics, non-standard file headers, unified log entries involving abnormal NSFileHandle or NSData operations, and memory indicators consistent with XOR or other bitwise operations. Because no ATT&CK tactic is specified and no relationship context is supplied, treat this analytic as a behavior-focused detection component rather than a complete incident verdict. Correlation is important: high entropy alone can be benign, and custom application file handling may occur in legitimate software, development, backup, compression, or encryption workflows.

Likely telemetry

  • macOS process execution telemetry for apps and scripts
  • macOS file creation events, including path, process, user, timestamp, and file metadata
  • File content metadata such as entropy and header or magic-byte analysis
  • macOS unified logs related to NSFileHandle and NSData operations
  • Endpoint telemetry showing memory or behavioral patterns involving XOR or bitwise operations

Detection direction

  • Confirm that macOS endpoint logging can correlate process execution with file creation and file characteristics, not just alert on file names or extensions.
  • Tune for combinations of signals: Swift/Objective-C execution, unusual file headers, high entropy, abnormal file-handle or NSData activity, and suspicious file creation timing or location.
  • Establish baselines for legitimate high-entropy output, including encryption tools, compressed files, application caches, developer builds, backups, and security tooling to reduce false positives.
  • Investigate parent process, signer, user, working directory, destination path, and nearby activity before escalating, since the supplied ATT&CK object does not define a specific tactic or adversary context.
  • Identify blind spots where unified logs, file metadata inspection, or endpoint memory-behavior telemetry are unavailable or not retained long enough for incident response.
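The correlation described in the technical view and detection direction above, as an added example that is not part of the original page or of MITRE's analytic: it joins constructed file-creation events to their creating process, computes byte entropy, checks the leading bytes against a small table of known container formats, and flags only when high entropy, an unrecognized header, and a non-baselined signer coincide. Thresholds, signer names, paths and events are constructed assumptions; the memory-level XOR/bitwise signal from the analytic is out of scope here.

```python
"""Correlate file-creation events with process context and flag high-entropy
files whose leading bytes match no known archive or container format.
All events, signer names, paths and thresholds are constructed assumptions."""
import math
from collections import Counter

# Magic bytes of common legitimate container formats (assumption: extend to your baseline).
KNOWN_HEADERS = {
    b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip", b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz", b"7z\xbc\xaf\x27\x1c": "7z", b"%PDF": "pdf",
    b"\xcf\xfa\xed\xfe": "mach-o", b"\x89PNG": "png",
}
ENTROPY_THRESHOLD = 7.2  # bits per byte; assumed value, baseline it locally
TRUSTED_SIGNERS = {"Apple", "Example Corp (TEAMID)"}  # constructed placeholders

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def header_format(data: bytes):
    """Name of the first matching known format, or None for a non-standard header."""
    for magic, name in KNOWN_HEADERS.items():
        if data.startswith(magic):
            return name
    return None

def evaluate(file_event: dict, process_event: dict) -> dict:
    """Return a finding; 'flag' is True only when all three signals coincide."""
    ent = shannon_entropy(file_event["content"])
    fmt = header_format(file_event["content"][:16])
    baselined = process_event.get("signer") in TRUSTED_SIGNERS
    flag = ent >= ENTROPY_THRESHOLD and fmt is None and not baselined
    return {"path": file_event["path"], "pid": process_event["pid"],
            "process": process_event["name"], "entropy": round(ent, 2),
            "format": fmt, "baselined_signer": baselined, "flag": flag}

def run_sample() -> list:
    # Constructed telemetry standing in for EDR process-execution and file-creation events.
    procs = {501: {"pid": 501, "name": "Archive Utility", "signer": "Apple"},
             777: {"pid": 777, "name": "unsigned-swift-app", "signer": None}}
    uniform = bytes(range(256)) * 16  # stands in for XOR-scrambled output (entropy 8.0)
    files = [
        {"pid": 501, "path": "/Users/a/backup.gz", "content": b"\x1f\x8b\x08\x00" + uniform},
        {"pid": 777, "path": "/tmp/.cache/out.dat", "content": b"\x13\x37" + uniform},
        {"pid": 777, "path": "/tmp/notes.txt", "content": b"meeting notes\n" * 50},
    ]
    return [evaluate(f, procs[f["pid"]]) for f in files]

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Only the second event is flagged: the gzip file is high-entropy but carries a known header from a baselined signer, and the text file never clears the entropy threshold.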

Mitigation priorities

  • Improve macOS endpoint telemetry collection and retention for process execution, file creation, unified logs, and file metadata needed to validate this behavior.
  • Maintain an approved-software and code-signing baseline so unusual Swift/Objective-C apps or scripts are easier to triage.
  • Apply least privilege and data access controls so custom archiving behavior, if suspicious, has less opportunity to package sensitive files.
  • Use data handling, encryption, and archive creation policies to define what legitimate high-entropy file creation should look like in the environment.
  • For compliance readiness, document telemetry coverage and investigation procedures for non-standard archive or file-staging behavior on macOS systems.

Analyst notes and limits

The supplied object is a detection analytic, not a full ATT&CK technique entry. It provides a macOS-focused behavioral description but no official detection text, no tactics, and no relationship context. Use it as a prompt to validate macOS endpoint visibility and correlation logic rather than as a standalone detection guarantee.

This take is limited to the official STIX fields, the MITRE external reference, and the absence of supplied relationships. It does not establish active exploitation, attribution, impact, affected customers, or coverage on platforms other than macOS. Local baselines are required to separate suspicious custom archiving from legitimate compression, encryption, development, backup, or application behavior.

Official MITRE ATT&CK definition

Analytic 1215

Detects custom archiving by monitoring execution of Swift/Objective-C apps or scripts producing high-entropy files with non-standard headers. Correlates unified logs of abnormal NSFileHandle/NSData operations, memory use of XOR/bitwise operations, and file creation events.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 55f72faa3545540c...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: 55f72faa3545…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1215 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.