AN1300: Analytic 1300
Detects modification of shared network folders via .app bundles or scripting files with hidden extensions (e.g., double extensions like docx.app).
Analyst context for executives and security teams
AN1300 is a macOS-focused detection analytic for spotting changes to shared network folders involving .app bundles or scripting files that use hidden or misleading extensions, such as double-extension names like docx.app. The business significance is that shared folders often bridge users, teams, and workflows; suspicious application bundles placed or modified there can become a practical path for user execution, lateral exposure, or incident spread if defenders are not watching file changes in shared locations.
Executive priority
Treat this as a validation point for macOS file-sharing risk and SOC visibility. Leaders should ask whether shared network folders are inventoried, whether macOS endpoints and file shares generate usable file-modification evidence, and whether the organization can distinguish legitimate shared applications or scripts from misleading file names. This supports operational resilience, incident response readiness, and audit evidence around endpoint and shared-storage monitoring.
Technical view
For SOC and detection teams, validate coverage for macOS file events in shared network folders where files are created, renamed, modified, or moved with .app bundle structure or scripting-file characteristics combined with hidden or double extensions. Because the ATT&CK object does not provide tactics, related techniques, or detailed detection logic, implementation should be tested against local macOS sharing patterns and known administrative software distribution workflows before alerting broadly.
Likely telemetry
- macOS endpoint file creation, modification, rename, and move events
- Shared network folder audit logs or file server access logs
- File path, filename, and extension metadata, including double-extension patterns
- Process context for the actor or process modifying shared-folder contents, where available
- User and host identity associated with the file operation
Detection direction
- Confirm that telemetry covers the relevant macOS shared network folders, not only local endpoint paths.
- Look for .app bundles or scripting files using misleading, hidden, or double extensions such as document-like names ending in .app.
- Tune for expected business workflows, such as legitimate macOS application distribution, software packaging, or administrator-managed shared folders.
- Correlate file-modification events with user, host, and process context to reduce noise and support triage.
- Identify blind spots where file servers log access but endpoints do not report process context, or where endpoint agents do not monitor mounted shared folders consistently.
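As an added example (not part of the MITRE object or Glexia's analysis), the following Python sketch applies the detection direction above to constructed macOS file events: it attributes changes inside a bundle to the enclosing .app, flags .app bundles and scripting files whose names carry a document-like double extension, restricts to shared mounts, and suppresses one approved distribution workflow. The mount prefix, extension sets and allowlist are assumptions to tune per environment.

```python
from collections import namedtuple
# Assumptions (not from the page): network shares on macOS mount under /Volumes/, and the
# extension sets below define "scripting file" and "document-like" names. Tune per environment.
SHARED_MOUNT_PREFIXES = ("/Volumes/",)
SCRIPT_EXTS = {"sh", "zsh", "command", "scpt", "applescript", "py"}
DOC_LIKE_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "rtf", "csv", "jpg", "png", "zip"}
WATCHED_ACTIONS = {"create", "modify", "rename", "move"}
# Constructed allowlist of (shared-folder prefix, process) pairs for an approved distribution workflow.
ALLOWED_WORKFLOWS = {("/Volumes/Apps/Managed/", "/opt/corp/deploy")}

# path is the full path after the operation; process is the executable that performed it, where known.
FileEvent = namedtuple("FileEvent", "action path user host process")

def bundle_or_file_name(path):
    """Changes inside a bundle (.../X.app/Contents/...) are attributed to the bundle X.app."""
    comps = [c for c in path.split("/") if c]
    bundles = [c for c in comps if c.lower().endswith(".app")]
    return bundles[0] if bundles else (comps[-1] if comps else "")

def classify_name(name):
    """Return (kind, reason): kind is 'app', 'script' or None; reason is set only for a double extension."""
    parts = name.lower().split(".")
    ext = parts[-1]
    kind = "app" if ext == "app" else ("script" if ext in SCRIPT_EXTS else None)
    if kind is None or len(parts) < 2:
        return None, None
    inner = parts[-2] if len(parts) >= 3 else None  # Finder hides ".app", so report.docx.app displays as report.docx
    reason = f"document-like double extension .{inner}.{ext}" if inner in DOC_LIKE_EXTS else None
    return kind, reason

def detect(events):
    """Alert on shared-folder .app/script changes whose name hides a double extension, minus approved workflows."""
    alerts = []
    for ev in events:
        if ev.action not in WATCHED_ACTIONS or not ev.path.startswith(SHARED_MOUNT_PREFIXES):
            continue
        kind, reason = classify_name(bundle_or_file_name(ev.path))
        if reason is None or any(ev.path.startswith(p) and ev.process == x for p, x in ALLOWED_WORKFLOWS):
            continue
        alerts.append({"host": ev.host, "user": ev.user, "process": ev.process,
                       "path": ev.path, "kind": kind, "reason": reason})
    return alerts

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    FileEvent("create", "/Volumes/Finance/Q3 report.docx.app/Contents/MacOS/Q3 report", "jdoe", "mac-42", "/bin/cp"),
    FileEvent("rename", "/Volumes/Shared/invoice.pdf.command", "jdoe", "mac-42", "/bin/mv"),
    FileEvent("create", "/Volumes/Apps/Managed/Viewer.pdf.app/Contents/Info.plist", "svc-deploy", "mac-07", "/opt/corp/deploy"),
    FileEvent("modify", "/Volumes/Finance/Q3 report.docx", "asmith", "mac-11", "/usr/bin/vim"),
    FileEvent("create", "/Users/jdoe/Desktop/notes.txt.app", "jdoe", "mac-42", "/bin/cp"),
]
```

Running `detect(SAMPLE_EVENTS)` yields two alerts (the Finance bundle and the .pdf.command script); the managed-folder deploy, the plain document edit and the local desktop file are not reported.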
Mitigation priorities
- Inventory macOS-accessible shared network folders and identify which ones allow users to write or modify files.
- Restrict write permissions on shared folders to business-required users and administrative processes.
- Establish review and approval practices for placing .app bundles or scripts in shared locations.
- Ensure endpoint and shared-storage logging are retained long enough to support investigation.
- Document legitimate software distribution paths so detections can be tuned without suppressing suspicious shared-folder modifications.
Analyst notes and limits
This object is a detection analytic, not a full technique description. The strongest use is as a coverage test: can the environment see suspicious macOS .app or script-like content being modified in shared folders, and can analysts quickly determine whether the activity is expected?
The supplied ATT&CK fields provide no official detection text, tactics, relationships, aliases, labels, or related techniques. Conclusions are therefore limited to the stated macOS platform and the official description of modifications to shared network folders via .app bundles or scripting files with hidden extensions. Local environment context is required for severity, tuning, and response decisions.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 996a75f19393… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN1300 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.