AN1316: Analytic 1316
Cause→effect chain: (1) unified logs show application open/click or crash for Safari/Chrome/Office/Preview/archiver, (2) file write/extraction into ~/Downloads, /private/var/folders/* or ~/Library, (3) parent app spawns osascript/bash/zsh/curl/python or opens a quarantined app with Gatekeeper prompts, (4) network egress from child.
Analyst context for executives and security teams
This analytic is about recognizing a risky macOS chain where a user-facing app such as a browser, Office, Preview, or an archiver handles content, writes or extracts files into common user or temporary locations, then launches scripting or command-line tools and makes outbound network connections. For leaders, the value is not the individual event; it is the sequence. It helps determine whether macOS endpoint telemetry can connect user activity, file creation, process execution, Gatekeeper/quarantine context, and network egress into one investigation-ready story.
Executive priority
Prioritize this as a validation item for macOS detection and response readiness. The business question is whether the organization can quickly distinguish normal document/download handling from suspicious child-process and network behavior following content interaction. This affects incident triage speed, evidence quality for audits, and confidence in controls around user endpoints, downloaded content, and script execution. It is most relevant where macOS systems are used for business-critical work or privileged access.
Technical view
Validate that SOC and IR workflows can correlate the stated cause-to-effect chain on macOS: unified log evidence of application open, click, or crash for Safari, Chrome, Office, Preview, or archiver applications; file writes or extraction into ~/Downloads, /private/var/folders/*, or ~/Library; parent application spawning osascript, bash, zsh, curl, or python, or opening a quarantined app with Gatekeeper prompts; and subsequent network egress from the child process. Because no official detection logic or ATT&CK relationships are supplied, teams should treat this as a behavioral correlation pattern rather than a complete rule.
Likely telemetry
- macOS unified logs for application open, click, and crash activity
- Endpoint file creation and extraction events for ~/Downloads, /private/var/folders/*, and ~/Library
- Process creation telemetry with parent-child relationships
- Command-line telemetry for osascript, bash, zsh, curl, and python
- Gatekeeper and quarantine prompt or attribute evidence for downloaded applications
Detection direction
- Test whether telemetry can preserve event order across app interaction, file write, child process launch, and network egress.
- Tune around parent-child process relationships where browsers, Office, Preview, or archivers launch scripting shells, curl, python, or quarantined applications.
- Use file location context to separate routine downloads and extraction from suspicious execution chains involving temporary, Downloads, or Library paths.
- Review false positives from legitimate installers, enterprise management tools, developer workflows, browser helpers, and approved automation.
- Confirm that network events are attributable to the child process, not only to the host, to avoid weak correlation.
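The following is an added worked example of the correlation logic these bullets describe; it is not Glexia's analysis or MITRE's detection content, and ATT&CK supplies no official logic for AN1316. It assumes a hypothetical normalized event schema (`Event` with `ts`, `kind`, `pid`, `ppid`, `image`, `path`, `cmdline`, `dst`, `quarantined`) standing in for unified-log and EDR records, and all sample telemetry, paths, TEST-NET addresses and the `/opt/corp/` allowlist prefix are constructed. It anchors on each stage-3 spawn, attaches stages 1, 2 and 4 only when they occur in the required order, attributes egress to the child pid rather than the host, uses the stage-2 path locations to separate routine downloads from execution chains, and applies a local baseline for approved helpers.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical normalized event schema (an assumption for this example, not a real
# EDR or unified-log format). kind is one of:
#   app_open (unified log open/click/crash), file_write (create/extract),
#   proc_spawn (child with ppid), net_connect (egress attributed to a pid)
@dataclass
class Event:
    ts: float
    kind: str
    pid: int
    image: str = ""             # process name for app_open / proc_spawn
    ppid: Optional[int] = None  # parent pid for proc_spawn
    path: str = ""              # destination path for file_write
    cmdline: str = ""           # command line for proc_spawn
    dst: str = ""               # remote endpoint for net_connect
    quarantined: bool = False   # child carried quarantine metadata / Gatekeeper prompt

USER_FACING_APPS = {"Safari", "Google Chrome", "Microsoft Word", "Preview", "Archive Utility"}
SCRIPT_CHILDREN = {"osascript", "bash", "zsh", "sh", "curl", "python", "python3"}
# Local baseline (constructed value): child command lines under this prefix are an
# approved browser helper, not a finding. Populate from your own allowlists.
ALLOWLISTED_CMDLINE_PREFIXES = ("/opt/corp/",)

# Stage-2 locations: ~/Downloads, ~/Library and /private/var/folders/*
STAGING_RE = re.compile(r"^(?:/Users/[^/]+/(?:Downloads|Library)(?:/|$)|/private/var/folders/)")

def in_staging_location(path: str) -> bool:
    return bool(STAGING_RE.match(path))

@dataclass
class ChainMatch:
    parent_pid: int
    child_pid: int
    stages: Dict[str, Event] = field(default_factory=dict)

    @property
    def complete(self) -> bool:
        return all(k in self.stages for k in ("app_open", "file_write", "proc_spawn", "net_egress"))

def correlate(events: List[Event]) -> List[ChainMatch]:
    """Anchor on every qualifying stage-3 spawn; a match with fewer than four
    stages is a partial chain for tuning, not an alert."""
    evs = sorted(events, key=lambda e: e.ts)
    image_of: Dict[int, str] = {}
    for e in evs:
        if e.kind in ("app_open", "proc_spawn"):
            image_of.setdefault(e.pid, e.image)

    matches: List[ChainMatch] = []
    for spawn in evs:
        if spawn.kind != "proc_spawn" or spawn.ppid is None:
            continue
        if image_of.get(spawn.ppid) not in USER_FACING_APPS:
            continue
        if spawn.image not in SCRIPT_CHILDREN and not spawn.quarantined:
            continue
        if spawn.cmdline.startswith(ALLOWLISTED_CMDLINE_PREFIXES):
            continue  # approved helper per local baseline
        m = ChainMatch(spawn.ppid, spawn.pid, {"proc_spawn": spawn})
        # stage 2: the parent wrote/extracted into a staging location before the spawn
        write = next((e for e in evs if e.kind == "file_write" and e.pid == spawn.ppid
                      and e.ts < spawn.ts and in_staging_location(e.path)), None)
        if write:
            m.stages["file_write"] = write
            # stage 1: unified-log open/click/crash for the parent before that write
            opened = next((e for e in evs if e.kind == "app_open" and e.pid == spawn.ppid
                           and e.ts < write.ts), None)
            if opened:
                m.stages["app_open"] = opened
        # stage 4: egress attributed to the child pid itself, after the spawn;
        # the parent's own browsing traffic on the same host does not count
        egress = next((e for e in evs if e.kind == "net_connect" and e.pid == spawn.pid
                       and e.ts > spawn.ts), None)
        if egress:
            m.stages["net_egress"] = egress
        matches.append(m)
    return matches

# Constructed sample telemetry (fictional pids and paths, TEST-NET addresses)
SAMPLE_EVENTS = [
    # A: Safari -> download -> zsh -> egress from zsh (full chain)
    Event(0, "app_open", 100, image="Safari"),
    Event(5, "file_write", 100, path="/Users/alice/Downloads/invoice.zip"),
    Event(9, "proc_spawn", 200, image="zsh", ppid=100, cmdline="/bin/zsh /Users/alice/Downloads/invoice/run.sh"),
    Event(12, "net_connect", 200, dst="203.0.113.10:443"),
    Event(13, "net_connect", 100, dst="198.51.100.5:443"),  # Safari's own traffic
    # B: Chrome download with no child process (routine)
    Event(20, "app_open", 300, image="Google Chrome"),
    Event(25, "file_write", 300, path="/Users/alice/Downloads/report.pdf"),
    # C: Chrome launching an approved helper (excluded by the baseline)
    Event(30, "proc_spawn", 310, image="python3", ppid=300, cmdline="/opt/corp/browser-helper/sync.py"),
    Event(31, "net_connect", 310, dst="198.51.100.20:443"),
    # D: Preview opens a quarantined app from a temp folder, no egress yet (partial)
    Event(40, "app_open", 400, image="Preview"),
    Event(42, "file_write", 400, path="/private/var/folders/xy/T/attachment.app/Contents/MacOS/attachment"),
    Event(45, "proc_spawn", 410, image="attachment", ppid=400, quarantined=True),
]

if __name__ == "__main__":
    for m in correlate(SAMPLE_EVENTS):
        print(f"parent={m.parent_pid} child={m.child_pid} stages={list(m.stages)} complete={m.complete}")
```

Only chain A is reported as complete; chain D surfaces as a partial match with three stages, which is the kind of record worth keeping for tuning rather than alerting on, and chains B and C produce nothing because no qualifying spawn exists or the local baseline covers it.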
Mitigation priorities
- Ensure macOS endpoint logging and EDR collection cover process lineage, command lines, file writes, quarantine/Gatekeeper context, and per-process network activity.
- Reduce unnecessary script and interpreter execution from user-facing applications through policy, hardening, and application control where operationally feasible.
- Maintain Gatekeeper and quarantine protections and validate that prompts and quarantine metadata are available to investigators.
- Define SOC playbooks for investigating browser, Office, Preview, or archiver parent processes that spawn shells, osascript, curl, or python followed by egress.
- Use allowlists or baselines for approved installers, management agents, and developer tools before escalating this pattern broadly.
Analyst notes and limits
The supplied object is a detection analytic for macOS with a concise behavioral chain and no explicit tactic mapping or relationship context. The strongest use is as a coverage assessment and detection engineering scenario: can defenders correlate multiple weak signals into one higher-confidence sequence? Local baselines are essential because normal software installation, archive extraction, and development activity can resemble parts of this pattern.
Official detection logic is not provided, and no related techniques, groups, software, mitigations, or data components were supplied. This take does not assert active exploitation, attribution, impact, or guaranteed detection. Applicability is limited to the supplied platform, macOS, and must be validated against local telemetry and business workflows.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9e320a43752a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1316 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.