AN1383: Analytic 1383
Detects non-standard compilation activity via Xcode CLI tools or bundled GCC/MONO packages writing new executable files and executing them outside dev environments (e.g., user Downloads folder).
Analyst context for executives and security teams
This analytic matters because unexpected software compilation on macOS can indicate a host is being used to build or run newly created executables outside normal development workflows. For leaders, the practical issue is not “compilation” by itself; it is whether the organization can distinguish legitimate developer activity from unusual executable creation in places like a user Downloads folder.
Executive priority
Prioritize this where macOS endpoints are present, especially if developers, administrators, or high-value users have Xcode CLI tools or bundled GCC/MONO packages installed. The business decision is whether endpoint logging and policy controls can prove that compilation activity is expected, governed, and reviewable. This can support SOC readiness, incident triage, audit evidence around endpoint control, and risk reduction for unmanaged executable creation.
Technical view
Validate whether macOS telemetry can identify command-line use of Xcode CLI tools or bundled GCC/MONO packages, creation of new executable files, and subsequent execution of those files from non-development locations such as a user Downloads folder. Because the mirrored object carries no detection logic and no tactic mapping, treat it as a detection design requirement rather than a ready-made rule, and baseline known developer systems and approved build paths before alerting broadly.
Likely telemetry
- macOS process execution events, including command line and parent-child process context
- File creation or modification events for newly written executable files
- Execution events for files launched from user-writable or non-development directories such as Downloads
- Software inventory or endpoint state showing presence of Xcode CLI tools, GCC, or MONO packages
- User and host context identifying approved developer workstations versus general-purpose endpoints
Detection direction
- Confirm that endpoint telemetry captures both the compiler invocation and the later execution of the resulting file; either event alone may be noisy or incomplete. Note that clang and gcc drivers delegate the final write of the binary to the linker (ld, or collect2 then ld), so the file-creation event is attributed to a child process; correlate through process ancestry rather than matching the compiler pid alone.
- Tune by host role, user role, expected development directories, and approved build tools to reduce false positives from legitimate developers.
- Give higher review priority to compilation and execution from user-writable locations outside known development paths.
- Watch for blind spots on unmanaged macOS systems, incomplete command-line capture, missing file execution telemetry, or lack of software inventory for compiler packages.
- Because no relationship context is supplied, do not infer a specific ATT&CK tactic, threat actor behavior, or campaign from this analytic alone.
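The correlation described in the technical view and the detection-direction list above, as an added Python example that is not part of the ATT&CK object or of this page's analysis. It assumes a generic normalization of macOS process-exec and file-create telemetry (fields ts, host, user, pid, ppid, path, argv, cwd, mode); the approved developer hosts, build roots, and user-writable directories are illustrative tuning inputs, and all events are constructed. It attributes a written file to a compiler through process ancestry (so the linker's write still counts), treats a Mono assembly launched via the runtime as an execution of the artifact, suppresses builds on approved developer hosts in approved build roots, and ignores an executable that was downloaded rather than compiled, since that is outside this analytic's scope.

```python
"""Correlate macOS compiler invocations with later execution of the file they wrote."""
import os
import re
from dataclasses import dataclass, field

# Compiler drivers from Xcode CLI tools, Homebrew/MacPorts GCC (versioned names such
# as gcc-14) and Mono's C# compilers.
COMPILER_RE = re.compile(r"^(clang|clang\+\+|cc|c\+\+|gcc|g\+\+|swiftc|mcs|csc)(-\d+)?$")
MANAGED_RUNTIMES = {"mono", "mono64"}  # run the artifact named in argv[1], not argv[0]

# Assumed tuning inputs (not from the ATT&CK object): approved developer hosts and build
# roots, plus the user-writable locations the analytic singles out.
DEV_HOSTS = {"mac-dev-21"}
DEV_DIRS = [re.compile(r"^/Users/[^/]+/(src|Projects|go)/"), re.compile(r"^/opt/build/")]
RISKY_DIRS = [re.compile(r"^/Users/[^/]+/Downloads/"), re.compile(r"^/(private/)?tmp/"),
              re.compile(r"^/Users/Shared/")]


@dataclass
class Compile:
    host: str
    user: str
    compiler: str
    ts: int
    artifacts: set = field(default_factory=set)


def _matches(path, patterns):
    return any(p.match(path) for p in patterns)


def severity(host, artifact):
    """None suppresses an expected developer build; otherwise rank by artifact location."""
    if host in DEV_HOSTS and _matches(artifact, DEV_DIRS):
        return None
    return "high" if _matches(artifact, RISKY_DIRS) else "medium"


def _executed_path(ev):
    """Path actually run: the image, or argv[1] resolved against cwd for managed runtimes."""
    if os.path.basename(ev["path"]) in MANAGED_RUNTIMES and len(ev["argv"]) > 1:
        return os.path.normpath(os.path.join(ev["cwd"], ev["argv"][1]))
    return ev["path"]


def correlate(events):
    """Return one finding per execution of a freshly compiled file, in time order."""
    parent = {}       # (host, pid) -> (host, ppid)
    compiles = {}     # (host, pid) of a compiler driver -> Compile
    by_artifact = {}  # (host, written path) -> Compile that produced it
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["pid"])
        if ev["event"] == "exec":
            parent[key] = (ev["host"], ev["ppid"])
            name = os.path.basename(ev["path"])
            if COMPILER_RE.match(name):
                compiles[key] = Compile(ev["host"], ev["user"], name, ev["ts"])
                continue
            path = _executed_path(ev)
            comp = by_artifact.get((ev["host"], path))
            if comp and (sev := severity(ev["host"], path)):
                findings.append({"host": ev["host"], "user": comp.user, "compiler": comp.compiler,
                                 "artifact": path, "compiled_ts": comp.ts,
                                 "executed_ts": ev["ts"], "severity": sev})
        elif ev["event"] == "file_create":
            # clang/gcc delegate the final write to ld or collect2: walk up the process
            # tree (bounded, in case telemetry contains a pid cycle) to find the driver.
            cur, hops = key, 0
            while cur in parent and cur not in compiles and hops < 64:
                cur, hops = parent[cur], hops + 1
            comp = compiles.get(cur)
            # Mono assemblies are written 0644 and launched via the runtime: keep by suffix.
            if comp and (ev["mode"] & 0o111 or ev["path"].endswith(".exe")):
                comp.artifacts.add(ev["path"])
                by_artifact[(ev["host"], ev["path"])] = comp
    return findings


def sample_events():
    """Constructed telemetry: two suspicious chains, one approved build, one plain download."""
    fin, dev, dl, src = "mac-finance-07", "mac-dev-21", "/Users/jdoe/Downloads", "/Users/alice/src/tool"

    def ex(ts, host, user, pid, ppid, path, argv, cwd):
        return {"event": "exec", "ts": ts, "host": host, "user": user, "pid": pid,
                "ppid": ppid, "path": path, "argv": argv, "cwd": cwd}

    def fc(ts, host, pid, path, mode):
        return {"event": "file_create", "ts": ts, "host": host, "pid": pid, "path": path, "mode": mode}

    return [
        ex(100, fin, "jdoe", 510, 501, "/usr/bin/clang", ["clang", "-o", "update", "update.c"], dl),
        ex(101, fin, "jdoe", 511, 510, "/Library/Developer/CommandLineTools/usr/bin/ld", ["ld", "-o", "update"], dl),
        fc(102, fin, 511, dl + "/update", 0o755),
        ex(130, fin, "jdoe", 520, 501, dl + "/update", ["./update"], dl),
        ex(200, fin, "jdoe", 530, 501, "/Library/Frameworks/Mono.framework/Commands/mcs",
           ["mcs", "-out:stage.exe", "stage.cs"], "/private/tmp"),
        fc(201, fin, 530, "/private/tmp/stage.exe", 0o644),
        ex(205, fin, "jdoe", 531, 501, "/Library/Frameworks/Mono.framework/Commands/mono",
           ["mono", "stage.exe"], "/private/tmp"),
        ex(300, dev, "alice", 700, 600, "/opt/homebrew/bin/gcc-14", ["gcc-14", "-o", "build/tool", "tool.c"], src),
        ex(301, dev, "alice", 701, 700, "/opt/homebrew/opt/gcc/libexec/collect2", ["collect2"], src),
        ex(302, dev, "alice", 702, 701, "/usr/bin/ld", ["ld"], src),
        fc(303, dev, 702, src + "/build/tool", 0o755),
        ex(310, dev, "alice", 703, 600, src + "/build/tool", ["./build/tool"], src),
        ex(400, fin, "jdoe", 540, 501, "/usr/bin/curl", ["curl", "-o", "installer", "https://example.invalid/i"], dl),
        fc(401, fin, 540, dl + "/installer", 0o755),
        ex(402, fin, "jdoe", 541, 501, dl + "/installer", ["./installer"], dl),
    ]


if __name__ == "__main__":
    for finding in correlate(sample_events()):
        print(finding)
```

Run stand-alone it prints two high-severity findings for mac-finance-07 (the clang build in Downloads and the Mono assembly in /private/tmp) and nothing for the approved build on mac-dev-21 or the downloaded installer. The allowlists are where local baselining lives: widen DEV_HOSTS and DEV_DIRS from inventory and approved build locations before the rule is turned on broadly.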
Mitigation priorities
- Inventory macOS endpoints with Xcode CLI tools, GCC, or MONO packages and confirm they are business-justified.
- Define approved development systems and build locations so detection engineering can distinguish expected activity from unusual compilation.
- Restrict or remove compiler tooling from non-development endpoints where operationally feasible.
- Ensure endpoint controls and logging retain process, file creation, and execution evidence needed for incident response.
- Document approved exceptions to support compliance evidence and reduce alert fatigue.
Analyst notes and limits
The supplied object is a detection analytic for macOS only. Its value is strongest as a validation prompt: can the SOC see non-standard local compilation and execution, and can it separate legitimate developer behavior from unusual endpoint activity? Local baselining is essential because compilation can be normal in engineering environments.
The mirrored snapshot of this object carries no detection logic, tactic mapping, or relationship context. This analysis therefore makes no claims about adversary attribution, active exploitation, impact, or guaranteed detection coverage; environment-specific telemetry and documented development workflows are required to operationalize it.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | fad4715f3afa… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1383 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.