AN1396: Analytic 1396
Detection of obfuscated commands via shell, osascript, or AppleScript interpreters using unusual tokens, encoding, variable substitution, or runtime string reconstruction.
Analyst context for executives and security teams
Analytic AN1396 is a macOS-focused detection analytic for spotting obfuscated command execution through shells, osascript, or AppleScript interpreters. Its practical value is that obfuscation often weakens basic command-line review and can delay triage, so leaders should treat this as a validation point for whether macOS endpoint telemetry is detailed enough to support fast incident decisions.
Executive priority
Prioritize this analytic where macOS systems are business-critical, used by privileged staff, or included in regulated environments requiring defensible monitoring evidence. The key business question is not simply whether a rule exists, but whether security teams can reliably collect and review interpreter activity, unusual tokens, encoding, variable substitution, and runtime string reconstruction without excessive noise.
Technical view
SOC and detection teams should validate macOS process and command-line visibility for shell execution, osascript, and AppleScript interpreter use. Because the official object provides no detection logic, teams should treat AN1396 as a detection objective: identify suspicious obfuscation patterns in interpreter command lines or script content, tune against known administrative and developer workflows, and ensure triage playbooks can reconstruct what the command attempted to execute.
Likely telemetry
- macOS process creation events
- Command-line arguments for shell, osascript, and AppleScript interpreter activity
- Parent-child process relationships involving interpreters
- Script execution metadata where available
- Endpoint detection and response alerts or raw telemetry for unusual tokens, encoding, variable substitution, or reconstructed strings
Detection direction
- Confirm that macOS command-line logging is enabled and retained for relevant endpoints.
- Test whether telemetry captures full interpreter arguments rather than truncated or normalized strings.
- Tune detections for obfuscation indicators such as unusual tokens, encoded content, variable substitution, and runtime string reconstruction, while accounting for legitimate administration, automation, and developer activity.
- Review false positives from enterprise scripts, management tools, and software installers that may use complex shell syntax.
- Use this analytic as a coverage validation item because no official detection logic or related ATT&CK technique relationships were supplied.
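As an added illustration that is not part of the ATT&CK object or Glexia's analysis, the Python below applies the four obfuscation indicators listed above to constructed macOS process-creation events, with a parent-process allowlist standing in for the tuning against management tools; the interpreter set, the regex heuristics and the sample events are all assumptions.

```python
import re

# Interpreters the analytic covers: POSIX shells plus osascript (AppleScript).
INTERPRETERS = {"sh", "bash", "zsh", "osascript"}

# Parents whose complex shell syntax is expected in this constructed environment;
# tune against your own management tools and installers before relying on it.
ALLOWED_PARENTS = {"jamf", "installer"}

# One constructed pattern per obfuscation indicator named in the analytic.
INDICATORS = {
    # base64 decoding flags, or a long base64-looking token (tune the length)
    "encoded_content": re.compile(r"base64\s+(?:-d|-D|--decode)\b|\b[A-Za-z0-9+/]{40,}={0,2}"),
    # two variable references back to back, e.g. $a$b or ${a}${b}
    "variable_substitution": re.compile(r"\$\{?\w+\}?\S*\$\{?\w"),
    # strings assembled at runtime: $(printf ...), eval, or AppleScript "a" & "b"
    "runtime_string_reconstruction": re.compile(r"\$\(printf\b|\beval\b|\"\s*&\s*\""),
    # ANSI-C quoting, runs of backslash escapes, or empty quote pairs splitting a word
    "unusual_tokens": re.compile(r"\$'|(?:\\.){3,}|''|\"\""),
}

def indicators_for(cmdline: str) -> list[str]:
    """Return the name of every indicator whose pattern matches the raw command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]

def triage(events: list[dict], allowed_parents: set[str] = ALLOWED_PARENTS) -> list[dict]:
    """Apply the analytic to process-creation events (process, parent, cmdline).
    Only interpreters are inspected; hits spawned by an approved management tool
    are suppressed so they surface as tuning candidates rather than alerts."""
    hits = []
    for ev in events:
        if ev["process"] not in INTERPRETERS:
            continue
        found = indicators_for(ev["cmdline"])
        if found and ev["parent"] not in allowed_parents:
            hits.append({"cmdline": ev["cmdline"], "indicators": found})
    return hits

# Constructed sample telemetry, not real data; every command is harmless on purpose.
SAMPLE_EVENTS = [
    {"process": "bash", "parent": "Terminal", "cmdline": "bash -c 'ls -la /Applications'"},
    {"process": "bash", "parent": "launchd", "cmdline": "bash -c 'echo aG9zdG5hbWU= | base64 -d'"},
    {"process": "zsh", "parent": "Terminal", "cmdline": "zsh -c 'a=host;b=name;$a$b'"},
    {"process": "osascript", "parent": "Finder",
     "cmdline": "osascript -e 'do shell script \"host\" & \"name\"'"},
    {"process": "sh", "parent": "launchd", "cmdline": "sh -c \"$(printf 'ho%sname' st)\""},
    {"process": "bash", "parent": "jamf", "cmdline": "bash -c 'echo aG9zdG5hbWU= | base64 -d'"},
    {"process": "python3", "parent": "Terminal", "cmdline": "python3 -c 'import base64'"},
]
```

Calling `triage(SAMPLE_EVENTS)` yields four hits (the plain `ls`, the `jamf`-spawned decode and the non-interpreter `python3` event are left out); passing `allowed_parents=set()` brings the `jamf` case back as a fifth hit, which is the review-for-tuning path the bullets above describe.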
Mitigation priorities
- Establish baseline visibility for macOS interpreter execution before relying on detection outcomes.
- Restrict or govern unnecessary script and interpreter use where business operations allow.
- Harden endpoint monitoring and retention so incident responders can review original command context.
- Document approved administrative automation patterns to support detection tuning and audit evidence.
- Pair detection validation with incident response procedures for collecting endpoint artifacts and reconstructing obfuscated commands.
Analyst notes and limits
This take is based only on the supplied ATT&CK analytic fields. The object identifies macOS and describes obfuscated commands through shell, osascript, or AppleScript interpreters, but it does not provide specific tactics, relationships, or official detection logic.
No relationship context, ATT&CK tactics, procedures, mitigations, or detailed detection pseudocode were supplied. Local telemetry quality, endpoint configuration, and legitimate macOS automation practices will determine whether this analytic is actionable.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page under Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a9f049a66213… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1396 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.