AN1430: Analytic 1430
Detects launch of command-line interpreters via Terminal, Automator, or hidden `osascript`, especially when parent process lineage deviates from user-initiated applications.
Analyst context for executives and security teams
AN1430 is a macOS detection analytic focused on command-line interpreters being launched through Terminal, Automator, or hidden `osascript`, especially when the parent process chain does not look like normal user activity. For leaders, the value is not the specific tool name; it is whether the organization can recognize suspicious macOS scripting and shell activity early enough to support containment, user validation, and incident triage.
Executive priority
This analytic matters where macOS endpoints are part of executive, developer, creative, or privileged user workflows. Security leaders should ask whether endpoint monitoring captures macOS process lineage well enough to distinguish expected user-driven terminal activity from unusual automation or hidden script-driven execution. It also supports audit and readiness discussions around endpoint visibility, SOC triage quality, and incident response evidence preservation for macOS systems.
Technical view
SOC and detection teams should validate visibility into macOS process creation, parent-child process relationships, command-line arguments, and execution context for Terminal, Automator, and `osascript`. The key analytic concept is lineage deviation: command-line interpreters launched from unexpected parents or hidden script contexts should be reviewed differently from normal interactive Terminal use. Because ATT&CK does not provide a full detection implementation for this object, teams should tune locally against known administrative, developer, and automation workflows.
Likely telemetry
- macOS endpoint process creation events
- Parent and child process lineage
- Command-line arguments for launched interpreters
- Execution context for Terminal, Automator, and `osascript`
- User session or interactive versus non-interactive launch context
Detection direction
- Baseline normal macOS Terminal, Automator, and `osascript` usage by user role and device type.
- Prioritize alerts where command-line interpreters are launched from unexpected parent processes or hidden script contexts.
- Account for legitimate developer, IT administration, accessibility, and automation workflows to reduce false positives.
- Validate that telemetry preserves full parent lineage; shallow process logging may miss the behavior this analytic depends on.
- Correlate suspicious launches with user activity, recent application execution, and endpoint changes before escalating.
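As an added illustration of the lineage-deviation idea described in the technical view and the detection direction above (example code written for this page, not part of the ATT&CK object or Glexia's analysis), the routine below triages constructed macOS process-creation events: the event schema, the interpreter list, the parent allowlists and the per-role baseline are assumptions that a team would replace with its own tuned values.

```python
"""Flag macOS command-line interpreter launches whose parent lineage deviates
from the local baseline. The event schema and all sample events are
constructed assumptions, not an ATT&CK-supplied format."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "perl"}
# Parents that normally spawn an interpreter for interactive Terminal use.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2", "login", "zsh", "bash"}
# Parents that normally host osascript / shell steps for user automation.
AUTOMATION_PARENTS = {"Automator", "Script Editor", "Shortcuts"}
# Role-based baseline (assumed): developer hosts spawn shells from IDEs.
ROLE_PARENTS = {"developer": {"Xcode", "Code"}, "finance": set()}


@dataclass
class ProcEvent:
    pid: int
    name: str            # basename of the launched executable
    parent: str          # basename of the parent process
    cmdline: str         # full command line, kept for analyst review
    tty: Optional[str]   # None when the process has no controlling terminal
    role: str            # user role from the asset inventory


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a finding label, or None when the launch fits the baseline."""
    if ev.name not in INTERPRETERS:
        return None
    allowed = INTERACTIVE_PARENTS | AUTOMATION_PARENTS | ROLE_PARENTS.get(ev.role, set())
    # Hidden osascript: no terminal and not launched by a known automation host.
    if ev.name == "osascript" and ev.tty is None and ev.parent not in AUTOMATION_PARENTS:
        return "hidden_osascript"
    if ev.parent not in allowed:
        return "unexpected_parent"
    return None


def triage(events: List[ProcEvent]) -> List[Tuple[int, str, str, str]]:
    """Return (pid, name, parent, label) for every event that deviates."""
    return [(ev.pid, ev.name, ev.parent, label)
            for ev in events if (label := classify(ev))]


SAMPLE = [  # constructed events for demonstration only
    ProcEvent(101, "zsh", "Terminal", "-zsh", "ttys001", "developer"),
    ProcEvent(102, "bash", "Xcode", "bash build.sh", "ttys002", "developer"),
    ProcEvent(103, "osascript", "Automator", "osascript run.scpt", None, "finance"),
    ProcEvent(104, "osascript", "Preview", "osascript -e 'display dialog 1'", None, "finance"),
    ProcEvent(105, "sh", "Mail", "sh -c id", None, "finance"),
]
```

Running `triage(SAMPLE)` returns only events 104 and 105; the interactive Terminal shell, the IDE-spawned shell on a developer host and the Automator-hosted osascript all match the baseline and produce no finding.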
Mitigation priorities
- Ensure macOS endpoint monitoring is configured to collect process creation, command line, and parent lineage data.
- Define acceptable use and administrative patterns for Terminal, Automator, and script execution on managed macOS assets.
- Apply least privilege and endpoint hardening appropriate to user role, especially for privileged or high-value users.
- Prepare IR playbooks for validating suspicious macOS script or shell execution without relying on a single alert.
- Review detection coverage as part of macOS fleet compliance and security readiness evidence.
Analyst notes and limits
This take is based on ATT&CK analytic AN1430, a detection analytic for macOS command-line interpreter launches via Terminal, Automator, or hidden `osascript` with unusual parent lineage. No tactics, relationships, aliases, labels, or detailed official detection logic were supplied, so local tuning and validation are essential.
The supplied ATT&CK object provides a description but no official detection procedure, no relationship context, and no mapped tactics. This summary does not assert active exploitation, attribution, impact, or guaranteed detection coverage. Applicability depends on the organization’s macOS telemetry depth and normal user workflows.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources (Updates) page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5d25ed9c488c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1430 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.