AN1460: Analytic 1460
Detects use of macOS-native archiving or encryption tools (zip, ditto, hdiutil) for staging collected data. Identifies unexpected invocation of archive utilities by Office apps, browsers, or background daemons. Correlates file creation of .zip/.dmg containers with process lineage anomalies.
Analyst context for executives and security teams
This analytic matters because ordinary macOS utilities such as zip, ditto, and hdiutil can be used to package data into archive or disk image files before it is moved elsewhere. For leaders, the key issue is not the tools themselves, which are legitimate, but whether the organization can distinguish normal business use from unusual staging behavior involving Office apps, browsers, or background daemons.
Executive priority
Prioritize validation where macOS endpoints handle sensitive business data. This behavior can affect incident response speed and audit confidence because defenders need evidence showing who created archive or disk image containers, from which process lineage, and whether the activity was expected. Security leaders should ask whether macOS process and file telemetry is collected consistently enough to support investigations, not just whether an alert exists.
Technical view
For SOC and detection engineering teams, validate monitoring for macOS-native archive and encryption utility execution, specifically zip, ditto, and hdiutil, and correlate those executions with creation of .zip and .dmg files. Give higher scrutiny to unexpected parent-child process relationships involving Office applications, browsers, or background daemons. Because no ATT&CK tactic or relationship context is supplied, this should be treated as a behavioral detection analytic for suspicious data staging rather than a complete intrusion narrative.
Likely telemetry
- macOS process execution events for zip, ditto, and hdiutil
- Parent-child process lineage for Office applications, browsers, background daemons, and archive utilities
- File creation telemetry for .zip and .dmg containers
- Command-line arguments where available
- Endpoint timestamps and user/session context for correlating process and file activity
Detection direction
- Confirm that macOS endpoint telemetry captures process lineage and command-line context for native archive utilities.
- Tune for unexpected invocation of zip, ditto, or hdiutil by Office apps, browsers, or background daemons rather than alerting on all archive creation.
- Correlate process execution with nearby .zip or .dmg file creation to reduce noise.
- Account for legitimate administrative packaging, software deployment, backup, and user compression workflows as likely false-positive sources.
- Review coverage gaps where macOS file creation events or parent process details are unavailable.
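The correlation described in the steps above, as an added example that is not part of the ATT&CK object or Glexia's analysis: a small Python routine that runs over constructed process and file-creation events, flags zip/ditto/hdiutil only when launched by an unexpected parent (Office app, browser, or launchd) and followed within a short window by a .zip or .dmg created under the same user, and stays quiet for ordinary Terminal compression. The parent names, window size, and sample events are assumptions for illustration.

```python
from datetime import datetime, timedelta

ARCHIVE_TOOLS = {"zip", "ditto", "hdiutil"}
# Parents that should not normally spawn archive utilities (assumed names for illustration).
UNEXPECTED_PARENTS = {"Microsoft Word", "Microsoft Excel", "Safari", "Google Chrome", "launchd"}
CONTAINER_EXTS = (".zip", ".dmg")
WINDOW = timedelta(seconds=120)  # assumed correlation window; tune to local baselines

# Constructed sample telemetry, not real endpoint data.
PROCESS_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "parent": "Terminal",
     "name": "zip", "cmdline": "zip -r reports.zip reports"},
    {"ts": "2024-05-01T09:10:00", "user": "bob", "parent": "Microsoft Word",
     "name": "ditto", "cmdline": "ditto -c -k Documents /tmp/d.zip"},
    {"ts": "2024-05-01T09:20:00", "user": "carol", "parent": "launchd",
     "name": "hdiutil", "cmdline": "hdiutil create -srcfolder /var/tmp/x x.dmg"},
    {"ts": "2024-05-01T09:30:00", "user": "dave", "parent": "Safari",
     "name": "zip", "cmdline": "zip -r /tmp/s.zip Desktop"},
]
FILE_EVENTS = [
    {"ts": "2024-05-01T09:00:05", "user": "alice", "path": "/Users/alice/reports.zip"},
    {"ts": "2024-05-01T09:10:03", "user": "bob", "path": "/tmp/d.zip"},
    {"ts": "2024-05-01T09:45:00", "user": "carol", "path": "/var/tmp/x.dmg"},  # outside window
    {"ts": "2024-05-01T09:30:02", "user": "dave", "path": "/tmp/s.zip"},
]

def _ts(s):
    return datetime.fromisoformat(s)

def correlate(process_events, file_events, window=WINDOW):
    """Flag archive-tool launches from an unexpected parent that are followed, within
    `window`, by a .zip/.dmg creation under the same user. A lone process event or a
    lone file event is never alerted on, which keeps ordinary compression quiet."""
    alerts = []
    for p in process_events:
        if p["name"] not in ARCHIVE_TOOLS or p["parent"] not in UNEXPECTED_PARENTS:
            continue
        start = _ts(p["ts"])
        containers = [
            f["path"] for f in file_events
            if f["user"] == p["user"]
            and f["path"].lower().endswith(CONTAINER_EXTS)
            and start <= _ts(f["ts"]) <= start + window
        ]
        if containers:
            alerts.append({"user": p["user"], "parent": p["parent"], "tool": p["name"],
                           "cmdline": p["cmdline"], "containers": containers})
    return alerts

if __name__ == "__main__":
    for a in correlate(PROCESS_EVENTS, FILE_EVENTS):
        print(f"{a['user']}: {a['parent']} -> {a['tool']} created {a['containers']}")
```

Widening the window turns the launchd/hdiutil case into an alert as well, which is the noise-versus-coverage trade-off the tuning step above refers to.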
Mitigation priorities
- Ensure macOS endpoint logging and EDR policies retain process lineage, command-line, user, and file creation evidence needed for investigation.
- Define approved administrative and business use cases for native archiving tools to support alert tuning.
- Restrict or monitor unusual automation paths where background daemons or user-facing apps invoke archive utilities unexpectedly.
- Use incident response playbooks to triage archive or disk image creation alongside user context, source application, file location, and timing.
- Maintain evidence retention sufficient for compliance and post-incident reconstruction of data staging activity.
Analyst notes and limits
The supplied object is a detection analytic for macOS and provides a clear behavioral description, but no official detection logic, tactics, or relationships. The most useful operational approach is to validate telemetry quality and tune around process lineage anomalies plus .zip/.dmg creation rather than treating native tool use as inherently malicious.
This take is limited to the supplied ATT&CK fields. It does not establish active exploitation, attribution, impact, or guaranteed detection coverage. Local baselines are required to determine which Office, browser, daemon, archive, and disk image creation patterns are abnormal in a specific environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5dd8b1fd8217… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1460
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.