AN1513: Analytic 1513
Office apps or scripts writing files followed by xattr manipulation (to evade quarantine) and subsequent HTTPS uploads. Defender perspective: anomalous file modification + outbound TLS traffic originating from non-networking apps (Word, Excel, Preview).
Analyst context for executives and security teams
This analytic matters because it describes a macOS pattern where productivity or document-viewing applications, or scripts, modify files, manipulate extended attributes to evade quarantine, and then upload over HTTPS. For leaders, the value is not just detecting one event; it is validating whether the organization can see suspicious file handling and outbound encrypted traffic from applications that normally should not be acting like upload clients.
Executive priority
Prioritize this where macOS endpoints are used for business workflows involving Office apps, Preview, or scripts. The key business question is whether SOC and IR teams can prove visibility into file modification, xattr changes, and outbound TLS connections from non-networking apps. This supports incident decision-making, compliance evidence for endpoint monitoring, and resilience against data movement or quarantine-evasion scenarios without assuming any specific actor or active exploitation.
Technical view
For macOS, validate correlation across three behaviors from the ATT&CK analytic: Office apps or scripts writing files, subsequent xattr manipulation associated with quarantine evasion, and HTTPS uploads from processes such as Word, Excel, or Preview. Because no ATT&CK detection logic is provided, teams should build or test detections around process identity, process lineage, file modification timing, xattr activity, and outbound TLS destinations. Treat this as a behavioral analytic requiring local baselining of legitimate Office, Preview, and scripting activity.
Likely telemetry
- macOS endpoint process execution and process lineage
- File creation or modification events by Office apps, Preview, or scripts
- Extended attribute/xattr modification events, especially quarantine-related attributes
- Outbound network connection logs from endpoint processes
- TLS/HTTPS connection metadata, including process name, destination, timing, and volume where available
Detection direction
- Correlate file writes followed by xattr manipulation and then outbound HTTPS activity within a defensible time window.
- Focus on non-networking or document-centric apps, including Word, Excel, and Preview, initiating outbound TLS after file and xattr activity.
- Baseline legitimate application update, document sync, and user-driven upload workflows to reduce false positives.
- Confirm whether endpoint tooling records xattr changes; lack of this telemetry is a major blind spot for this analytic.
- Review detections for scripts separately from GUI applications, because script-driven file and xattr activity may have different baselines.
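The correlation described above, as an added example that is not part of the ATT&CK object or the Glexia page: a small Python routine that chains file write, quarantine xattr change and outbound :443 connection per process within a time window, run over constructed sample events. The normalized event fields, the `DOC_APPS` set and the window size are assumptions; real EDR schemas differ, and `com.apple.quarantine` is the standard macOS quarantine attribute name.

```python
from dataclasses import dataclass

DOC_APPS = {"Microsoft Word", "Microsoft Excel", "Preview", "osascript"}  # assumed list
WINDOW_SECONDS = 300                       # correlation window; tune to local baselines
QUARANTINE_ATTR = "com.apple.quarantine"   # macOS quarantine extended attribute

@dataclass
class Event:
    ts: int        # epoch seconds
    pid: int
    process: str
    kind: str      # "file_write" | "xattr_modify" | "net_connect"
    detail: str    # file path, attribute name, or "host:port"

def correlate(events, window=WINDOW_SECONDS):
    """One alert per process showing file_write -> quarantine xattr change ->
    outbound :443 connection, in that order, within `window` seconds."""
    by_pid = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid.setdefault(ev.pid, []).append(ev)
    alerts = []
    for pid, evs in by_pid.items():
        for i, w in enumerate(evs):
            if w.kind != "file_write" or w.process not in DOC_APPS:
                continue  # only document apps / scripts are in scope here
            later = [e for e in evs[i + 1:] if e.ts - w.ts <= window]
            xa = next((e for e in later if e.kind == "xattr_modify"
                       and e.detail == QUARANTINE_ATTR), None)
            if xa is None:
                continue  # file write without quarantine xattr step: no chain
            net = next((e for e in later if e.kind == "net_connect"
                        and e.ts >= xa.ts and e.detail.endswith(":443")), None)
            if net is not None:
                alerts.append({"pid": pid, "process": w.process,
                               "file": w.detail, "dest": net.detail})
                break  # one alert per process is enough for triage
    return alerts

# Constructed sample telemetry (not real logs): full chain from Word, benign
# Excel sync without an xattr step, and a browser chain outside DOC_APPS.
SAMPLE_EVENTS = [
    Event(1000, 4242, "Microsoft Word", "file_write", "/Users/u/Desktop/report.docx"),
    Event(1030, 4242, "Microsoft Word", "xattr_modify", "com.apple.quarantine"),
    Event(1090, 4242, "Microsoft Word", "net_connect", "203.0.113.10:443"),
    Event(2000, 5151, "Microsoft Excel", "file_write", "/Users/u/Documents/q.xlsx"),
    Event(2040, 5151, "Microsoft Excel", "net_connect", "sync.example:443"),
    Event(3000, 6161, "Safari", "file_write", "/Users/u/Downloads/x.pdf"),
    Event(3010, 6161, "Safari", "xattr_modify", "com.apple.quarantine"),
    Event(3020, 6161, "Safari", "net_connect", "198.51.100.5:443"),
]
```

Only the Word process produces an alert; shrinking the window below the gap between the xattr change and the connection suppresses it, which is the knob to tune against local baselines.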
Mitigation priorities
- Ensure macOS endpoint monitoring can capture process, file modification, xattr, and network connection evidence needed for this behavior.
- Review policy and control expectations for Office apps, Preview, and scripts initiating outbound HTTPS uploads.
- Harden and monitor workflows where scripts manipulate downloaded or generated files on macOS systems.
- Prepare IR triage steps that preserve file metadata, process lineage, and network destination evidence when this pattern is observed.
- Use local baselines and business-owner input before blocking activity, since legitimate document workflows may include file writes and HTTPS uploads.
Analyst notes and limits
This is a detection analytic object, not a technique or campaign description. The supplied ATT&CK fields identify macOS as the platform and describe a behavioral chain involving Office apps or scripts, xattr manipulation, quarantine evasion, and HTTPS uploads from non-networking apps such as Word, Excel, and Preview. No tactics, relationships, aliases, or official detection logic were supplied.
This take is limited to the provided ATT&CK analytic fields and external reference. It does not establish actor attribution, active exploitation, prevalence, impact, or guaranteed detection coverage. Local telemetry availability, application baselines, and business workflow context are required to determine severity and response.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5de7588b71db… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1513 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.