AN1540: Analytic 1540
Identify use of 'shutdown', 'reboot', or 'osascript' system shutdown invocations within unified logs and track unexpected shutdown sequences initiated by GUI or script. Cross-reference with user activity or absence thereof.
Analyst context for executives and security teams
This analytic matters because unexpected macOS shutdown or reboot activity can interrupt business operations, disrupt investigations, or indicate scripted misuse of legitimate system functions. For leaders, the decision value is whether the organization can distinguish normal user-initiated restarts from suspicious or automated shutdown sequences using macOS unified logs and user activity context.
Executive priority
Prioritize this where macOS endpoints support critical users, privileged administrators, executive staff, development teams, or operational workflows where unplanned shutdowns affect continuity or incident response evidence. The key governance question is whether SOC and IR teams can prove when a shutdown occurred, who or what initiated it, and whether it aligned with expected user activity. This also supports audit and readiness discussions around endpoint logging, retention, and investigation quality.
Technical view
Validate collection and searchability of macOS unified logs for invocations or events associated with 'shutdown', 'reboot', and 'osascript' system shutdown behavior. Because the supplied ATT&CK object has no tactic mapping, relationships, or formal detection logic, teams should treat this as a focused analytic pattern rather than a complete detection. Correlate shutdown sequences with interactive user activity, scripted execution context, time of day, device role, and whether expected maintenance or user action explains the event.
Likely telemetry
- macOS unified logs containing shutdown or reboot-related events
- Process or command execution evidence for shutdown, reboot, and osascript where available
- User session and interactive activity records around the shutdown time
- Endpoint management or maintenance schedule records for expected restarts
- Device identity, hostname, user identity, and timestamp context for correlation
Detection direction
- Confirm that macOS unified logs are collected with sufficient retention and can be queried centrally during investigations.
- Tune for unexpected shutdown sequences rather than every legitimate reboot, using user activity or absence of user activity as required context.
- Separate expected software updates, endpoint management actions, and user-initiated restarts from unusual GUI or script-driven shutdown behavior.
- Review whether osascript-based shutdown activity is visible in available telemetry, since scripted GUI automation may be missed if only basic event summaries are collected.
- Use this analytic as a triage lead; absence of supplied ATT&CK tactics, relationships, and detection logic means local baselining is required before alerting at high severity.
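The correlation described under "Technical view" and the tuning points above, worked through as an added example (not part of the ATT&CK object or of Glexia's tooling): constructed records shaped like `log show --style json` output are scanned for shutdown, reboot, and osascript-driven shutdown invocations, then each hit is classified using the presence or absence of recent interactive GUI activity and an assumed list of approved restart sources. The field names, the approved-source and interactive-process lists, and the 15-minute idle window are assumptions to be replaced with local baselines.

```python
# Added example: triage of constructed macOS unified-log records (field names assumed).
from datetime import datetime, timedelta
from pathlib import PurePosixPath

SHUTDOWN_BINARIES = {"shutdown", "reboot", "halt"}
APPROVED_SOURCES = {"softwareupdated", "mdmclient"}  # assumed approved restart sources
INTERACTIVE = {"loginwindow", "WindowServer"}          # assumed markers of a live GUI session
IDLE_WINDOW = timedelta(minutes=15)                    # assumed local baseline

def _ts(rec):
    return datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S")

def _proc(rec):
    return PurePosixPath(rec["processImagePath"]).name

def is_shutdown_event(rec):
    """Shutdown binaries, or osascript/approved sources whose message asks for a shutdown or restart."""
    name = _proc(rec)
    msg = rec["eventMessage"].lower()
    if name in SHUTDOWN_BINARIES:
        return True
    asks_shutdown = any(k in msg for k in ("shut down", "shutdown", "restart", "reboot"))
    return asks_shutdown and name in {"osascript"} | APPROVED_SOURCES

def classify(event, records):
    """Return (verdict, reason) for one shutdown event, using the other records as context."""
    t, src = _ts(event), _proc(event)
    if src in APPROVED_SOURCES:
        return "expected", f"initiated by approved source {src}"
    if src == "osascript":
        return "unexpected", "script-driven GUI shutdown via osascript"
    recent = [r for r in records if _proc(r) in INTERACTIVE and t - IDLE_WINDOW <= _ts(r) < t]
    if not recent:
        minutes = int(IDLE_WINDOW.total_seconds() // 60)
        return "unexpected", f"no interactive activity in the {minutes} minutes before shutdown"
    return "review", "user-initiated shutdown with recent interactive activity"

def triage(records):
    """(timestamp, process, verdict, reason) for every shutdown-related record."""
    return [(e["timestamp"], _proc(e), *classify(e, records)) for e in records if is_shutdown_event(e)]

SAMPLE = [  # constructed records, not real log output
    {"timestamp": "2026-03-02 09:58:10", "processImagePath": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow", "eventMessage": "user session active"},
    {"timestamp": "2026-03-02 10:02:33", "processImagePath": "/sbin/shutdown", "eventMessage": "shutdown -r now by alice"},
    {"timestamp": "2026-03-03 02:13:05", "processImagePath": "/sbin/reboot", "eventMessage": "reboot requested"},
    {"timestamp": "2026-03-03 03:00:00", "processImagePath": "/usr/libexec/mdmclient", "eventMessage": "MDM RestartDevice command"},
    {"timestamp": "2026-03-03 11:20:41", "processImagePath": "/usr/bin/osascript", "eventMessage": "System Events: shut down"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Records feeding this in practice would come from centrally collected unified logs; the verdicts are triage leads to be baselined locally, as the analytic itself notes.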
Mitigation priorities
- Establish reliable macOS logging and retention before relying on this analytic for SOC or IR decisions.
- Define approved restart and shutdown sources, including endpoint management tools and maintenance windows.
- Restrict or monitor administrative and scripting capabilities according to role need, especially on sensitive macOS endpoints.
- Document investigation playbooks for unexpected shutdowns, including user validation, maintenance checks, and preservation of available logs.
- Use findings to improve endpoint hardening and operational change control, rather than treating every shutdown event as malicious.
Analyst notes and limits
The supplied object is a detection analytic for macOS focused on identifying shutdown, reboot, or osascript-driven shutdown invocations in unified logs and correlating them with user activity. No ATT&CK tactic, technique relationship, adversary relationship, or formal detection content was supplied, so the take is intentionally framed around validation and readiness rather than threat attribution or confirmed malicious behavior.
Coverage and fidelity depend on local macOS logging configuration, centralized collection, retention, process visibility, and access to user activity context. The source fields do not provide tactics, related techniques, examples, mitigations, or detection pseudocode, so organizations must build and test environment-specific logic.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | bdafb49de51a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1540
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.