Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1852: Analytic 1852

Defender correlates a sandboxed app downloading or receiving opaque/encoded blobs, writing high-entropy content into container/tmp, performing decode/decompress/reassembly, and then executing/loaded as Mach-O or bundle (dlopen) or leveraging JIT/RWX pages to run the decoded payload. Sequence: opaque download or IPC → high-entropy writes/split-file bursts → decode/unarchive → new Mach-O/bundle in tmp → dlopen/posix_spawn or RWX region activity.

MobileAN1852AnalyticObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN1852 describes an iOS detection analytic for a sandboxed app that receives opaque or encoded content, reconstructs it in temporary storage, and then runs it as executable code or through JIT/RWX memory activity. For leaders, the practical issue is that mobile risk is not only about installed app names; runtime behavior can matter when an app stages and executes content after installation.

Executive priority

Prioritize this as a mobile application integrity and incident-readiness question: can the organization see suspicious runtime payload staging on managed iOS devices, and does it have a decision path for isolating devices, preserving evidence, and protecting associated identities if such behavior appears? This is especially relevant where iOS devices access sensitive business data or regulated systems.

Technical view

Validate whether mobile telemetry can correlate the sequence in the official analytic: opaque download or IPC, high-entropy writes or split-file bursts in the app container/tmp path, decode/decompress/reassembly activity, creation of a Mach-O or bundle in tmp, followed by dlopen, posix_spawn, or RWX/JIT memory activity. Because ATT&CK provides no separate detection text and no relationship context, engineering should treat this as a behavior-correlation pattern rather than a complete rule.

Likely telemetry

  • iOS managed device or mobile EDR telemetry tied to app identity and sandbox/container paths
  • Network download or inter-process communication indicators for opaque or encoded blobs
  • Filesystem events for high-entropy writes, split-file bursts, and temporary directory activity inside app containers
  • Archive, decode, decompress, or reassembly activity where observable
  • Module or executable load evidence, including Mach-O or bundle creation/loading

Detection direction

  • Correlate events as a sequence instead of alerting on any single artifact, since temporary files, compressed content, and high-entropy data may be legitimate.
  • Baseline managed iOS apps that normally download compressed assets, media, models, or updates to reduce false positives.
  • Prioritize alerts where new Mach-O or bundle content appears in tmp and is subsequently loaded or executed by the same sandboxed app.
  • Validate whether the deployed iOS security stack can observe dlopen, posix_spawn, RWX/JIT activity, and app-container file writes; these are common coverage gaps.
  • Document gaps explicitly for SOC triage and compliance evidence, since the ATT&CK object does not provide a finished detection rule.

Mitigation priorities

  • Use managed app inventory and policy controls to limit unapproved or unmanaged apps on devices that access business data.
  • Ensure mobile device management and mobile threat detection coverage is deployed where this behavior would materially affect business risk.
  • Keep iOS and managed applications current to reduce exposure to known platform or app weaknesses, without treating patching as sufficient detection coverage.
  • Define incident response steps for suspicious mobile runtime execution, including device isolation, evidence preservation, app removal decisions, and review of business account sessions or tokens.
  • For high-risk users or sensitive workflows, require stronger mobile access controls and conditional access based on device compliance signals.
Analyst notes and limits

This analytic is most useful as a validation checklist for mobile detection engineering: can the team see a staged-code execution chain inside an iOS app sandbox? It also gives executives a concrete way to ask whether mobile security monitoring goes beyond inventory and compliance posture.

Official detection text, tactics, aliases, labels, and relationship context were not supplied. The object is limited to iOS and should not be generalized to other platforms. Actual observability depends heavily on local MDM, mobile EDR, device supervision, privacy constraints, and available endpoint telemetry.

Official MITRE ATT&CK definition

Analytic 1852

Defender correlates a sandboxed app downloading or receiving opaque/encoded blobs, writing high-entropy content into container/tmp, performing decode/decompress/reassembly, and then executing/loaded as Mach-O or bundle (dlopen) or leveraging JIT/RWX pages to run the decoded payload. Sequence: opaque download or IPC → high-entropy writes/split-file bursts → decode/unarchive → new Mach-O/bundle in tmp → dlopen/posix_spawn or RWX region activity.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
33543057e724e9e7...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle 33543057e724…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1852
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use