MITRE ATT&CK® Analytic

AN2036: Analytic 2036

Detects user-authorized execution of downloaded content or scripts after communication prompts, including browser downloads followed by osascript, shell, or installer execution and subsequent network activity.

Domain: Enterprise | ID: AN2036 | Type: Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is relevant because it focuses on a common macOS risk pattern: a user approves or initiates activity after a prompt, downloaded content runs, and the system then reaches out to the network. For leaders, the value is not only malware detection; it is validating whether the organization can see the full chain from browser download to script, shell, or installer execution and outbound activity on macOS endpoints.

Executive priority

Prioritize this as a control-validation question for macOS environments: can security teams prove they collect enough endpoint and network evidence to investigate user-authorized downloaded execution? This matters for incident triage, audit evidence around endpoint monitoring, and reducing business disruption from social-engineering-driven execution paths. Because no ATT&CK relationships or tactic mapping are supplied, treat it as a detection engineering and readiness item rather than proof of a specific campaign or threat actor behavior.

Technical view

SOC and detection engineering teams should validate whether macOS telemetry can correlate browser-originated downloads with subsequent execution by osascript, shell processes, or installer activity, followed by network connections. The supplied object does not include an official detection implementation, so teams should build or assess logic around event sequencing, parent/child process context, download provenance where available, and post-execution network activity. IR teams should confirm playbooks can preserve enough evidence to distinguish expected user-installed software from suspicious downloaded scripts or installers.

Likely telemetry

  • macOS endpoint process execution events
  • Browser download or file creation evidence for downloaded content
  • Command-line details for osascript, shell, and installer execution
  • Parent/child process relationships linking browsers, downloaded files, scripts, shells, or installers
  • Network connection telemetry following execution

Detection direction

  • Validate end-to-end correlation from browser download to execution to outbound network activity rather than alerting on isolated osascript, shell, or installer use alone.
  • Tune for legitimate software installation, developer activity, enterprise management tools, and helpdesk workflows that may create similar macOS execution patterns.
  • Confirm telemetry includes command-line arguments, process ancestry, file paths, and timing; without these, the analytic may produce weak or non-actionable alerts.
  • Use network activity after execution as a prioritization signal, but avoid assuming maliciousness without local context and investigation.
  • Because no official detection text or relationships are supplied, document local assumptions, data dependencies, and test cases before treating this as a production-ready analytic.
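The end-to-end correlation described in the technical view and the detection-direction list above, as an added example that is not part of the analytic or of Glexia's page: a small Python sequencer over constructed macOS-style events that only alerts when a browser download is followed, within a window, by osascript, shell or installer execution referencing that file, and then by a network connection from that process or a direct child. Browser names, the 10-minute window, the allowlisted parent "mgmt-agent" and all sample events are assumptions.

```python
from dataclasses import dataclass

BROWSERS = {"Safari", "Google Chrome", "firefox"}             # assumed browser process names
EXEC_NAMES = {"osascript", "sh", "bash", "zsh", "installer"}  # execution stage of the chain
WINDOW_S = 600  # assumed: each stage must follow the previous one within 10 minutes

@dataclass
class Event:
    ts: int            # epoch seconds
    kind: str          # "file_create", "proc_exec" or "net_conn"
    pid: int
    ppid: int
    name: str          # process name
    parent: str = ""   # parent process name (ancestry)
    path: str = ""     # file written (file_create)
    cmdline: str = ""  # full command line (proc_exec)
    dest: str = ""     # remote endpoint (net_conn)

def correlate(events, window=WINDOW_S, allow_parents=frozenset()):
    """Return one alert per completed download -> execution -> network chain."""
    downloads, staged, alerts = {}, {}, []  # path -> (ts, browser); exec pid -> alert
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "file_create" and e.name in BROWSERS:
            downloads[e.path] = (e.ts, e.name)
        elif e.kind == "proc_exec" and e.name in EXEC_NAMES:
            if e.parent in allow_parents:  # tuned-out management or helpdesk tooling
                continue
            for path, (dts, browser) in downloads.items():
                if path in e.cmdline and 0 <= e.ts - dts <= window:  # download provenance
                    staged[e.pid] = {"browser": browser, "download": path, "exec": e.name,
                                     "exec_pid": e.pid, "cmdline": e.cmdline, "exec_ts": e.ts}
                    break
        elif e.kind == "net_conn":
            hit = staged.get(e.pid) or staged.get(e.ppid)  # the process itself or a direct child
            if hit and "dest" not in hit and 0 <= e.ts - hit["exec_ts"] <= window:
                hit["dest"] = e.dest
                alerts.append(hit)
    return alerts

D = "/Users/alice/Downloads/"  # constructed sample telemetry follows; 203.0.113.0/24 is documentation space
SAMPLE = [  # positional order: ts, kind, pid, ppid, name, parent, path, cmdline, dest
    Event(100, "file_create", 500, 1, "Safari", "launchd", D + "invoice.scpt"),
    Event(160, "proc_exec", 610, 600, "osascript", "Terminal", "", "osascript " + D + "invoice.scpt"),
    Event(165, "net_conn", 620, 610, "curl", "osascript", dest="203.0.113.10:443"),
    Event(300, "file_create", 501, 1, "Google Chrome", "launchd", D + "Tool.pkg"),
    Event(320, "proc_exec", 700, 690, "installer", "mgmt-agent", "", "installer -pkg " + D + "Tool.pkg -target /"),
    Event(330, "net_conn", 700, 690, "installer", "mgmt-agent", dest="203.0.113.20:443"),
    Event(400, "proc_exec", 800, 790, "osascript", "Terminal", "", "osascript -e 'display dialog \"hi\"'"),
    Event(405, "net_conn", 800, 790, "osascript", "Terminal", dest="203.0.113.30:443"),
]
```

Running `correlate(SAMPLE, allow_parents={"mgmt-agent"})` yields a single alert for the osascript chain; the isolated osascript at ts 400 never alerts because no downloaded path appears in its command line, and the installer chain is dropped only when its parent is allowlisted.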

Mitigation priorities

  • First, ensure macOS endpoint logging and network visibility are sufficient to reconstruct the described sequence.
  • Next, review controls governing execution of downloaded files, scripts, and installers, especially where user approval can enable execution.
  • Harden user and administrative workflows so routine software installation and script execution are authorized, documented, and distinguishable from unusual activity.
  • Maintain incident response procedures for collecting process, file, user, and network evidence from macOS systems.
  • Use awareness and policy controls to reduce risky user approval of unexpected downloads or scripts, while recognizing that the supplied object is a detection analytic and does not prescribe a specific mitigation.

Analyst notes and limits

This object is a MITRE ATT&CK detection analytic for macOS, external ID AN2036, describing detection of user-authorized execution of downloaded content or scripts after communication prompts, including browser downloads followed by osascript, shell, or installer execution and subsequent network activity. No ATT&CK tactic, official detection logic, aliases, labels, or relationship context were supplied.

The source fields are sparse. There is no official detection implementation, no related technique or tactic mapping in the supplied context, and no relationship data. Local environment baselines are required to assess expected macOS software installation, scripting, browser behavior, and network patterns.

Official MITRE ATT&CK definition

Analytic 2036

Detects user-authorized execution of downloaded content or scripts after communication prompts, including browser downloads followed by osascript, shell, or installer execution and subsequent network activity.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not supplied)
Modified: (not supplied)
Raw hash: 85ab4ec34f764ead...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not supplied) | 1.0 | (not supplied) | Current bundle | 85ab4ec34f76…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN2036 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.