MITRE ATT&CK® Analytic

AN2065: Analytic 2065

Detection identifies execution of scripts or applications containing invisible Unicode payloads reconstructed at runtime, correlated with abnormal AppleScript, JavaScript for Automation, or shell execution and subsequent process or network behavior inconsistent with visible file content.

Domain: Enterprise · ID: AN2065 · Type: Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because it focuses on a macOS evasion pattern: scripts or applications whose true payload is hidden in invisible Unicode characters and reconstructed only at runtime. For security leaders, the decision value is whether macOS monitoring can compare what a file appears to contain with what actually executes, especially when AppleScript, JavaScript for Automation, or shell activity follows behavior that does not match the visible content.

Executive priority

Treat this as a control-validation item for macOS endpoint visibility and incident readiness. The business risk is not tied to a named actor or confirmed campaign in the supplied object; it is that hidden-content execution can undermine code review, user inspection, and basic file-content checks. Leaders should ask whether endpoint logging, managed detection, and IR processes can preserve script content, command execution context, child-process activity, and network follow-on behavior well enough to explain what ran and why.

Technical view

Validate macOS detections that correlate three evidence points: (1) files or scripts containing invisible Unicode content; (2) runtime reconstruction or execution through AppleScript, JavaScript for Automation, or shell processes; and (3) subsequent process or network behavior inconsistent with the visible file content. Because the ATT&CK object provides no tactic mapping, relationship context, or detailed detection logic, teams should implement this as a behavior-correlation analytic rather than a single-indicator rule.

Likely telemetry

  • macOS endpoint process execution telemetry, including parent/child process relationships
  • Script interpreter activity for AppleScript, JavaScript for Automation, and shell execution
  • File content or metadata inspection capable of identifying invisible Unicode characters in scripts or applications
  • Command-line and script execution context where available
  • Network connection telemetry following suspicious script or application execution

Detection direction

  • Confirm whether current macOS telemetry can identify invisible Unicode characters in files before or at execution time.
  • Correlate suspicious file content with abnormal AppleScript, JavaScript for Automation, or shell execution instead of alerting on Unicode presence alone.
  • Tune for follow-on behavior that is inconsistent with visible file content, such as unexpected child processes or network activity.
  • Account for false positives from legitimate internationalization, formatting, or developer use of Unicode by requiring execution and behavioral correlation.
  • Document gaps where EDR, logging, or file inspection does not retain enough script content or command context for IR reconstruction.
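The Technical view and Detection direction above describe a three-part correlation: invisible Unicode content in a file, execution of that file by a script interpreter, and follow-on process or network activity. The following is an added example (not MITRE's or Glexia's code) of how that correlation can be expressed. The event schema, the interpreter list, the run-length threshold, and the sample files and events are all constructed assumptions; it is deliberately a detection-side check and does not reconstruct any hidden content.

```python
"""Added example: behaviour-correlation check in the shape of AN2065.
File content, interpreter execution and follow-on activity must all line up."""
import unicodedata
from collections import defaultdict

# Variation selectors render as nothing but are category Mn, not Cf, so they
# are listed explicitly; everything in general category Cf (zero-width
# characters, BOM, bidi controls, Unicode tag characters) is caught generically.
INVISIBLE_RANGES = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))
INTERPRETERS = {"osascript", "sh", "bash", "zsh"}   # AppleScript/JXA and shells
RUN_THRESHOLD = 16   # assumed: legitimate i18n text uses isolated invisibles


def is_invisible(ch: str) -> bool:
    """True for code points that take up no visible space in an editor."""
    cp = ord(ch)
    if unicodedata.category(ch) == "Cf":
        return True
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)


def scan_text(text: str) -> dict:
    """Count invisible code points and the longest consecutive run of them.
    A long run is the signal; a handful of isolated ones is normal text."""
    total = run = longest = 0
    distinct = set()
    for ch in text:
        if is_invisible(ch):
            total += 1
            run += 1
            longest = max(longest, run)
            distinct.add(f"U+{ord(ch):04X}")
        else:
            run = 0
    return {"invisible_total": total, "longest_run": longest,
            "distinct": sorted(distinct), "suspicious": longest >= RUN_THRESHOLD}


def correlate(file_scans: dict, events: list) -> list:
    """Alert only on the conjunction the analytic requires: suspicious file
    content + interpreter execution of that file + follow-on process/network."""
    children = defaultdict(list)
    for ev in events:
        if ev["type"] == "process":
            children[ev["ppid"]].append(ev)
    alerts = []
    for ev in events:
        if ev["type"] != "process" or ev["image"] not in INTERPRETERS:
            continue
        paths = [p for p in file_scans if p in ev["cmdline"]]
        if not paths or not file_scans[paths[0]]["suspicious"]:
            continue
        lineage = {ev["pid"]} | {c["pid"] for c in children[ev["pid"]]}
        follow_on = [c["image"] for c in children[ev["pid"]]]
        follow_on += [f"net:{n['dst']}" for n in events
                      if n["type"] == "network" and n["pid"] in lineage]
        if follow_on:
            alerts.append({"pid": ev["pid"], "interpreter": ev["image"],
                           "file": paths[0],
                           "invisible_chars": file_scans[paths[0]]["invisible_total"],
                           "follow_on": follow_on})
    return alerts


# Constructed sample files. build.sh carries a 43-character run of zero-width
# characters inside a comment; deploy.sh contains only legitimate i18n
# characters (a Persian word with ZWNJ, an emoji with a variation selector).
HIDDEN_SCRIPT = ("#!/bin/sh\n# build helper\u200b\u200c\u200d"
                 + "\u200b\u200c" * 20 + "\necho build\n")
BENIGN_SCRIPT = ("#!/bin/sh\n# \u0645\u06cc\u200c\u062e\u0648\u0627\u0647\u0645 "
                 "\u2714\ufe0f\necho deploy\n")
FILES = {"/Users/dev/build.sh": HIDDEN_SCRIPT, "/Users/dev/deploy.sh": BENIGN_SCRIPT}

# Constructed endpoint events (203.0.113.0/24 is the TEST-NET-3 documentation range).
EVENTS = [
    {"type": "process", "pid": 500, "ppid": 400, "image": "sh",
     "cmdline": "sh /Users/dev/build.sh"},
    {"type": "process", "pid": 501, "ppid": 500, "image": "curl",
     "cmdline": "curl https://203.0.113.10/"},
    {"type": "network", "pid": 501, "dst": "203.0.113.10:443"},
    {"type": "process", "pid": 600, "ppid": 400, "image": "sh",
     "cmdline": "sh /Users/dev/deploy.sh"},
    {"type": "process", "pid": 601, "ppid": 600, "image": "git",
     "cmdline": "git push"},
]


def run_demo() -> list:
    """Scan the sample files and correlate them with the sample events."""
    scans = {path: scan_text(text) for path, text in FILES.items()}
    return correlate(scans, EVENTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running it yields one alert, for the interpreter that executed build.sh and then spawned curl with an outbound connection; deploy.sh is never flagged even though it also spawns a child, because its two invisible characters are isolated i18n use rather than a run. That is the false-positive handling the Detection direction calls for: Unicode presence alone never alerts, and neither does execution alone.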

Mitigation priorities

  • Prioritize macOS endpoint visibility for script execution, process lineage, and network follow-on behavior.
  • Apply least-privilege and execution-control practices to reduce unnecessary script and automation execution paths where operationally feasible.
  • Review security monitoring coverage for AppleScript, JavaScript for Automation, and shell usage on managed macOS systems.
  • Ensure incident response procedures preserve suspicious files and execution context so hidden payload reconstruction can be analyzed.
  • Use this analytic as audit evidence only after validating that the required telemetry is collected and retained.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for macOS, external ID AN2065, describing detection of invisible Unicode payloads reconstructed at runtime and correlated with abnormal AppleScript, JavaScript for Automation, shell, process, or network behavior. No relationships, tactics, aliases, labels, or official detection implementation were supplied.

This take is limited to the official STIX fields and the single MITRE external reference. It does not establish active exploitation, attribution, prevalence, impact, or guaranteed detection coverage. Local validation is required to determine whether an organization collects the file-content, script-execution, process, and network telemetry needed for this analytic.

Official MITRE ATT&CK definition

Analytic 2065

Detection identifies execution of scripts or applications containing invisible Unicode payloads reconstructed at runtime, correlated with abnormal AppleScript, JavaScript for Automation, or shell execution and subsequent process or network behavior inconsistent with visible file content.

View the same entry on attack.mitre.org (the MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (no value shown)
Modified: (no value shown)
Raw hash: 1ecc5add250874a3...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (no value shown) | 1.0 | (no value shown) | Current bundle | 1ecc5add2508…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN2065 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.