MITRE ATT&CK® Analytic

AN0784: Analytic 0784

Identifies archive utilities (e.g., ditto, unzip, xar, pkgutil) used to extract payloads to non-standard paths, then correlates with execution or file permission changes (e.g., `chmod +x`) and process spawns from decompressed location.

Domain: Enterprise | Object: AN0784 (Analytic) | Version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because archive extraction is a routine way for software to arrive on a Mac, so the extraction itself is rarely a signal. Extraction into an unusual location that is then followed by an executable-bit change, or by a process launched from that location, is a useful warning sign. For security leaders, the value is not the archive tool itself; it is whether the SOC can connect extraction activity, file permission changes such as added executable bits, and subsequent process launches from the decompressed path.

Executive priority

Prioritize this as a macOS endpoint visibility and response-readiness check. Leaders should ask whether managed detection, EDR, and log pipelines can preserve enough process and file activity to reconstruct archive extraction and follow-on execution. It can support incident triage and compliance evidence by showing whether the organization can monitor risky software staging behavior, but the supplied ATT&CK object does not provide tactics, impact, attribution, or active exploitation context.

Technical view

Validate detection logic that identifies the macOS archive utilities named by the analytic (ditto, unzip, xar, pkgutil) writing extracted content to non-standard paths, then correlates that extraction with either an executable-bit change such as chmod +x on the extracted files or a process launch from the extracted location. Two practical caveats apply. First, zip, xar, and tar archives can carry Unix mode bits and these utilities preserve them on extraction, so a chmod step is corroborating evidence rather than a required gate; logic that demands chmod before alerting will miss payloads shipped with the executable bit already set. Second, a payload is frequently launched through an interpreter (sh, zsh, python3, osascript) or through open rather than directly, so the extracted path must be matched in command-line arguments as well as in the process image path. SOC teams should correlate across process creation, command-line arguments, file creation or modification, permission changes, and subsequent child or related process starts, keyed on the same host and a bounded time window. Because no ATT&CK detection text or relationship context is supplied, local baselining is required to define what counts as a non-standard path and to distinguish administrative, developer, installer, or software deployment activity from suspicious staging behavior.

Likely telemetry

  • macOS process creation events for archive utilities including ditto, unzip, xar, and pkgutil
  • Command-line arguments showing extraction source and destination paths
  • File creation or modification events in extraction destinations
  • File permission or mode-change events, especially chmod +x or equivalent executable permission changes
  • Process execution events from decompressed or newly created directories

Detection direction

  • Confirm telemetry coverage on macOS is sufficient to correlate archive extraction, permission changes, and execution over time rather than alerting on a single archive utility invocation.
  • Define and tune organization-specific non-standard extraction paths, accounting for software deployment tools, IT administration, developer workflows, and legitimate installers.
  • Alert with higher confidence when extraction to an unusual path is followed, on the same host and within a bounded time window, by an executable permission change on the extracted files and a process launch from that same decompressed location; treat a launch without a preceding chmod as a lower-confidence hit rather than a non-event, since these utilities preserve executable bits stored in the archive.
  • Review false positives from package installation, application updates, developer build/test activity, and user-driven archive extraction.
  • Because no tactics or relationships are supplied, avoid mapping this analytic to broader attack conclusions without additional local evidence.
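As an added worked example, not part of the ATT&CK object or of Glexia's analysis, the Python below implements the correlation the technical view and the detection direction describe: it extracts the destination directory from each archive utility's command line, discards destinations that match a local baseline, records chmod calls that add an executable bit inside an active extraction, and raises one alert per process launched from that tree (directly, or as a script handed to an interpreter) within a time window on the same host. The event schema, the ARCHIVE_TOOLS and INTERPRETERS sets, the STANDARD_PREFIXES baseline and the 30-minute window are assumptions to be tuned locally; the sample events are constructed, not captured telemetry.

```python
"""AN0784-style correlation: archive extraction to a non-standard macOS path, chmod +x, launch."""
import posixpath
import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

ARCHIVE_TOOLS = {"ditto", "unzip", "xar", "pkgutil", "tar"}           # tar added as an assumption
INTERPRETERS = {"sh", "bash", "zsh", "python3", "osascript", "open"}  # assumption; extend locally
STANDARD_PREFIXES = ("/Applications/", "/Library/", "/System/", "/usr/local/", "/opt/homebrew/")  # local baseline (assumption)
WINDOW = timedelta(minutes=30)  # how long an extraction stays eligible for correlation (assumption)


@dataclass
class Event:
    ts: datetime
    host: str
    exe: str       # image path of the new process
    cmdline: str   # full command line as logged by the EDR
    cwd: str = "/"

def _norm(path: str, cwd: str) -> str:
    return posixpath.normpath(path if path.startswith("/") else posixpath.join(cwd, path))

def _under(path: str, directory: str) -> bool:
    return path == directory or path.startswith(directory.rstrip("/") + "/")

def is_standard(dest: str) -> bool:
    return (dest.rstrip("/") + "/").startswith(STANDARD_PREFIXES)

def extraction_destination(argv: List[str], cwd: str) -> Optional[str]:
    """Directory an archive utility writes into, or None if argv is not an extraction. ditto -x and
    pkgutil --expand take the destination as the last operand; unzip uses -d DIR and xar/tar use
    -C DIR, both defaulting to the working directory."""
    tool = posixpath.basename(argv[0])
    has_x = any(a.startswith("-") and not a.startswith("--") and "x" in a for a in argv[1:])
    if tool not in ARCHIVE_TOOLS or len(argv) < 2:
        return None
    if tool == "ditto":
        return _norm(argv[-1], cwd) if has_x and len(argv) >= 3 else None
    if tool == "pkgutil":
        return _norm(argv[-1], cwd) if "--expand" in argv[1] and len(argv) >= 3 else None
    if (tool == "unzip" and "-l" in argv) or (tool in ("xar", "tar") and not has_x):
        return None  # listing or archive creation, not extraction
    flag = "-d" if tool == "unzip" else "-C"
    if flag in argv and argv.index(flag) + 1 < len(argv):
        return _norm(argv[argv.index(flag) + 1], cwd)
    return _norm(cwd, cwd)

def chmod_exec_targets(argv: List[str], cwd: str) -> List[str]:
    """Targets of a chmod that adds an executable bit (symbolic +x or an odd octal digit)."""
    operands = [a for a in argv[1:] if not a.startswith("-")]
    if posixpath.basename(argv[0]) != "chmod" or len(operands) < 2:
        return []
    mode, targets = operands[0], operands[1:]
    adds_x = ("+" in mode and "x" in mode) or (mode.isdigit() and any(int(d) & 1 for d in mode[-3:]))
    return [_norm(t, cwd) for t in targets] if adds_x else []

def correlate(events: List[Event]) -> List[dict]:
    """One alert per launch from a non-standard extraction destination on the same host within
    WINDOW; confidence is 'high' if chmod +x touched that destination first, else 'medium'."""
    active, alerts = [], []  # active: extractions still eligible for correlation
    for ev in sorted(events, key=lambda e: e.ts):
        argv = shlex.split(ev.cmdline)
        if not argv:
            continue
        active = [x for x in active if ev.ts - x["ts"] <= WINDOW]
        dest = extraction_destination(argv, ev.cwd)
        if dest is not None:
            if not is_standard(dest):
                active.append({"ts": ev.ts, "host": ev.host, "tool": posixpath.basename(argv[0]),
                               "dest": dest, "chmod_hits": []})
            continue
        targets = chmod_exec_targets(argv, ev.cwd)
        for x in active:
            if x["host"] == ev.host:
                x["chmod_hits"] += [t for t in targets if _under(t, x["dest"])]
        if targets:
            continue
        # A launch from the extracted tree: the image itself, or a script handed to an interpreter.
        paths = [ev.exe]
        if posixpath.basename(ev.exe) in INTERPRETERS:
            paths += [_norm(a, ev.cwd) for a in argv[1:] if not a.startswith("-")]
        hits = [(x, p) for x in active for p in paths if x["host"] == ev.host and _under(p, x["dest"])]
        if hits:
            x, p = max(hits, key=lambda h: len(h[0]["dest"]))  # most specific destination wins
            alerts.append({"host": ev.host, "path": p, "tool": x["tool"], "dest": x["dest"],
                           "chmod_hits": list(x["chmod_hits"]), "confidence": "high" if x["chmod_hits"] else "medium"})
    return alerts

# Constructed sample telemetry (not captured from a real host).
T0 = datetime(2025, 3, 4, 10, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "mac-01", "/usr/bin/ditto", "ditto -x -k /Users/alice/Downloads/Editor.zip /Applications", "/Users/alice"),
    Event(T0 + timedelta(minutes=5), "mac-01", "/usr/bin/unzip", "unzip -q /private/tmp/update.zip -d /private/tmp/.cache", "/private/tmp"),
    Event(T0 + timedelta(minutes=5, seconds=3), "mac-01", "/bin/chmod", "chmod +x /private/tmp/.cache/updater", "/private/tmp"),
    Event(T0 + timedelta(minutes=5, seconds=5), "mac-01", "/private/tmp/.cache/updater", "/private/tmp/.cache/updater --silent", "/private/tmp"),
    Event(T0 + timedelta(minutes=10), "mac-02", "/usr/bin/unzip", "unzip proj.zip", "/Users/bob/src"),
    Event(T0 + timedelta(minutes=12), "mac-02", "/usr/bin/xar", "xar -xf vendor.xar -C vendor", "/Users/bob/src"),
    Event(T0 + timedelta(minutes=13), "mac-02", "/bin/bash", "bash vendor/build.sh", "/Users/bob/src"),
    Event(T0 + timedelta(hours=2), "mac-01", "/private/tmp/.cache/updater", "/private/tmp/.cache/updater --silent", "/private/tmp"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the ditto copy into /Applications is dropped by the baseline, the hidden-directory staging on mac-01 produces a high-confidence alert carrying the chmod target, the developer workflow on mac-02 produces a medium-confidence alert attributed to the more specific xar destination (a candidate for tuning rather than escalation), and the re-execution two hours later produces nothing because the extraction has aged out of the window. The same parsing helpers can be pointed at historical extraction events to derive the local baseline that the detection direction above asks for.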

Mitigation priorities

  • Ensure macOS endpoint logging or EDR captures process, command-line, file, and permission-change telemetry needed for this correlation.
  • Standardize approved software installation and package deployment paths so unusual extraction destinations are easier to identify.
  • Harden response playbooks to collect the archive file, extracted contents, destination path, permission changes, and process lineage during triage.
  • Use application control, least privilege, and approved software distribution practices where appropriate to reduce unreviewed execution from ad hoc extracted locations.
  • Periodically test detection content with benign administrative scenarios to tune noise before relying on it for incident escalation.

Analyst notes and limits

This is a detection analytic object, not a technique description. The strongest use is as a validation checklist for macOS endpoint telemetry and correlation logic around archive utilities, decompression destinations, executable permission changes, and execution from decompressed locations.

The supplied object has no official detection narrative, no tactics, no relationships, and no threat actor, campaign, impact, or prevalence context. Any assessment of risk level, maliciousness, or environment exposure requires local telemetry, baselines, and investigation evidence.

Official MITRE ATT&CK definition

Analytic 0784

Identifies archive utilities (e.g., ditto, unzip, xar, pkgutil) used to extract payloads to non-standard paths, then correlates with execution or file permission changes (e.g., `chmod +x`) and process spawns from decompressed location.

The same entry can be viewed on attack.mitre.org (MITRE-hosted reference); in-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 598569d9cbc4ff04...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 598569d9cbc4…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0784 (external source record)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.