Uncommon macOS shell command execution

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2025-06-24

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: XDR Agent
Detection Modules
Detector Tags	Shell Analytics
ATT&CK Tactic	Execution (TA0002)
ATT&CK Technique	Command and Scripting Interpreter: Unix Shell (T1059.004) Command and Scripting Interpreter (T1059)
Severity	Informational

Description

An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor.

Attacker's Goals

An attacker may attempt to execute a malicious shell command on the system.

Investigative actions

Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.
Check the executed shell command (and possible child processes) for malicious actions.

Variations

Uncommon macOS shell command execution by a BAS solution

Synopsis

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

Severity

High

Description

An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor.

Attacker's Goals

An attacker may attempt to execute a malicious shell command on the system.

Investigative actions

Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.
Check the executed shell command (and possible child processes) for malicious actions.

Uncommon macOS shell command execution running a curl / wget in an uncommon way

Synopsis

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

Severity

High

Description

An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor.

Attacker's Goals

An attacker may attempt to execute a malicious shell command on the system.

Investigative actions

Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.
Check the executed shell command (and possible child processes) for malicious actions.

Uncommon macOS shell command execution taking a screenshot

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor.

Attacker's Goals

An attacker may attempt to execute a malicious shell command on the system.

Investigative actions

Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.
Check the executed shell command (and possible child processes) for malicious actions.

Uncommon macOS shell command execution trying to gather information about the system

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor.

Attacker's Goals

An attacker may attempt to execute a malicious shell command on the system.

Investigative actions

Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.
Check the executed shell command (and possible child processes) for malicious actions.

Uncommon macOS shell command execution loading a kernel extension

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor.

Attacker's Goals

An attacker may attempt to execute a malicious shell command on the system.

Investigative actions

Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.
Check the executed shell command (and possible child processes) for malicious actions.

Uncommon macOS shell command execution, possibly granting file execution permissions

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor.

Attacker's Goals

An attacker may attempt to execute a malicious shell command on the system.

Investigative actions

Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.
Check the executed shell command (and possible child processes) for malicious actions.

Uncommon macOS shell command execution running a process kill command

Synopsis

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

Severity

Low

Description

An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor.

Attacker's Goals

An attacker may attempt to execute a malicious shell command on the system.

Investigative actions

Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.
Check the executed shell command (and possible child processes) for malicious actions.

Uncommon macOS shell command execution executed an AppleScript

Synopsis

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

Severity

Low

Description

An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor.

Attacker's Goals

An attacker may attempt to execute a malicious shell command on the system.

Investigative actions

Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.
Check the executed shell command (and possible child processes) for malicious actions.

Uncommon macOS shell command execution from an unsigned process

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor.

Attacker's Goals

An attacker may attempt to execute a malicious shell command on the system.

Investigative actions

Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.
Check the executed shell command (and possible child processes) for malicious actions.

Uncommon macOS shell command execution of an exceedingly rare process

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An unusual process execution of a shell command on macOS. This action may indicate possible exploitation or shell command execution via a backdoor.

Attacker's Goals

An attacker may attempt to execute a malicious shell command on the system.

Investigative actions

Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.
Check the executed shell command (and possible child processes) for malicious actions.