MITRE ATT&CK® Analytic

AN0004: Analytic 0004

Detects osascript, curl, or custom binaries interacting with XMPP/MQTT brokers in unapproved destinations with encrypted payloads or frequent POST-like requests to broker URIs.

Domain: Enterprise | ID: AN0004 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is relevant because it focuses on macOS activity where built-in scripting, curl, or unknown binaries communicate with XMPP or MQTT broker destinations that are not approved. For leaders, the value is not just spotting a tool name; it is validating whether the organization can distinguish normal macOS automation and developer traffic from suspicious broker-style communications using encrypted payloads or repeated POST-like requests.

Executive priority

Prioritize this as a coverage validation item for macOS monitoring, egress governance, and SOC readiness. The business question is whether teams can prove which XMPP/MQTT broker destinations are authorized, whether macOS endpoints generate usable network and process evidence, and whether exceptions are documented for audit and incident response. Without that baseline, encrypted broker traffic can become a visibility gap even when endpoint tools are deployed.

Technical view

SOC and detection teams should validate macOS telemetry for process execution involving osascript, curl, and non-standard or custom binaries, then correlate those events with outbound connections to XMPP/MQTT broker URIs or destinations. Because ATT&CK does not provide a full detection rule or tactic mapping for this analytic, implementation should focus on local allowlists, destination approval status, request frequency, URI patterns, and whether payload encryption prevents content inspection. IR teams should be prepared to answer which process initiated the connection, whether the destination is approved, and whether the behavior is recurring or isolated.

Likely telemetry

  • macOS process execution events for osascript, curl, and unidentified/custom binaries
  • Outbound network connection metadata from macOS endpoints
  • Proxy, web gateway, firewall, or DNS logs showing broker destinations, URIs, and request frequency
  • TLS or encrypted-session metadata where payload inspection is not available
  • Asset and application inventory needed to identify approved broker clients and destinations

Detection direction

  • Build or validate allowlists for approved XMPP/MQTT broker destinations and expected macOS clients before alerting broadly.
  • Correlate process names and binary paths with outbound broker-like traffic rather than relying on network indicators alone.
  • Tune for repeated POST-like requests to broker URIs and encrypted payload patterns, while accounting for legitimate automation, development tools, monitoring agents, or business messaging systems.
  • Treat custom or unknown binaries contacting unapproved broker destinations as higher-priority triage candidates, especially when paired with osascript or curl activity.
  • Document blind spots where endpoint process telemetry, proxy visibility, DNS logging, or encrypted traffic metadata is missing.
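The correlation the Detection direction list describes, as an added example that is not part of the Glexia page or of MITRE ATT&CK: process-execution and outbound-connection events are joined by pid, broker-like destinations are checked against an allowlist, POST-like requests per destination are counted, and unknown or custom binaries are prioritized above osascript/curl. The allowlist, broker ports, URI hints, threshold and all telemetry are constructed assumptions.

```python
# Added example: correlate macOS process telemetry with unapproved XMPP/MQTT egress.
from collections import defaultdict, namedtuple

APPROVED_BROKERS = {"mqtt.corp.example", "xmpp.corp.example"}  # assumed local allowlist
BROKER_PORTS = {1883, 8883, 5222, 5269}                          # MQTT / XMPP defaults
BROKER_URI_HINTS = ("/mqtt", "/xmpp", "/ws/mqtt")                 # broker-over-HTTP(S) paths
SCRIPTING_TOOLS = {"osascript", "curl"}
STANDARD_DIRS = ("/usr/bin/", "/bin/", "/usr/sbin/", "/System/", "/Applications/")
FREQ_THRESHOLD = 5  # POST-like requests to one destination within the reviewed batch

ProcEvent = namedtuple("ProcEvent", "pid name path")
NetEvent = namedtuple("NetEvent", "pid dest port uri method")  # method as logged by proxy/gateway

def is_broker_like(ev):
    return ev.port in BROKER_PORTS or ev.uri.startswith(BROKER_URI_HINTS)

def classify_process(proc):
    if proc is None:
        return "unknown"  # no process telemetry for this pid: a blind spot to document
    if proc.name in SCRIPTING_TOOLS:
        return "scripting-tool"
    return "standard" if proc.path.startswith(STANDARD_DIRS) else "custom-binary"

def correlate(procs, nets):
    by_pid = {p.pid: p for p in procs}
    counts = defaultdict(int)  # (pid, dest) -> number of POST-like requests seen
    for ev in nets:
        if is_broker_like(ev) and ev.dest not in APPROVED_BROKERS:
            counts[(ev.pid, ev.dest)] += ev.method.upper() in ("POST", "PUBLISH")
    findings = []
    for (pid, dest), n in counts.items():
        proc = by_pid.get(pid)
        kind = classify_process(proc)
        if kind == "standard":
            continue  # known client to an unlisted broker: route to allowlist review, not triage
        high = kind in ("custom-binary", "unknown") or n >= FREQ_THRESHOLD
        findings.append({"pid": pid, "process": proc.name if proc else "?", "kind": kind,
                         "dest": dest, "post_like": n, "priority": "high" if high else "medium"})
    return findings

# Constructed sample telemetry: a curl beacon, an approved osascript session, a custom binary,
# a business app on an approved broker, and an osascript session to an unlisted XMPP host.
SAMPLE_PROCS = [ProcEvent(101, "osascript", "/usr/bin/osascript"),
                ProcEvent(102, "curl", "/usr/bin/curl"),
                ProcEvent(103, "updater", "/Users/dev/.cache/updater"),
                ProcEvent(104, "Slack", "/Applications/Slack.app/Contents/MacOS/Slack")]
SAMPLE_NETS = ([NetEvent(102, "broker.unknown.example", 8883, "/mqtt", "POST")] * 6 +
               [NetEvent(101, "xmpp.corp.example", 5222, "/", "CONNECT"),
                NetEvent(103, "relay.unknown.example", 443, "/ws/mqtt", "POST"),
                NetEvent(104, "mqtt.corp.example", 8883, "/mqtt", "PUBLISH"),
                NetEvent(101, "chat.unknown.example", 5222, "/", "CONNECT")])
```

Running `correlate(SAMPLE_PROCS, SAMPLE_NETS)` yields three findings: the curl beacon and the custom binary as high priority, the osascript session to the unlisted host as medium.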

Mitigation priorities

  • Define and maintain approved XMPP/MQTT broker destinations and business owners.
  • Restrict or monitor outbound macOS traffic to unapproved broker destinations using existing egress controls where feasible.
  • Improve macOS endpoint logging for process execution and network correlation before relying on this analytic for response decisions.
  • Review legitimate uses of osascript and curl on managed macOS systems to reduce false positives and identify unnecessary exposure.
  • Ensure exception handling and detection evidence are retained for incident response and compliance review.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for macOS and names specific behaviors: osascript, curl, or custom binaries interacting with XMPP/MQTT brokers in unapproved destinations, with encrypted payloads or frequent POST-like requests. There are no supplied relationships, tactic mappings, aliases, or official detection logic, so this take focuses on defensive validation and evidence requirements rather than a specific rule implementation.

No official detection content, tactic mapping, relationship context, attribution, active exploitation claim, or impact detail was supplied. Local environment knowledge is required to determine approved broker destinations, legitimate macOS automation, expected developer activity, and alert thresholds.

Official MITRE ATT&CK definition

Analytic 0004

Detects osascript, curl, or custom binaries interacting with XMPP/MQTT brokers in unapproved destinations with encrypted payloads or frequent POST-like requests to broker URIs.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e02e10b2e089bb75...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | e02e10b2e089…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.


Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.