MITRE ATT&CK® Analytic

AN0032: Analytic 0032

Previously unseen applications generating outbound connections with atypical data flow characteristics, such as excessive data with no return response.

Domain: Enterprise | ID: AN0032 | Type: Analytic | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting macOS applications that have not been seen before and are making unusual outbound network connections, especially one-way or high-volume data flows with little or no response. For leaders, the value is not attribution; it is an early warning lens for possible data movement, unauthorized tooling, or unexpected software behavior that could affect business continuity and investigation speed.

Executive priority

Prioritize this as a validation point for macOS network visibility and application inventory. Executives and security leaders should ask whether the organization can identify newly observed applications, tie them to endpoints and owners, and review abnormal outbound traffic quickly enough to support incident response, compliance evidence, and data-risk decisions. Because ATT&CK provides no tactic mapping or detection logic here, this should be treated as a coverage and readiness check rather than a complete detection outcome.

Technical view

For SOC, detection engineering, and IR teams, the core validation is whether macOS endpoint and network telemetry can correlate application identity with outbound connection behavior. Focus on baselining known applications, identifying first-seen applications, and flagging atypical outbound data-flow patterns such as excessive outbound volume with little or no inbound response. Since no official detection logic is supplied, teams should define local thresholds, expected business applications, and exception handling before relying on alerts.

Likely telemetry

  • macOS endpoint process and application execution records
  • Network connection metadata from macOS hosts
  • Outbound traffic volume and session-flow characteristics
  • Application inventory or software allowlist/baseline data
  • Host-to-destination mapping and timestamps for investigation context

Detection direction

  • Validate that telemetry can distinguish the application responsible for a macOS outbound connection, not only the host or destination.
  • Build or review baselines for previously seen versus newly observed macOS applications.
  • Tune for atypical data-flow characteristics, especially high outbound volume with minimal return traffic, while accounting for legitimate backup, sync, update, telemetry, and file-transfer tools.
  • Confirm analysts can pivot from an alert to host, user, application path/name, destination, and traffic volume.
  • Document blind spots where encrypted traffic, incomplete endpoint logging, NAT/proxy aggregation, or unmanaged macOS devices prevent application-level attribution.
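The following is an added example of the detection direction described above (the technical view and the five validation points), run over constructed macOS-style telemetry. It is not MITRE or Glexia detection logic: the record layout, the baseline of known signing identifiers, the volume exceptions, and the thresholds (10 MB outbound, inbound at most 5% of outbound) are all assumptions a team would replace with its own inventory and tuning. It aggregates flows per host, application and destination inside a time window so that chunked one-way uploads are judged on total volume, treats backup-style tools as exempt from the volume test but not from first-seen detection, and emits the pivot fields an analyst needs (host, user, application path, destination, volume).

```python
"""Detection sketch for AN0032 on constructed macOS telemetry.

Added example: the record layout, thresholds, baseline and sample flows are
assumptions for illustration, not MITRE or Glexia detection logic.
"""
from dataclasses import dataclass

# Constructed baseline of code-signing identifiers already observed on managed
# Macs (in practice: an export of your application inventory / allowlist).
BASELINE_APPS = {"com.apple.Safari", "com.microsoft.teams2", "com.backblaze.bzserv"}

# Tools known to send large one-way uploads (backup, sync, update). They are
# exempt from the volume test but not from first-seen detection.
VOLUME_EXCEPTIONS = {"com.backblaze.bzserv"}

SEVERITY = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Flow:
    host: str
    user: str
    app_path: str     # on-disk path of the process that owned the socket
    signing_id: str   # code-signing identifier reported by the endpoint agent
    dest: str         # remote ip:port
    bytes_out: int
    bytes_in: int
    ts: int           # epoch seconds


# Constructed sample flows (not captured from a real system).
SAMPLE_FLOWS = [
    # Known browser, ordinary two-way traffic: nothing to report.
    Flow("mac-01", "alice", "/Applications/Safari.app", "com.apple.Safari", "93.184.216.34:443", 4_200, 310_000, 1_000),
    # Known backup agent, one-way upload: exempt via VOLUME_EXCEPTIONS.
    Flow("mac-01", "alice", "/Applications/Backblaze.app", "com.backblaze.bzserv", "198.51.100.20:443", 60_000_000, 9_000, 1_100),
    # Known app, large one-way upload (a file share): volume only, low severity.
    Flow("mac-04", "dave", "/Applications/Microsoft Teams.app", "com.microsoft.teams2", "198.51.100.9:443", 25_000_000, 40_000, 1_200),
    # First-seen app in ~/Downloads sending chunked one-way uploads; each chunk
    # is below the volume threshold, the hourly aggregate is not.
    Flow("mac-02", "bob", "/Users/bob/Downloads/Helper.app", "com.example.helper", "203.0.113.7:443", 6_000_000, 200, 2_000),
    Flow("mac-02", "bob", "/Users/bob/Downloads/Helper.app", "com.example.helper", "203.0.113.7:443", 6_000_000, 180, 2_300),
    Flow("mac-02", "bob", "/Users/bob/Downloads/Helper.app", "com.example.helper", "203.0.113.7:443", 5_500_000, 210, 2_600),
    # First-seen app with ordinary two-way traffic: first-seen only.
    Flow("mac-03", "carol", "/Applications/NewEditor.app", "com.example.editor", "198.51.100.5:443", 20_000, 850_000, 3_000),
]


def atypical_outbound(bytes_out, bytes_in, min_out=10_000_000, max_in_ratio=0.05):
    """Excessive outbound with little return: at least min_out bytes sent and
    inbound no more than max_in_ratio of outbound. Both are local tuning knobs."""
    return bytes_out >= min_out and bytes_in <= bytes_out * max_in_ratio


def evaluate(flows, baseline=BASELINE_APPS, exceptions=VOLUME_EXCEPTIONS, window=3600):
    """Aggregate flows per (host, signing_id, dest, time window) so chunked
    uploads are judged on total volume, then tag each aggregate."""
    agg = {}
    for f in flows:
        key = (f.host, f.signing_id, f.dest, f.ts // window)
        a = agg.setdefault(key, {"host": f.host, "user": f.user, "app_path": f.app_path,
                                 "signing_id": f.signing_id, "dest": f.dest,
                                 "bytes_out": 0, "bytes_in": 0, "flows": 0, "first_ts": f.ts})
        a["bytes_out"] += f.bytes_out
        a["bytes_in"] += f.bytes_in
        a["flows"] += 1
        a["first_ts"] = min(a["first_ts"], f.ts)

    alerts = []
    for a in agg.values():
        first_seen = a["signing_id"] not in baseline
        one_way = (a["signing_id"] not in exceptions
                   and atypical_outbound(a["bytes_out"], a["bytes_in"]))
        if not (first_seen or one_way):
            continue
        reasons = []
        if first_seen:
            reasons.append("first-seen application")
        if one_way:
            reasons.append("excessive outbound with minimal return")
        # The analytic's core case is both conditions together; first-seen alone
        # is inventory hygiene, one-way volume from a known app is low priority.
        severity = "high" if first_seen and one_way else "medium" if first_seen else "low"
        alerts.append({**a, "severity": severity, "reasons": reasons})
    alerts.sort(key=lambda x: (-SEVERITY[x["severity"]], x["host"]))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_FLOWS):
        print(f'{alert["severity"]:6} {alert["host"]} {alert["user"]} {alert["app_path"]} -> {alert["dest"]} '
              f'out={alert["bytes_out"]} in={alert["bytes_in"]} flows={alert["flows"]} '
              f'({"; ".join(alert["reasons"])})')
```

On the sample data this yields one high alert (the first-seen helper in ~/Downloads, 17.5 MB out across three flows against under 1 KB in), one medium alert (the first-seen editor with normal two-way traffic) and one low alert (a known collaboration client doing a large one-way upload), while the known backup agent produces nothing. The low alert illustrates the tuning caveat above: known file-transfer tools will trip a volume-only rule, so the exception set and thresholds must be maintained alongside the application baseline.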

Mitigation priorities

  • Maintain accurate macOS application inventory and ownership records.
  • Ensure managed macOS endpoints produce sufficient endpoint and network metadata for investigation.
  • Use application control, software approval, or change-management processes where appropriate to reduce unknown application execution.
  • Review egress monitoring and alert triage workflows for unusual outbound data patterns.
  • Create incident response playbooks for investigating newly observed applications with abnormal outbound network behavior.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for macOS only. It describes the behavior to look for but does not provide a formal detection query, tactic mapping, related techniques, data sources, or relationships. Local baselining is essential because the meaning of "previously unseen" and "atypical" depends heavily on the organization’s software estate and normal traffic patterns.

This take is limited to the official STIX fields and the single external reference provided. No active exploitation, adversary attribution, impact outcome, supported non-macOS platform, or guaranteed detection coverage is implied. Detection feasibility depends on local endpoint, network, inventory, and retention capabilities.

Official MITRE ATT&CK definition

Analytic 0032

Previously unseen applications generating outbound connections with atypical data flow characteristics, such as excessive data with no return response.

The same entry is published on attack.mitre.org (the MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Before making control-coverage decisions, validate any related groups, software, data sources, and mitigations against the official ATT&CK relationships and your own telemetry. For this object the mirrored data currently carries no such relationships, so coverage decisions rest on local baselining and telemetry validation rather than on ATT&CK-supplied mappings.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 7a50e5bda2483608...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 7a50e5bda248…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack, AN0032

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.