AN0077: Analytic 0077
Detects applications such as Automator, AppleScript, or LaunchDaemons invoking HTTP/S traffic to non-standard domains or using suspicious headers (e.g., Base64 in URIs or cookie fields).
Analyst context for executives and security teams
This analytic matters because it focuses on macOS automation and persistence-adjacent components making unusual outbound web requests. For a security leader, the decision it supports is whether the organization can see when built-in macOS mechanisms such as Automator, AppleScript, or LaunchDaemons are used to communicate with unfamiliar domains or with suspicious HTTP/S patterns such as encoded values in URIs or cookies.
Executive priority
Prioritize this as a macOS visibility and response-readiness validation item. It can support decisions about endpoint telemetry coverage, SOC monitoring for non-browser network activity, and incident response triage when trusted local automation mechanisms are involved. Because the supplied ATT&CK object provides no tactic mapping, relationships, or full detection logic, treat it as a coverage-checking analytic rather than a standalone risk conclusion.
Technical view
Validate whether macOS endpoint and network telemetry can connect process context to outbound HTTP/S activity. Detection engineering should specifically test visibility for Automator, AppleScript execution (on macOS this normally runs through the osascript binary, so process telemetry should capture that name together with its parent), and LaunchDaemon-started jobs initiating traffic to non-standard or unexpected domains, and should inspect HTTP/S metadata for suspicious headers or encoded-looking values in URI and cookie fields. Tuning should account for legitimate enterprise automation, management tooling, and scripted workflows that may produce unusual web requests.
Likely telemetry
- macOS process execution telemetry showing parent/child process context
- Endpoint telemetry identifying Automator, AppleScript, and LaunchDaemon activity
- Network connection metadata from macOS hosts
- HTTP/S proxy, gateway, or sensor logs with domain, URI, header, and cookie metadata where available
- DNS query logs for domains contacted by macOS automation components
Detection direction
- Confirm that telemetry links outbound HTTP/S requests back to the originating macOS process or service, not only to the host IP. For HTTPS, URI, header and cookie fields are only visible where TLS is terminated and inspected (a forward proxy or an endpoint agent); otherwise the usable fields are the destination address, the SNI and the DNS name.
- Baseline legitimate Automator, AppleScript, and LaunchDaemon network behavior before escalating on non-standard domains.
- Review suspicious HTTP/S indicators such as Base64-like strings in URIs or cookie fields, while avoiding assumptions that encoding alone is malicious.
- Tune for enterprise management tools and sanctioned scripts that may use automation or unusual headers.
- Because no official detection logic is supplied, require local testing with known benign automation and representative endpoint/network logs before relying on this analytic operationally.
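The detection direction above, as an added example that is not part of the MITRE object or of this page's original content: a small analyzer that joins process execution telemetry to HTTP/S records by host and pid, treats osascript, Automator and unrecognised launchd children as automation, escalates on non-baseline destinations, and flags Base64-like values in URIs and cookies without letting encoding alone drive an alert. The log tuples, baselines, hostnames and the 3.0-bit entropy threshold are constructed assumptions, not any vendor's schema or MITRE's detection logic.

```python
"""Added example: AN0077-style detection over constructed macOS telemetry.
Log shapes, baselines, process names and thresholds are assumptions for
illustration, not a vendor schema or MITRE's own logic."""
import base64
import math
import re
from collections import Counter

# Constructed process execution telemetry: (host, pid, process name, parent name)
PROCESS_EVENTS = [
    ("mac-01", 401, "osascript", "launchd"),         # AppleScript started by launchd
    ("mac-01", 402, "Automator", "Finder"),          # interactive Automator workflow
    ("mac-01", 403, "Safari", "launchd"),            # ordinary app, not automation
    ("mac-02", 501, "com.corp.updater", "launchd"),  # sanctioned LaunchDaemon
    ("mac-02", 502, "osascript", "Terminal"),
]

# Constructed HTTP/S records already attributed to a pid:
# (host, pid, destination, request URI, Cookie header)
HTTP_EVENTS = [
    ("mac-01", 401, "cdn.example-updates.net", "/c?d=aGlkZGVuIGRhdGEgaGVyZQ==", ""),
    ("mac-01", 402, "api.corp.example.com", "/v1/status",
     "session=dXNlcj1hbGljZTtyb2xlPWFkbWlu"),
    ("mac-01", 403, "www.apple.com", "/", ""),
    ("mac-02", 501, "updates.corp.example.com", "/manifest.json",
     "auth=xxxxxxxxxxxxxxxxxxxx"),
    ("mac-02", 502, "198.51.100.7", "/", "id=aG9zdD1tYWMtMDI7dXNlcj1hbGljZQ=="),
    ("mac-02", 777, "198.51.100.9", "/beacon", ""),  # no matching process event
]

# Assumed local baselines; in practice built from observed benign traffic.
BASELINE_DOMAINS = {"api.corp.example.com", "updates.corp.example.com", "www.apple.com"}
AUTOMATION_NAMES = {"osascript", "Automator", "automator"}
BASELINE_LAUNCHD_CHILDREN = {"Safari", "Finder", "loginwindow"}

B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def shannon_entropy(s):
    """Bits per character; filler such as 'xxxx...' scores 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_encoded(token):
    """Base64-like: alphabet and length shape, strict decode, and enough
    entropy that padding or repeated filler is not mistaken for encoding."""
    if not B64_RE.match(token) or len(token) % 4:
        return False
    try:
        base64.b64decode(token, validate=True)
    except ValueError:
        return False
    return shannon_entropy(token) >= 3.0


def extract_values(uri, cookie):
    """Candidate tokens: path segments, query-string values and cookie values."""
    path, _, query = uri.partition("?")
    values = [seg for seg in path.split("/") if seg]
    values += [kv.partition("=")[2] for kv in query.split("&") if kv]
    values += [kv.strip().partition("=")[2] for kv in cookie.split(";") if kv.strip()]
    return values


def is_automation(name, parent):
    """osascript/Automator by name, or anything launchd started that is not in
    the known-good launchd child baseline (a LaunchDaemon/LaunchAgent job)."""
    return name in AUTOMATION_NAMES or (
        parent == "launchd" and name not in BASELINE_LAUNCHD_CHILDREN)


def analyze(process_events, http_events, baseline_domains=BASELINE_DOMAINS):
    procs = {(h, pid): (name, parent) for h, pid, name, parent in process_events}
    findings = []
    for host, pid, domain, uri, cookie in http_events:
        proc = procs.get((host, pid))
        if proc is None:
            # Request cannot be tied to a process: a visibility gap, not an alert.
            findings.append({"host": host, "pid": pid, "process": None, "domain": domain,
                             "reasons": ["no_process_attribution"], "encoded": [],
                             "severity": "visibility_gap"})
            continue
        name, parent = proc
        if not is_automation(name, parent):
            continue
        reasons = []
        if domain not in baseline_domains:
            reasons.append("non_baseline_domain")
        if IPV4_RE.match(domain):
            reasons.append("bare_ip_destination")
        encoded = [v for v in extract_values(uri, cookie) if looks_encoded(v)]
        if encoded:
            reasons.append("encoded_value")
        if not reasons:
            continue
        # Encoded values alone, to a baseline destination, are something to
        # review rather than evidence of compromise; destination drives severity.
        if "non_baseline_domain" in reasons:
            severity = "high" if encoded else "medium"
        else:
            severity = "low"
        findings.append({"host": host, "pid": pid, "process": name, "parent": parent,
                         "domain": domain, "reasons": reasons, "encoded": encoded,
                         "severity": severity})
    return findings


if __name__ == "__main__":
    for f in analyze(PROCESS_EVENTS, HTTP_EVENTS):
        print(f["severity"], f["host"], f["pid"], f["process"], f["domain"], f["reasons"])
```

On the constructed input this yields two high findings (osascript to a non-baseline domain and to a bare IP, both carrying Base64-like values), one low finding (Automator sending an encoded cookie to a sanctioned API, which is left for review rather than escalated), and one visibility-gap record for the request with no process attribution; the sanctioned updater's repeated-character cookie value is not treated as encoded because its entropy is zero.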
Mitigation priorities
- Inventory authorized macOS automation, scripts, and LaunchDaemons so SOC teams have a known-good baseline.
- Restrict or govern unmanaged automation where business processes allow, especially automation that initiates outbound network traffic.
- Ensure endpoint and network controls retain enough process, domain, URI, and header context to support triage.
- Document response playbooks for suspicious macOS automation-driven network activity, including containment and owner validation steps.
- Use the analytic as compliance or audit evidence only after validating that required telemetry is collected and reviewed in the local environment.
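The inventory and baselining points above (a known-good list of LaunchDaemons, and baselining before escalating on new destinations) as an added example, not code from MITRE or from this page's author: it normalises launchd job plists into digestable records, pulls out the program, any embedded URLs and whether the job's payload is a script interpreter such as osascript, and diffs two snapshots to surface added or modified jobs. The labels, paths, URLs and snapshot contents are constructed; on a real host the plist bytes would come from /Library/LaunchDaemons and /Library/LaunchAgents via load_directory, which is a hypothetical helper defined here.

```python
"""Added example: build and diff a known-good inventory of launchd jobs so a
later snapshot exposes new or modified LaunchDaemons/LaunchAgents. Snapshot
contents, labels, paths and URLs are constructed for illustration."""
import glob
import hashlib
import json
import os
import plistlib
import re

URL_RE = re.compile(r"https?://[^\s\"']+")
SCRIPT_RUNNERS = {"osascript", "automator", "sh", "bash", "zsh"}


def parse_launch_plist(filename, data):
    """Normalise one launchd job plist into a record with a stable digest."""
    p = plistlib.loads(data)
    args = list(p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else []))
    record = {
        "file": filename,
        "label": p.get("Label"),
        "program": args[0] if args else None,
        "args": args,
        "run_at_load": bool(p.get("RunAtLoad", False)),
        "start_interval": p.get("StartInterval"),
        "urls": [u for a in args for u in URL_RE.findall(a)],
        # A job whose payload is a script interpreter deserves explicit review.
        "invokes_script_runner": bool(args) and os.path.basename(args[0]) in SCRIPT_RUNNERS,
    }
    record["digest"] = hashlib.sha256(
        json.dumps(record, sort_keys=True).encode()).hexdigest()
    return record


def build_baseline(plists):
    """plists: {filename: plist bytes} -> {label: record}."""
    records = (parse_launch_plist(n, d) for n, d in sorted(plists.items()))
    return {r["label"]: r for r in records}


def load_directory(directory):
    """Hypothetical helper: read every *.plist from a launchd job directory."""
    out = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.plist"))):
        with open(path, "rb") as fh:
            out[os.path.basename(path)] = fh.read()
    return out


def diff_baselines(old, new):
    shared = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(l for l in shared if old[l]["digest"] != new[l]["digest"]),
    }


def _plist(d):
    # Constructed stand-in for reading the .plist file bytes from disk.
    return plistlib.dumps(d)


SNAPSHOT_T0 = {
    "com.corp.updater.plist": _plist({
        "Label": "com.corp.updater",
        "ProgramArguments": ["/usr/local/bin/corp-updater", "--server",
                             "https://updates.corp.example.com/manifest.json"],
        "RunAtLoad": True, "StartInterval": 3600}),
    "com.example.backup.plist": _plist({
        "Label": "com.example.backup", "Program": "/usr/local/bin/backup",
        "RunAtLoad": True}),
}

# Later snapshot: the updater now points elsewhere and a new osascript job appeared.
SNAPSHOT_T1 = dict(SNAPSHOT_T0)
SNAPSHOT_T1["com.corp.updater.plist"] = _plist({
    "Label": "com.corp.updater",
    "ProgramArguments": ["/usr/local/bin/corp-updater", "--server",
                         "https://cdn.example-updates.net/manifest.json"],
    "RunAtLoad": True, "StartInterval": 3600})
SNAPSHOT_T1["com.helper.sync.plist"] = _plist({
    "Label": "com.helper.sync",
    "ProgramArguments": ["/usr/bin/osascript", "-e",
                         'do shell script "curl -s http://198.51.100.7/c"'],
    "RunAtLoad": True, "StartInterval": 300})


if __name__ == "__main__":
    old, new = build_baseline(SNAPSHOT_T0), build_baseline(SNAPSHOT_T1)
    delta = diff_baselines(old, new)
    print(json.dumps(delta, indent=2))
    for label in delta["added"] + delta["changed"]:
        print(label, new[label]["program"], new[label]["urls"])
```

The digest covers the full normalised record, so a change to a job's arguments or schedule shows up as "changed" even when the label and file name are unchanged; the extracted URLs and the script-runner flag give the triage analyst the destination and the payload type without opening each plist by hand.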
Analyst notes and limits
The supplied object is a detection analytic for macOS with a narrow description and no relationship context. Its practical value is strongest as a visibility assessment: can defenders identify trusted macOS automation components making unusual web requests and investigate the associated process and network context?
Official detection content, tactics, related techniques, data sources, and relationships were not provided. This take does not infer attacker intent, active exploitation, attribution, impact, or guaranteed detection coverage. Local baselining is required to determine what is suspicious in a specific macOS environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 |  | 1.0 |  | Current bundle | 2be6007735a9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0077
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.