AN0082: Analytic 0082
Suspicious long-lived or high-throughput connections by non-Apple signed apps or processes not commonly associated with network uploads. Detect background processes using open sockets for data egress.
Analyst context for executives and security teams
This analytic matters because it focuses on macOS background processes that may be moving data out of the environment over long-lived or high-throughput network connections, especially when the process is not Apple-signed or is not normally associated with uploads. For leaders, the decision value is whether the organization can distinguish normal macOS application network behavior from suspicious egress before data-loss or investigation timelines depend on incomplete endpoint and network evidence.
Executive priority
Prioritize this as a macOS visibility and data-egress monitoring question. Security leaders should ask whether managed detection, SOC workflows, and incident response retain enough endpoint process context and network telemetry to explain which application opened a connection, how long it persisted, how much data moved, and whether the binary was Apple-signed. This supports resilience, audit evidence, and incident decision-making by reducing uncertainty during suspected data exposure events.
Technical view
For SOC, detection engineering, and IR teams, validate coverage for macOS processes using open sockets for potential data egress. The core analytic idea is to identify long-lived or high-throughput connections initiated by non-Apple signed applications or by processes not commonly expected to upload data. Because no official detection logic or ATT&CK tactic mapping is supplied, implementation should be environment-specific and baseline-driven: inventory normal macOS upload-heavy applications, track code-signing status, correlate process identity with socket activity, and tune thresholds for connection duration and bytes sent.
Likely telemetry
- macOS endpoint process creation and process metadata
- Process code-signing or publisher/signature status, including Apple-signed versus non-Apple signed
- Open socket or network connection telemetry tied to process identity
- Connection duration, destination, protocol, and volume or bytes sent
- Baseline data for applications normally associated with uploads in the local environment
Detection direction
- Validate that macOS network telemetry is process-aware; network-only logs may show egress volume but not which process caused it.
- Build or confirm baselines for expected upload behavior by application and background service to reduce false positives from legitimate sync, backup, collaboration, browser, or developer tooling activity.
- Tune on combinations of risk indicators rather than a single threshold: non-Apple signed process, uncommon uploader, long-lived socket, and high outbound throughput.
- Ensure analysts can quickly review code-signing status, process path, parent process, destination, connection duration, and outbound volume during triage.
- Document blind spots where unsigned or third-party macOS applications are common, where endpoint telemetry is absent, or where encrypted traffic limits content inspection.
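The technical view and the detection direction above both come down to one scoring pass: join each open socket to its owning process, attach code-signing status, compare the process against a local uploader baseline, and alert only when several risk indicators coincide. The following Python is an added example of that pass and is not detection logic from the ATT&CK object or from Glexia. The record schema, the thresholds, the baseline bundle identifiers, the hypothetical `Example Corp` Developer ID chain, and every telemetry value are constructed for illustration; only the observation that Apple first-party binaries carry the `Software Signing` leaf authority while Developer ID apps also chain to `Apple Root CA` is a general fact about macOS code signing.

```python
"""
Baseline-driven egress scoring over process-aware macOS connection telemetry.
Added example, not the ATT&CK object's own logic or Glexia's analysis; the
record schema, thresholds and all sample values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Thresholds are assumptions; tune them against the local baseline.
LONG_LIVED_SECONDS = 15 * 60          # socket open for 15 minutes or more
HIGH_OUTBOUND_BYTES = 200 * 1024**2   # 200 MiB or more sent on one connection
MIN_INDICATORS = 3                    # alert on combinations, never on one threshold

# Constructed baseline of bundle identifiers expected to upload in this environment.
KNOWN_UPLOADERS = {
    "com.apple.bird",            # iCloud Drive sync daemon
    "com.example.cloudsync",     # hypothetical approved third-party sync client
    "com.example.backupagent",   # hypothetical approved backup agent
}


@dataclass
class Connection:
    """One open-socket record joined to its owning process (constructed schema)."""
    pid: int
    process: str
    path: str
    bundle_id: str
    authorities: List[str]   # code-signing chain, leaf first; empty if unsigned
    parent: str
    dest: str
    dport: int
    duration_s: int
    bytes_out: int


def is_apple_signed(authorities: List[str]) -> bool:
    """Apple first-party binaries carry the 'Software Signing' leaf. Developer ID
    apps also chain to Apple Root CA, so the leaf, not the root, is the test."""
    return bool(authorities) and authorities[0] == "Software Signing"


def indicators(conn: Connection) -> List[str]:
    """Name every risk indicator present on a single connection record."""
    hits = []
    if not conn.authorities:
        hits.append("unsigned")
    elif not is_apple_signed(conn.authorities):
        hits.append("non_apple_signed")
    if conn.bundle_id not in KNOWN_UPLOADERS:
        hits.append("uncommon_uploader")
    if conn.duration_s >= LONG_LIVED_SECONDS:
        hits.append("long_lived")
    if conn.bytes_out >= HIGH_OUTBOUND_BYTES:
        hits.append("high_outbound_volume")
    return hits


def should_alert(hits: List[str]) -> bool:
    """A baselined uploader is never flagged here; otherwise require a combination."""
    return "uncommon_uploader" in hits and len(hits) >= MIN_INDICATORS


def evaluate(conns: List[Connection]) -> List[Dict]:
    """Return triage-ready alert records: the fields an analyst needs at a glance."""
    alerts = []
    for c in conns:
        hits = indicators(c)
        if should_alert(hits):
            alerts.append({
                "pid": c.pid, "process": c.process, "path": c.path, "parent": c.parent,
                "signer": c.authorities[0] if c.authorities else "unsigned",
                "destination": f"{c.dest}:{c.dport}",
                "duration_s": c.duration_s, "bytes_out": c.bytes_out,
                "indicators": hits,
            })
    return alerts


APPLE_CHAIN = ["Software Signing", "Apple Code Signing Certification Authority", "Apple Root CA"]
DEVID_CHAIN = ["Developer ID Application: Example Corp (EXAMPLE123)",   # hypothetical signer
               "Developer ID Certification Authority", "Apple Root CA"]

# Constructed telemetry; values are illustrative, not captured data.
SAMPLE = [
    # Apple-signed, baselined sync daemon: long-lived and high-volume, but expected.
    Connection(410, "bird", "/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird",
               "com.apple.bird", APPLE_CHAIN, "launchd", "198.51.100.20", 443, 7200, 1500 * 1024**2),
    # Developer ID signed, baselined sync client: suppressed by the baseline.
    Connection(733, "CloudSync", "/Applications/CloudSync.app/Contents/MacOS/CloudSync",
               "com.example.cloudsync", DEVID_CHAIN, "launchd", "198.51.100.40", 443, 9000, 2048 * 1024**2),
    # Apple-signed browser, short and small: one indicator only.
    Connection(802, "Safari", "/Applications/Safari.app/Contents/MacOS/Safari",
               "com.apple.Safari", APPLE_CHAIN, "launchd", "198.51.100.77", 443, 40, 3 * 1024**2),
    # Unsigned background binary under a user profile: all four indicators.
    Connection(9031, "syncagent", "/Users/alice/Library/Application Support/.syncagent/syncagent",
               "", [], "launchd", "203.0.113.10", 443, 5400, 900 * 1024**2),
    # Developer ID signed chat app, short and small: two indicators, below the bar.
    Connection(9120, "ExampleChat", "/Applications/ExampleChat.app/Contents/MacOS/ExampleChat",
               "com.example.chat", DEVID_CHAIN, "launchd", "198.51.100.91", 443, 45, 2 * 1024**2),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE):
        print(alert)
```

Run against the constructed records, only the unsigned `syncagent` connection is raised: it is unsigned, absent from the baseline, open for 90 minutes and has pushed 900 MiB. The baselined `CloudSync` client trips three indicators but is suppressed because the baseline, not a single threshold, decides whether a known uploader's long, heavy connections are interesting; if the environment instead wants baselined apps scored too, drop the `uncommon_uploader` requirement in `should_alert` and raise `MIN_INDICATORS`.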
Mitigation priorities
- First, ensure macOS endpoint telemetry can capture process-to-network relationships and code-signing status.
- Next, establish an approved inventory or baseline of expected upload-capable applications and background services.
- Then, tune detections for anomalous long-duration or high-volume outbound connections from non-Apple signed or unusual processes.
- Prepare IR playbooks for validating suspected macOS data egress, including host containment decision points and evidence preservation.
- Use findings to inform control improvements such as application governance, endpoint hardening, and monitoring retention requirements without assuming any specific vendor technology.
Analyst notes and limits
This is a detection analytic object, not a technique description. The supplied ATT&CK fields identify macOS as the platform and describe suspicious long-lived or high-throughput network connections by non-Apple signed or unusual uploading processes. No relationships, tactics, aliases, labels, or official detection logic were supplied, so this analysis is framed around validation and operationalization rather than a specific rule.
The source object provides no official detection query, no tactic mapping, no related techniques, no threat actor context, and no evidence of active exploitation. Local application baselines, endpoint telemetry quality, and business-approved macOS software patterns are required before this analytic can be judged effective or production-ready.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8087d2f9a221… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0082 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.