AN0102: Analytic 0102
Scripting engines (e.g., osascript, Python) initiating HTTPS requests to social media or content-sharing platforms, paired with automated response handling indicative of two-way communication.
Analyst context for executives and security teams
This analytic is relevant because it focuses on macOS scripting engines making HTTPS connections to social media or content-sharing services in a way that may indicate automated two-way communication. For leaders, the decision value is whether the organization can distinguish normal user or developer activity from scripted external communications that could bypass assumptions about trusted web destinations.
Executive priority
Prioritize this as a coverage-validation item for macOS environments where scripting tools are available and outbound web access to consumer or content-sharing platforms is common. The business question is not whether those sites are bad by default, but whether security teams have enough endpoint and network evidence to explain scripted, automated communication when an incident, audit, or policy exception review requires it.
Technical view
SOC and detection teams should validate visibility into macOS scripting engines such as osascript and Python initiating HTTPS requests, especially when paired with evidence of automated response handling. Because ATT&CK provides no formal detection logic and no tactic mapping for this analytic, teams should treat it as a behavioral hypothesis requiring local baselining of legitimate automation, developer workflows, administrative scripts, and user-driven browser traffic.
Likely telemetry
- macOS process execution events for scripting engines such as osascript and Python
- Parent-child process relationships showing what launched the scripting engine
- Command-line arguments or script metadata where collected and permitted
- Network connection telemetry showing outbound HTTPS destinations
- DNS or proxy logs for social media and content-sharing platform access
Detection direction
- Baseline legitimate macOS scripting activity that reaches external HTTPS services before alerting broadly.
- Correlate process telemetry with network, DNS, or proxy records rather than relying only on destination category.
- Tune for scripting-engine-initiated traffic rather than normal browser-based access to the same platforms.
- Review false positives from developer tools, IT automation, user productivity scripts, and sanctioned integrations.
- Account for blind spots where encrypted HTTPS, limited command-line capture, or unmanaged macOS endpoints reduce context.
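The correlation the bullets above describe, written out as an added example over constructed telemetry (this is not part of the ATT&CK analytic or of Glexia's tooling): process-execution events are joined to network events by pid, destinations are filtered against a small constructed category set, baselined automation parents are suppressed, and repeated same-host connections at a fixed cadence stand in for "automated response handling". Field names, hostnames and the baseline set are all assumptions, not a vendor schema.

```python
"""Correlate macOS process events with outbound HTTPS events to flag scripting
engines talking to social/content-sharing hosts. All data below is constructed."""
from collections import defaultdict

SCRIPT_ENGINES = {"osascript", "python", "python3"}
# In production this would be a proxy/DNS category feed; constructed here.
SOCIAL_OR_SHARING = {"pastebin.com", "x.com", "reddit.com", "dropbox.com"}
# Local baseline: sanctioned automation parents whose scripted traffic is expected.
BASELINED_PARENTS = {"jamf", "munki"}

PROCS = [  # constructed process-execution events
    {"pid": 501, "image": "python3", "parent": "launchd", "cmd": "python3 /tmp/s.py"},
    {"pid": 502, "image": "osascript", "parent": "Terminal", "cmd": "osascript sync.scpt"},
    {"pid": 503, "image": "python3", "parent": "jamf", "cmd": "python3 inventory.py"},
    {"pid": 504, "image": "Safari", "parent": "launchd", "cmd": "Safari"},
]
NETS = [  # constructed network events: (pid, destination host, port, epoch seconds)
    (501, "pastebin.com", 443, 1000), (501, "pastebin.com", 443, 1060),
    (501, "pastebin.com", 443, 1120), (501, "pastebin.com", 443, 1180),
    (502, "dropbox.com", 443, 1005),
    (503, "dropbox.com", 443, 1010),
    (504, "reddit.com", 443, 1020),
]

def correlate(procs, nets, min_exchanges=3):
    """Return one alert per (pid, host) where a scripting engine, not launched by a
    baselined parent, made HTTPS connections to a social/content-sharing host.
    Several connections at a constant interval are rated high: a request/response
    loop is the closest signal this telemetry gives for two-way automation."""
    by_pid = {p["pid"]: p for p in procs}
    stamps = defaultdict(list)
    for pid, host, port, ts in nets:
        proc = by_pid.get(pid)
        if proc is None or port != 443 or host not in SOCIAL_OR_SHARING:
            continue
        if proc["image"] not in SCRIPT_ENGINES or proc["parent"] in BASELINED_PARENTS:
            continue  # browser traffic or sanctioned automation: no alert
        stamps[(pid, host)].append(ts)
    alerts = []
    for (pid, host), ts_list in stamps.items():
        ts_list.sort()
        gaps = {b - a for a, b in zip(ts_list, ts_list[1:])}
        regular = len(ts_list) >= min_exchanges and len(gaps) == 1
        alerts.append({"pid": pid, "image": by_pid[pid]["image"],
                       "parent": by_pid[pid]["parent"], "host": host,
                       "exchanges": len(ts_list), "regular_interval": regular,
                       "severity": "high" if regular else "low"})
    return alerts
```

Tuning happens in the three sets at the top: the category list comes from the proxy or DNS categorizer, and the baseline set is what local review of developer and IT automation produces.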
Mitigation priorities
- Confirm macOS endpoint telemetry coverage for process creation, parent process, and outbound network activity.
- Define acceptable-use and exception handling for scripted access to social media or content-sharing services.
- Restrict or monitor unnecessary scripting-engine network access where business workflows allow.
- Improve proxy, DNS, and endpoint log retention so incident responders can reconstruct scripted external communication.
- Document detection assumptions and known gaps for compliance evidence and incident readiness.
Analyst notes and limits
This object is a detection analytic, not a technique description. Its practical value is in validating whether macOS security monitoring can connect scripting-engine execution to HTTPS communications with social or content-sharing platforms and identify automation-like response handling. No relationships were supplied, so this take does not infer associated techniques, campaigns, actors, or impacts.
The supplied ATT&CK fields include a brief description, macOS platform, and external reference, but no official detection text, tactics, mitigations, or relationship context. Local environment baselines are required to determine what is suspicious versus normal.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ad2a8f5581ea… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0102 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.