AN0111: Analytic 0111
Inspect unified logs for anomalous DNS resolutions triggered by non-network applications. Flag repeated connections to newly registered or algorithmically generated domains. Correlate with endpoint process telemetry.
Analyst context for executives and security teams
This analytic matters because unusual DNS activity from macOS applications that normally should not initiate network lookups can be an early signal that an endpoint is behaving outside its expected role. For leaders, the decision value is not the analytic name itself, but whether the organization can connect macOS unified logs, DNS evidence, and endpoint process context quickly enough to distinguish benign application behavior from suspicious outbound activity.
Executive priority
Prioritize this as a coverage-validation item for macOS endpoint monitoring and SOC readiness. Security leaders should ask whether DNS visibility includes endpoint-level process context, whether newly registered or algorithmically generated domains can be identified, and whether incident responders can determine which local application triggered the resolution. This supports operational resilience and audit evidence by showing that outbound activity from managed macOS systems is monitored with enough context to support triage.
Technical view
For SOC and detection engineering teams, validate that macOS unified logs are collected and searchable, DNS resolution events can be reviewed, and endpoint process telemetry can be correlated to the application responsible for the lookup. The analytic is focused on anomalous DNS resolutions triggered by non-network applications, repeated connections to newly registered domains, and possible algorithmically generated domains. Because no ATT&CK tactics, relationships, or official detection logic were supplied, teams should treat this as detection-design guidance rather than a complete rule.
Likely telemetry
- macOS unified logs
- DNS resolution telemetry
- Endpoint process telemetry
- Application/process name and path metadata
- Domain reputation or domain age context for newly registered domains
Detection direction
- Validate that macOS unified log collection is enabled, retained, and available to the SOC.
- Correlate DNS resolutions with the originating endpoint process rather than reviewing domain activity alone.
- Tune for applications that are not expected to perform network activity but generate DNS lookups.
- Review repeated resolutions or connections to newly registered or algorithmically generated domains.
- Account for false positives from software updaters, helper processes, enterprise agents, and embedded application components that may legitimately generate DNS traffic.
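The detection direction above (process-aware correlation, repeat counts, newly registered and algorithmically generated domains used as enrichment rather than as the sole trigger) can be prototyped before a full rule exists. The following is an added example, not detection logic from the ATT&CK object or from Glexia; it assumes that unified-log DNS events have already been joined to endpoint process telemetry into flat records. The record fields, the `EXPECTED_NETWORK_APPS` allowlist, the `.test` domains (a reserved TLD) and the registration dates are all constructed for the example.

```python
"""Process-aware triage of macOS DNS resolutions (added example, constructed data)."""
import math
from collections import Counter, defaultdict
from datetime import date

# Constructed allowlist: processes that are expected to resolve names on a managed Mac.
EXPECTED_NETWORK_APPS = {"Safari", "Mail", "softwareupdated", "jamf", "nsurlsessiond"}

# Constructed registration dates keyed by registrable domain (stand-in for WHOIS/RDAP enrichment).
DOMAIN_REGISTERED = {
    "vendor-cdn.test": date(2012, 3, 3),
    "xk7q2mzp9vb3.test": date(2026, 2, 26),
    "report-sync.test": date(2026, 2, 25),
}

# Constructed events: DNS resolutions already joined to the originating process.
EVENTS = [
    {"ts": "2026-03-01T09:00:01", "process": "Safari", "path": "/Applications/Safari.app", "domain": "news.vendor-cdn.test"},
    {"ts": "2026-03-01T09:00:07", "process": "softwareupdated", "path": "/usr/libexec/softwareupdated", "domain": "updates.vendor-cdn.test"},
    {"ts": "2026-03-01T09:05:07", "process": "softwareupdated", "path": "/usr/libexec/softwareupdated", "domain": "updates.vendor-cdn.test"},
    {"ts": "2026-03-01T09:10:07", "process": "softwareupdated", "path": "/usr/libexec/softwareupdated", "domain": "updates.vendor-cdn.test"},
    {"ts": "2026-03-01T09:11:00", "process": "Calculator", "path": "/System/Applications/Calculator.app", "domain": "xk7q2mzp9vb3.test"},
    {"ts": "2026-03-01T09:12:00", "process": "Calculator", "path": "/System/Applications/Calculator.app", "domain": "xk7q2mzp9vb3.test"},
    {"ts": "2026-03-01T09:13:00", "process": "Calculator", "path": "/System/Applications/Calculator.app", "domain": "news.vendor-cdn.test"},
    {"ts": "2026-03-01T09:20:00", "process": "Preview", "path": "/System/Applications/Preview.app", "domain": "report-sync.test"},
    {"ts": "2026-03-01T09:21:00", "process": "Preview", "path": "/System/Applications/Preview.app", "domain": "report-sync.test"},
    {"ts": "2026-03-01T09:22:00", "process": "Preview", "path": "/System/Applications/Preview.app", "domain": "report-sync.test"},
]


def registrable_domain(fqdn: str) -> str:
    """Last two labels; a production version should use the public suffix list."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(text: str) -> float:
    """Bits per character of the label; high values suggest random-looking labels."""
    if not text:
        return 0.0
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(domain: str, min_len: int = 10, min_entropy: float = 3.5,
                    max_vowel_ratio: float = 0.25) -> bool:
    """Cheap DGA heuristic on the registrable label: long, high-entropy, vowel-poor."""
    label = registrable_domain(domain).split(".")[0]
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return shannon_entropy(label) >= min_entropy and vowels / len(label) < max_vowel_ratio


def domain_age_days(domain: str, today: date):
    """Days since registration, or None when enrichment has no record."""
    registered = DOMAIN_REGISTERED.get(registrable_domain(domain))
    return None if registered is None else (today - registered).days


def triage(events, today: date, max_age_days: int = 30, repeat_threshold: int = 3):
    """Group by (process, path, domain) and decide what to escalate.

    Enrichment signals (domain age, generated-looking label, repetition) never
    escalate on their own: an unexpected process plus at least one corroborating
    signal is required, matching the guidance to use them as enrichment only.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["process"], ev["path"], ev["domain"])].append(ev)
    findings = []
    for (process, path, domain), evs in groups.items():
        reasons = []
        non_network = process not in EXPECTED_NETWORK_APPS
        if non_network:
            reasons.append("non-network process")
        if len(evs) >= repeat_threshold:
            reasons.append(f"repeated x{len(evs)}")
        age = domain_age_days(domain, today)
        if age is not None and age <= max_age_days:
            reasons.append(f"registered {age}d ago")
        if looks_generated(domain):
            reasons.append("label looks generated")
        findings.append({
            "process": process, "path": path, "domain": domain, "count": len(evs),
            "first_seen": evs[0]["ts"], "reasons": reasons,
            "escalate": non_network and len(reasons) >= 2,
        })
    return sorted(findings, key=lambda f: (not f["escalate"], f["process"], f["domain"]))


if __name__ == "__main__":
    for f in triage(EVENTS, date(2026, 3, 1)):
        flag = "ESCALATE" if f["escalate"] else "info    "
        print(f"{flag} {f['process']:<16} {f['domain']:<26} x{f['count']} {', '.join(f['reasons'])}")
```

Run against the constructed events, the script escalates Calculator resolving the generated-looking label and Preview repeatedly resolving a four-day-old domain, while softwareupdated's repeated lookups of an old domain and Calculator's single lookup of the same old domain stay informational. The thresholds, the allowlist and the registration table are the parts to replace with environment-specific baselines and a real domain-age source.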
Mitigation priorities
- Establish baseline visibility for managed macOS endpoints before relying on alerting.
- Ensure endpoint logging and DNS telemetry can be correlated during triage.
- Define expected network behavior for common macOS applications and enterprise-managed agents.
- Use domain age or domain-generation indicators as enrichment, not as the sole basis for escalation.
- Create incident response procedures for investigating the originating process, user context, and recurrence of suspicious DNS activity.
Analyst notes and limits
The supplied object is a MITRE ATT&CK detection analytic, AN0111, for macOS. Its value is strongest as a validation prompt for endpoint/DNS telemetry correlation. No relationship context, tactic mapping, aliases, or official detection implementation were provided, so local engineering is required to translate this into operational logic.
This take is limited to the supplied ATT&CK fields and external reference. It does not assert active exploitation, adversary attribution, business impact, or guaranteed detection coverage. The object does not include a full detection rule, tactic mapping, or related techniques, so environment-specific baselining and testing are required.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5ae6f6a979d6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0111 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.