AN0146: Analytic 0146

This analytic matters because it points to a macOS behavior pattern that can indicate a user-facing application maintaining unusual, long-running web connections. For leaders, the value is not the analytic name itself, but whether the organization can distinguish normal application traffic from suspicious persistent HTTP(S) sessions when an incident is unfolding.

Executive priority

Prioritize this as a validation question for macOS endpoint and network visibility: can security teams identify which user applications are creating long-lived HTTP(S) sessions, determine whether those sessions are expected, and produce evidence quickly for incident response or audit review? Because no ATT&CK tactic or relationship context is supplied, this should be treated as a coverage and readiness item rather than proof of a specific threat scenario.

Technical view

SOC and detection teams should validate whether macOS telemetry can correlate user application identity with outbound HTTP(S) session duration and traffic irregularity. The analytic description depends on knowing what application initiated the session, whether that application is expected for the user or host, and whether the session pattern is abnormal. Since ATT&CK provides no official detection logic for this object, local baselining and tuning are required.

Likely telemetry

macOS process execution and application launch events
Outbound network connection or session metadata for HTTP(S) traffic
Process-to-network correlation showing which user application initiated the session
Session duration, byte counts, timing, and traffic pattern metadata
Endpoint or network inventory context to distinguish expected applications from unexpected ones

Detection direction

Validate that macOS endpoint and network data can be joined by host, user, process/application, destination, and time.
Baseline normal long-lived HTTP(S) behavior for common user applications before alerting broadly.
Tune for unexpected applications rather than long duration alone, since many legitimate applications maintain persistent web sessions.
Review false positives from browsers, collaboration tools, updaters, sync clients, and enterprise agents.
Document visibility gaps where encrypted traffic, proxying, limited endpoint logging, or missing process-to-network mapping prevents confident triage.

Mitigation priorities

Confirm macOS application inventory and approved-use expectations are maintained for managed endpoints.
Strengthen endpoint telemetry collection before relying on this analytic for response decisions.
Use network egress visibility to identify unusual persistent HTTP(S) sessions and support endpoint investigation.
Ensure incident response playbooks include steps to validate the initiating application, user context, destination, and business justification.
Where policy allows, enforce application control or managed software standards to reduce unexpected user applications initiating persistent network sessions.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for macOS only. Its official description flags unexpected user applications initiating long-lived HTTP(S) sessions with irregular traffic patterns. No tactics, technique relationships, aliases, labels, or official detection logic were supplied, so the take focuses on defensive validation and telemetry readiness rather than specific adversary behavior.

This assessment is limited to the supplied STIX fields and external reference. There is no relationship context, no ATT&CK tactic mapping, and no official detection implementation. Local baselines, approved application lists, and available macOS/network telemetry are required to determine practical detection value.

Official MITRE ATT&CK definition

Analytic 0146

Flags unexpected user applications initiating long-lived HTTP(S) sessions with irregular traffic patterns.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Raw hash: 3d3830f1eb3e9026...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Oct 21, 2025, 15:10 UTC (UTC+00:00)	Current bundle	`3d3830f1eb3e…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN0146
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams