MITRE ATT&CK® Analytic

AN0160: Analytic 0160

Detection of a process or script that accesses a common web service to retrieve content containing obfuscated indicators of a secondary C2 server (dead drop resolver behavior).

Enterprise | AN0160 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it targets “dead drop resolver” behavior: a macOS process or script reaching a common web service to pull content that hides indicators for a secondary command-and-control server. For leaders, the business issue is not the web service itself, but whether attackers can blend C2 discovery into normal-looking web traffic and delay containment decisions.

Executive priority

Prioritize this as a validation question for macOS monitoring and incident response readiness: can the organization distinguish routine access to common web services from scripted retrieval of obfuscated C2 locator content? This supports resilience planning, SOC coverage assessment, and evidence for control reviews around endpoint visibility, network logging, and egress monitoring. Because ATT&CK provides no relationship context or official detection logic here, treat it as a coverage gap to test rather than a confirmed risk level by itself.

Technical view

For SOC, detection engineering, and IR teams, validate macOS visibility for processes or scripts initiating outbound requests to common web services, especially where retrieved content appears unusual, encoded, obfuscated, or used to derive a follow-on network destination. Since no ATT&CK tactics or detection implementation are supplied, detections should be environment-specific and tuned against known business automation, developer tooling, browsers, and management agents that legitimately access web services.

Likely telemetry

  • macOS process execution telemetry, including process name, command line, parent process, user, and script interpreter activity
  • Endpoint network connection telemetry showing outbound web requests from macOS processes
  • Web proxy, secure web gateway, DNS, or firewall logs for access to common web services and subsequent secondary destinations
  • EDR or host logs that can correlate content retrieval activity with later outbound connections
  • Script execution logs or audit records where available for shell, Python, AppleScript, or other macOS scripting contexts

Detection direction

  • Correlate process/script execution on macOS with outbound access to common web services and any near-term connection to a secondary destination derived after that access.
  • Tune carefully for false positives from browsers, collaboration tools, software updaters, developer scripts, CI/CD helpers, and administrative automation that routinely retrieve web-hosted content.
  • Look for suspicious combinations rather than domain access alone: non-browser process, unusual parent process, scripted retrieval, encoded or obfuscated retrieved content indicators, and follow-on C2-like network behavior.
  • Assess blind spots in TLS inspection, proxy logging, endpoint command-line capture, and correlation between endpoint process context and network events.
  • Because no official detection logic is provided, require local baselining and testing before treating alerts as high confidence.
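As an added example that is not part of the Glexia or MITRE page, the first and third bullets above expressed as correlation logic in Python over constructed sample telemetry: a non-browser macOS process reaches a common web service, and the same pid then contacts a host outside the baseline within a short window. The web-service, browser and known-good lists are assumed placeholders standing in for local baselines, and the body-sample check is a crude stand-in for a real content indicator.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed baselines (not from the page); real lists come from local tuning.
COMMON_WEB_SERVICES = {"pastebin.com", "raw.githubusercontent.com", "docs.google.com"}
BROWSER_LIKE = {"Safari", "Google Chrome", "firefox"}
KNOWN_GOOD_DESTS = {"swscan.apple.com", "slack.com"}
B64_RUN = re.compile(r"[A-Za-z0-9+/=]{40,}")  # long base64-looking run


@dataclass
class NetEvent:  # one outbound connection, joined with its process context
    ts: datetime
    pid: int
    process: str
    parent: str
    dest_host: str
    body_sample: str = ""  # leading bytes of the response, if captured


def looks_obfuscated(sample: str) -> bool:
    """Crude content indicator: a long base64-like run in fetched content."""
    return bool(B64_RUN.search(sample))


def find_dead_drop_candidates(events, window=timedelta(minutes=5)):
    """Return (fetch, follow_on, obfuscated) triples: a non-browser process reads a
    common web service, then within `window` the same pid contacts an unbaselined host."""
    hits = []
    for i, ev in enumerate(events):  # events must be time-ordered
        if ev.dest_host not in COMMON_WEB_SERVICES or ev.process in BROWSER_LIKE:
            continue
        for follow in events[i + 1:]:
            if follow.ts - ev.ts > window:
                break
            if (follow.pid == ev.pid and follow.dest_host not in COMMON_WEB_SERVICES
                    and follow.dest_host not in KNOWN_GOOD_DESTS):
                hits.append((ev, follow, looks_obfuscated(ev.body_sample)))
                break
    return hits


T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed, time-ordered sample telemetry
    NetEvent(T0, 501, "Google Chrome", "launchd", "pastebin.com"),
    NetEvent(T0 + timedelta(minutes=1), 502, "python3", "Terminal", "pastebin.com",
             "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVm"),
    NetEvent(T0 + timedelta(minutes=2), 502, "python3", "Terminal", "198.51.100.23"),
    NetEvent(T0 + timedelta(minutes=20), 504, "osascript", "Finder", "docs.google.com"),
    NetEvent(T0 + timedelta(minutes=40), 504, "osascript", "Finder", "203.0.113.9"),
]
```

Widening the window turns the osascript pair into a second candidate, which is the tuning trade-off the bullets describe: a longer window catches slower resolvers but raises false positives from ordinary automation.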

Mitigation priorities

  • Confirm macOS endpoint monitoring captures process, command-line, parent-child, and network context needed to investigate scripted web retrieval behavior.
  • Review egress monitoring and proxy policies for unmanaged or unexpected process access to common web services, while accounting for legitimate business use.
  • Harden and monitor script execution paths on macOS through least privilege, administrative control review, and approved automation practices.
  • Ensure IR playbooks include triage steps for dead drop resolver-like activity: identify the initiating process, retrieved content, user context, and any secondary destinations contacted afterward.
  • Use this analytic as a control-validation scenario in detection engineering and compliance evidence collection rather than as a standalone blocking rule.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, AN0160, for macOS. It describes dead drop resolver behavior but does not provide official detection logic, tactics, procedures, related techniques, malware, groups, or mitigations. The most defensible use is to guide coverage validation around endpoint-to-network correlation for macOS systems.

This take is limited to the supplied STIX fields, the MITRE external reference, and the absence of relationship context. It does not establish active exploitation, attribution, prevalence, impact, or guaranteed detectability. Local environment telemetry and baselines are required to determine practical priority and alert fidelity.

Official MITRE ATT&CK definition

Analytic 0160

Detection of a process or script that accesses a common web service to retrieve content containing obfuscated indicators of a secondary C2 server (dead drop resolver behavior).

View the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (empty in this snapshot)
Modified: (empty in this snapshot)
Raw hash: 2c9d443d6bb0e5b6...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 2c9d443d6bb0…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0160

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.