MITRE ATT&CK® Analytic

AN0206: Analytic 0206

Execution of AppleScript or Automator services launching `ssh -L`, `socat`, or `launchctl` items that dynamically reroute traffic from one Mac endpoint to another. LaunchAgents used to establish permanent internal tunnels.

Domain: Enterprise | Object: AN0206 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic concerns macOS endpoints being used to create internal traffic tunnels, including AppleScript or Automator activity that launches ssh local forwarding, socat, or launchctl-managed items, with LaunchAgents potentially making the tunnel persistent. For leaders, the practical issue is not just a Mac running a suspicious command; it is whether an endpoint can quietly become a relay point inside the organization, weakening network segmentation, incident containment, and visibility.

Executive priority

Prioritize this where macOS systems have access to sensitive internal services, administrative networks, development environments, or regulated data paths. The key business question is whether security teams can prove visibility into macOS persistence and traffic redirection behaviors before an incident, rather than discovering during containment that endpoint-to-endpoint tunnels were not monitored. This is relevant to SOC readiness, incident response scoping, access governance, and audit evidence around endpoint control and internal network monitoring.

Technical view

Validate macOS coverage for AppleScript, Automator, shell process creation, launchctl activity, LaunchAgent creation or modification, and network connections associated with tunneling tools such as ssh local forwarding and socat. Because the ATT&CK object provides no official detection logic and no relationship context, teams should treat this as a detection engineering requirement: correlate script or automation execution with suspicious child processes, persistence artifacts, and unexpected local or internal network listeners. IR teams should be prepared to determine whether observed LaunchAgents are legitimate user or admin automation versus unauthorized persistence for internal traffic rerouting.

Likely telemetry

  • macOS process execution telemetry, including parent-child relationships for AppleScript, Automator, shell, ssh, socat, and launchctl activity
  • File system events for LaunchAgent creation or modification in user and system launch agent locations
  • Command-line arguments where available, especially indicators of local port forwarding or traffic relay behavior
  • Network connection and listening-port telemetry from macOS endpoints
  • Endpoint management or EDR records showing script execution, automation services, and persistence registration

Detection direction

  • Build or validate correlations between AppleScript/Automator execution and subsequent launch of ssh, socat, or launchctl-managed items.
  • Monitor for new or modified LaunchAgents that start network relay or forwarding tools, while accounting for legitimate enterprise management and developer workflows.
  • Tune detections around context: user role, device role, destination, listening port behavior, recurrence, and whether the activity is tied to approved administration.
  • Review blind spots in macOS command-line capture, LaunchAgent file monitoring, and endpoint network visibility; this analytic has no supplied official detection text, so local telemetry quality is decisive.
  • Use incident context to distinguish one-time troubleshooting tunnels from persistent internal rerouting, especially when launchctl or LaunchAgents are involved.
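The correlation described in the Technical view and the detection direction above, as an added example that is not code from MITRE or Glexia: a small Python routine run over constructed macOS telemetry. It raises an alert when an `ssh`, `socat` or `launchctl` process whose command line indicates traffic rerouting has an AppleScript or Automator process in its ancestry (directly or through a shell), and separately inspects LaunchAgent plists whose `ProgramArguments` start such a tool, noting `RunAtLoad`/`KeepAlive` as the persistence signal. The event field names (`pid`, `ppid`, `image`, `argv`), the set of automation parent images and all sample events and plists are assumptions constructed for the example, not a vendor's schema or real data.

```python
"""Added example (not MITRE's or Glexia's code): correlation over constructed macOS
telemetry for the detection direction above. Field names are assumptions about a
generic EDR feed; sample events and plists are constructed, not real data."""
import plistlib
import re
from dataclasses import dataclass

AUTOMATION_PARENTS = {"osascript", "Automator", "Automator Runner", "Script Editor"}  # assumed
MAX_ANCESTOR_DEPTH = 4                                      # shell layers between script and tool
FWD_SPEC = re.compile(r"^(?:[^:\s]+:)?\d+:[^:\s]+:\d+$")   # ssh -L/-R: [bind:]port:host:hostport
DYN_SPEC = re.compile(r"^(?:[^:\s]+:)?\d+$")               # ssh -D: [bind:]port
SSH_FLAG = re.compile(r"^-[A-Za-z]*?([LRD])(.*)$")          # -L, -fNL, -L8443:...; never -l
SOCAT_LISTEN = re.compile(r"^tcp[46]?-listen:", re.IGNORECASE)
SOCAT_TARGET = re.compile(r"^tcp[46]?:", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str   # executable basename as the sensor reports it
    argv: list


def tunnel_indicator(argv):
    """Reason string if argv reroutes traffic (ssh forwarding, socat relay, launchctl
    loading an item), else None. Shared by the process and the plist checks."""
    if not argv:
        return None
    tool, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    if tool == "ssh":
        for i, a in enumerate(args):
            nxt = args[i + 1] if i + 1 < len(args) else ""
            if a.startswith("-o"):                         # -o LocalForward=... form
                opt = a[2:] or nxt
                if re.match(r"^(local|remote|dynamic)forward\b", opt, re.IGNORECASE):
                    return f"ssh -o {opt}"
                continue
            m = SSH_FLAG.match(a)
            if m:
                flag, attached = m.groups()
                spec = attached or nxt                     # "-L8443:h:443" or "-L 8443:h:443"
                if (DYN_SPEC if flag == "D" else FWD_SPEC).match(spec):
                    return f"ssh -{flag} forwarding {spec}"
    elif tool == "socat":
        listen = [a for a in args if SOCAT_LISTEN.match(a)]
        target = [a for a in args if SOCAT_TARGET.match(a)]
        if listen and target:                              # listener on one side, TCP target on the other
            return f"socat relay {listen[0].split(',')[0]} -> {target[0].split(',')[0]}"
    elif tool == "launchctl" and len(args) >= 2 and args[0] in {"load", "bootstrap", "submit"}:
        return f"launchctl {args[0]} {args[-1]}"
    return None


def automation_ancestor(event, by_pid):
    """Walk up the parent chain (bounded) and return the first automation image, or None."""
    cur = by_pid.get(event.ppid)
    for _ in range(MAX_ANCESTOR_DEPTH):
        if cur is None:
            return None
        if cur.image in AUTOMATION_PARENTS:
            return cur.image
        cur = by_pid.get(cur.ppid)
    return None


def correlate_processes(events):
    """Alerts for tunnel tools whose ancestry (direct or via a shell) includes automation."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        reason = tunnel_indicator(e.argv)
        via = automation_ancestor(e, by_pid) if reason else None
        if via:
            alerts.append({"pid": e.pid, "image": e.image, "via": via, "reason": reason})
    return alerts


def scan_launchagent(path, plist_bytes):
    """Alert if a LaunchAgent plist starts a tunneling tool; record RunAtLoad/KeepAlive."""
    plist = plistlib.loads(plist_bytes)
    argv = plist.get("ProgramArguments") or ([plist["Program"]] if "Program" in plist else [])
    reason = tunnel_indicator(argv)
    if reason is None:
        return None
    persistent = bool(plist.get("RunAtLoad") or plist.get("KeepAlive"))
    return {"path": path, "label": plist.get("Label"), "reason": reason, "persistent": persistent}


# Constructed sample telemetry. pid 402 is reached through a shell spawned by osascript;
# pid 503 forwards ports from an interactive shell and is deliberately not raised here.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, "launchd", ["/sbin/launchd"]),
    ProcEvent(400, 1, "osascript", ["osascript", "-e", 'do shell script "..."']),
    ProcEvent(401, 400, "sh", ["/bin/sh", "-c", "ssh -fN -L 8443:10.0.0.5:443 relay.internal"]),
    ProcEvent(402, 401, "ssh", ["ssh", "-fN", "-L", "8443:10.0.0.5:443", "relay.internal"]),
    ProcEvent(501, 1, "zsh", ["-zsh"]),
    ProcEvent(503, 501, "ssh", ["ssh", "-L", "5432:db.internal:5432", "bastion.internal"]),
    ProcEvent(600, 1, "Automator Runner", ["/System/Library/CoreServices/Automator Runner.app/Contents/MacOS/Automator Runner"]),
    ProcEvent(601, 600, "socat", ["socat", "TCP-LISTEN:5900,fork,reuseaddr", "TCP:10.0.2.7:5900"]),
]
TUNNEL_AGENT = plistlib.dumps({"Label": "com.example.relay", "RunAtLoad": True, "KeepAlive": True,
    "ProgramArguments": ["/usr/bin/ssh", "-N", "-L", "3306:db.internal:3306", "relay.internal"]})
BENIGN_AGENT = plistlib.dumps({"Label": "com.example.sync", "RunAtLoad": True,
    "ProgramArguments": ["/usr/bin/rsync", "-a", "/Users/me/Documents/", "/Volumes/Backup/"]})

if __name__ == "__main__":
    for alert in correlate_processes(SAMPLE_EVENTS):
        print("PROCESS", alert)
    for path, data in [("~/Library/LaunchAgents/com.example.relay.plist", TUNNEL_AGENT),
                       ("~/Library/LaunchAgents/com.example.sync.plist", BENIGN_AGENT)]:
        print("LAUNCHAGENT", scan_launchagent(path, data))
```

The process check intentionally requires an automation ancestor, which is why the interactive `ssh -L` from `zsh` (pid 503) is not raised: that is the one-time troubleshooting tunnel the tuning bullet above says to separate from automated or persistent rerouting. The LaunchAgent check has no such requirement because the plist itself is the persistence artifact; in a real deployment the file-event path (user and system `LaunchAgents` directories) is the anchor for that rule, and `persistent` is the field to weight in triage.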

Mitigation priorities

  • Establish an approved-use policy for macOS tunneling, automation, and administrative remote access so SOC teams have a baseline for exceptions.
  • Restrict or monitor persistence mechanisms such as LaunchAgents according to endpoint hardening and least-privilege practices.
  • Ensure macOS endpoint security tooling collects process, command-line, persistence, and network telemetry needed to investigate this behavior.
  • Review internal network segmentation and access paths so a single Mac endpoint cannot unnecessarily relay traffic between sensitive zones.
  • Include this behavior in incident response playbooks for macOS persistence and internal tunneling, including evidence collection from LaunchAgents, process history, and network connections.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for macOS only. It names AppleScript, Automator services, ssh local forwarding, socat, launchctl, and LaunchAgents as relevant behavior. No tactics, technique relationships, aliases, labels, or official detection logic were supplied, so the take focuses on defensive validation rather than mapping to a specific ATT&CK tactic or asserting a known campaign pattern.

This summary is limited to the supplied official STIX fields, external reference, and absence of relationship context. It does not establish prevalence, attribution, active exploitation, impact, or guaranteed detectability. Local environment baselines are required to separate legitimate administrative or developer tunneling from suspicious activity.

Official MITRE ATT&CK definition

Analytic 0206

Execution of AppleScript or Automator services launching `ssh -L`, `socat`, or `launchctl` items that dynamically reroute traffic from one Mac endpoint to another. LaunchAgents used to establish permanent internal tunnels.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 04aa84847e1e31c3...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: 04aa84847e1e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: AN0206 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.