AN0214: Analytic 0214
AppleScript or system calls to activate WiFi/Bluetooth interfaces (`networksetup`, `blueutil`), followed by exfiltration via AirDrop, cloud sync, or network socket.
Analyst context for executives and security teams
This analytic matters because it describes a macOS data movement pattern: a wireless interface (WiFi or Bluetooth) is switched on, and that interface is then used with a channel such as AirDrop, cloud sync, or a direct network socket to move data off the host. For executives and security leaders, the decision value is not simply "detect a command" but whether the organization can prove it has visibility into macOS endpoint configuration changes and into nearby or network-based transfer paths that bypass traditional perimeter assumptions.
Executive priority
Prioritize this where macOS systems handle sensitive data, regulated information, executive communications, engineering assets, or other material business records. Leaders should ask whether security teams can see and investigate unexpected wireless interface enablement, whether endpoint and network logging supports incident reconstruction, and whether data loss controls account for local wireless transfer methods as well as cloud and socket-based exfiltration. This is especially relevant to resilience, audit evidence, and incident decision-making because weak macOS telemetry can leave a gap between policy and provable control coverage.
Technical view
For SOC, detection engineering, and IR teams, validate visibility on macOS for AppleScript or system calls that activate WiFi or Bluetooth interfaces, specifically activity involving `networksetup` and `blueutil` as described by the analytic. Two practical points help scoping: `networksetup` ships with macOS, whereas `blueutil` is a third-party command-line tool, so its mere presence on a managed fleet that does not deploy it is itself worth a look; and AppleScript is typically executed through `osascript`, with its `do shell script` calls running under `/bin/sh`, so the parent chain of the `networksetup` or `blueutil` process is a useful discriminator. Because the official object provides no detection logic or tactics, treat this as a behavioral validation target: correlate wireless interface state changes with subsequent evidence of AirDrop activity, cloud synchronization, or outbound socket use on the same host. Tune carefully for legitimate administration, user troubleshooting, mobility workflows, and approved device-management activity.
Likely telemetry
- macOS endpoint process execution telemetry for AppleScript, shell activity, `networksetup`, and `blueutil` where available
- macOS system or configuration logs showing WiFi or Bluetooth interface state changes
- Endpoint security telemetry linking parent process, user, device, command line, and time of interface activation
- Network telemetry for outbound connections following interface activation
- Cloud sync audit logs where managed cloud services are in scope
Detection direction
- Build correlation around sequence and context: wireless interface activation followed by data transfer indicators such as cloud sync, AirDrop-related evidence, or outbound socket activity.
- Baseline legitimate macOS administrative and user-driven wireless changes to reduce false positives, especially from help desk actions, travel, office mobility, and MDM workflows.
- Validate whether command-line visibility includes arguments and parent process context; without this, distinguishing normal interface changes from suspicious automation may be difficult.
- Use account, device role, data sensitivity, and timing to prioritize alerts, since the supplied ATT&CK object does not specify tactics or adversary procedures.
- Check for blind spots on unmanaged or lightly monitored macOS endpoints, where AirDrop, Bluetooth, or WiFi changes may not be centrally logged.
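The sequence correlation described in the technical view and the detection direction above, written out as a runnable example. This is added illustration, not detection content from the ATT&CK object or from the Glexia page. The JSON-lines telemetry shape (fields `ts`, `host`, `kind`, `user`, `process`, `parent`, `cmdline`, `dst`), the sample events, the 15-minute window and the scoring are all assumptions chosen for the example; map your own EDR or unified-log fields onto them. Only the `networksetup -setairportpower … on` and `blueutil -p/--power 1|on` command forms are real; every host name, user and address in the sample is constructed.

```python
"""AN0214-style correlation: wireless interface activation followed by a
transfer indicator (net_connect, airdrop, cloud_sync) on the same host within
a time window. Added example; field names and sample data are assumptions."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, one JSON object per line (not real logs).
SAMPLE_LOG = """
{"ts":"2024-05-01T10:00:00","host":"mac-01","kind":"process_exec","user":"alice","process":"networksetup","parent":"osascript","cmdline":"networksetup -setairportpower en0 on"}
{"ts":"2024-05-01T10:03:10","host":"mac-01","kind":"net_connect","user":"alice","process":"python3","dst":"203.0.113.10:443"}
{"ts":"2024-05-01T11:00:00","host":"mac-02","kind":"process_exec","user":"helpdesk","process":"networksetup","parent":"Terminal","cmdline":"networksetup -setairportpower en0 on"}
{"ts":"2024-05-01T12:00:00","host":"mac-03","kind":"process_exec","user":"bob","process":"blueutil","parent":"sh","cmdline":"blueutil -p 1"}
{"ts":"2024-05-01T12:04:30","host":"mac-03","kind":"airdrop","user":"bob","process":"sharingd","dst":"peer:unknown"}
{"ts":"2024-05-01T12:40:00","host":"mac-03","kind":"net_connect","user":"bob","process":"curl","dst":"198.51.100.7:443"}
{"ts":"2024-05-01T13:00:00","host":"mac-04","kind":"process_exec","user":"carol","process":"networksetup","parent":"zsh","cmdline":"networksetup -getairportpower en0"}
{"ts":"2024-05-01T09:00:00","host":"mac-05","kind":"cloud_sync","user":"dave","process":"CloudSync","dst":"cloud"}
{"ts":"2024-05-01T09:10:00","host":"mac-05","kind":"process_exec","user":"dave","process":"blueutil","parent":"bash","cmdline":"blueutil --power on"}
""".strip()

WINDOW = timedelta(minutes=15)          # assumed correlation window
SCRIPT_HOSTS = {"osascript", "sh", "bash", "zsh", "python3", "perl"}
TRANSFER_KINDS = {"net_connect", "airdrop", "cloud_sync"}

# Command lines that turn an interface ON. Query forms (-getairportpower,
# blueutil -p with no state) deliberately do not match.
ACTIVATION_PATTERNS = (
    ("wifi_on", re.compile(r"\bnetworksetup\b.*-setairportpower\s+\S+\s+on\b", re.I)),
    ("bluetooth_on", re.compile(r"\bblueutil\b.*(?:-p|--power)\s+(?:1|on)\b", re.I)),
)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def classify_activation(ev):
    """Return 'wifi_on' / 'bluetooth_on' for an enabling command, else None.
    Requires command-line arguments in telemetry; without them this is blind."""
    if ev.get("kind") != "process_exec":
        return None
    for label, pat in ACTIVATION_PATTERNS:
        if pat.search(ev.get("cmdline", "")):
            return label
    return None


def correlate(events, window=WINDOW):
    """Emit one alert per activation that is followed, on the same host and
    within `window`, by at least one transfer indicator. Indicators that
    precede the activation do not count; ordering is the point of the analytic."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            label = classify_activation(ev)
            if label is None:
                continue
            followers = [f for f in evs[i + 1:]
                         if f["kind"] in TRANSFER_KINDS and f["ts"] - ev["ts"] <= window]
            if not followers:
                continue
            # Base score for the sequence; +1 when the activation was spawned by a
            # scripting host, which is the AppleScript/automation case AN0214 names.
            score = 1 + (1 if ev.get("parent") in SCRIPT_HOSTS else 0)
            alerts.append({
                "host": host,
                "user": ev.get("user"),
                "activation": label,
                "parent": ev.get("parent"),
                "cmdline": ev.get("cmdline"),
                "indicators": sorted({f["kind"] for f in followers}),
                "first_indicator_ts": followers[0]["ts"].isoformat(),
                "score": score,
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, sort_keys=True))
```

On the constructed sample this raises two alerts (mac-01, a WiFi enable under `osascript` followed by an outbound socket; mac-03, a Bluetooth enable under `sh` followed by AirDrop activity) and stays quiet on the help-desk enable with no follow-on transfer, on the read-only `-getairportpower` query, and on a cloud sync that happened before the interface was switched on. The baselining step from the list above belongs in front of `correlate`: suppress or down-weight activations whose parent is a known MDM agent or whose user is in the help-desk group before scoring.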
Mitigation priorities
- Confirm macOS endpoint monitoring and MDM coverage before relying on this analytic for assurance.
- Restrict or govern unauthorized changes to wireless sharing and interface settings where business requirements allow.
- Apply data handling and data loss controls to sensitive macOS endpoints, including cloud sync governance and local sharing policy review.
- Maintain auditable exceptions for legitimate administration so SOC teams can distinguish approved changes from unexplained activity.
- Include this behavior in incident response playbooks for suspected macOS data exfiltration, with steps to preserve endpoint, network, and cloud sync evidence.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for macOS, external ID AN0214, describing activation of WiFi or Bluetooth interfaces through AppleScript or system calls such as `networksetup` and `blueutil`, followed by potential exfiltration via AirDrop, cloud sync, or network socket. No relationship context, tactics, aliases, or official detection logic were supplied, so this take focuses on defensive validation and evidence requirements rather than a specific ATT&CK technique chain.
Official detection content was not provided, and no relationships were supplied. This means detection logic, severity, and coverage cannot be asserted from the source alone. Local macOS logging, MDM configuration, endpoint sensor capability, cloud audit availability, and business-approved wireless workflows are required to determine practical coverage and alert quality.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3a6a8d330a3c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0214
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.