MITRE ATT&CK® Analytic

AN0330: Analytic 0330

Ties inbound access to exposed services (ARD/VNC 5900, SSH 22, ScreenSharing, web services) with process crashes in unified logs and abnormal child processes spawned under those services (e.g., bash, curl) to indicate exploitation.

Enterprise | AN0330 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

AN0330 is a macOS detection analytic for spotting possible exploitation of exposed remote-access or service interfaces by correlating inbound access to services such as ARD/VNC on 5900, SSH on 22, ScreenSharing, or web services with nearby process crashes and unusual child processes such as bash or curl. The business value is that it looks for the point where external service exposure may turn into hands-on system activity, which is important for preserving endpoint integrity, remote administration trust, and incident response speed.

Executive priority

Prioritize this analytic where macOS systems expose remote access or web services, especially systems supporting administration, development, executive users, or operational workflows. Leaders should ask whether macOS service exposure is inventoried, whether unified logs and process telemetry are retained, and whether SOC teams can connect network access, crashes, and process creation quickly enough to support containment decisions and audit evidence.

Technical view

For SOC and detection engineering, validate that macOS telemetry can correlate three evidence types: inbound access to exposed services, crash indicators in unified logs, and abnormal child processes spawned from those service contexts. Because ATT&CK supplies no tactic mapping, relationships, or formal detection logic, teams should implement this as a correlation analytic rather than a single-event alert. Focus review on service processes spawning shells, download utilities, or other unexpected children after inbound access and crash events.

Likely telemetry

  • macOS unified logs, including process crash records
  • Network connection or firewall logs showing inbound access to ARD/VNC 5900, SSH 22, ScreenSharing, or web services
  • Endpoint process creation telemetry with parent-child process relationships
  • Service inventory or exposure data for macOS remote access and web services
  • Timestamps sufficient to correlate inbound access, crashes, and child process execution

Detection direction

  • Confirm visibility into macOS unified logs and process parent-child relationships before assuming this analytic is deployable.
  • Tune correlations around time proximity between inbound service access, crash events, and unusual child process spawning.
  • Review false positives from legitimate remote administration, maintenance scripts, developer workflows, and monitoring tools that may invoke shells or curl under service contexts.
  • Prioritize alerts where multiple signals align, such as inbound access followed by a service crash and then shell or download-tool execution.
  • Document blind spots for unmanaged macOS endpoints, short log retention, encrypted or missing network telemetry, and systems where service exposure is not inventoried.
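The correlation described in the technical view and the detection direction above, as an added example that is neither MITRE's analytic logic nor Glexia's code: a small Python correlator run over constructed telemetry. The event schema, the mapping of ports 5900/22/80/443 to macOS service process names, the list of abnormal child images, and the five-minute window are all assumptions made for this example; a real deployment would take them from the organization's service inventory and telemetry model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Ports named by AN0330, mapped to the macOS service processes assumed to
# listen on them (assumption for this example, not a vendor schema).
EXPOSED_SERVICES = {
    5900: {"ARDAgent", "screensharingd"},  # ARD / VNC / Screen Sharing
    22: {"sshd"},
    80: {"httpd", "nginx"},
    443: {"httpd", "nginx"},
}
# Child images that are unexpected directly under a listening service process.
SUSPICIOUS_CHILDREN = {"bash", "sh", "zsh", "curl", "osascript", "python3"}
WINDOW = timedelta(minutes=5)  # time proximity used for correlation (assumed)


@dataclass
class Event:
    ts: datetime
    kind: str           # "inbound" | "crash" | "process"
    host: str
    port: int = 0       # inbound: destination port
    src: str = ""       # inbound: source address
    service: str = ""   # crash: crashed service process name (unified log)
    parent: str = ""    # process: parent image name
    child: str = ""     # process: child image name


def _within(e, start, window):
    return start <= e.ts <= start + window


def correlate(events, window=WINDOW):
    """One alert per inbound access to an exposed service that is followed,
    on the same host and within `window`, by a crash of the matching service
    and/or an abnormal child spawned under it. Severity grows with the number
    of aligned signals; a lone inbound connection produces no alert."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for inb in events:
        if inb.kind != "inbound" or inb.port not in EXPOSED_SERVICES:
            continue
        svc = EXPOSED_SERVICES[inb.port]
        nearby = [e for e in events if e.host == inb.host and _within(e, inb.ts, window)]
        crash = next((e for e in nearby if e.kind == "crash" and e.service in svc), None)
        child = next((e for e in nearby if e.kind == "process"
                      and e.parent in svc and e.child in SUSPICIOUS_CHILDREN), None)
        signals = ["inbound"] + (["crash"] if crash else []) + (["child"] if child else [])
        if len(signals) < 2:
            continue
        alerts.append({
            "host": inb.host, "src": inb.src, "port": inb.port,
            "signals": signals,
            "severity": "high" if len(signals) == 3 else "medium",
            "child": child.child if child else None,
        })
    return alerts


def sample_events():
    """Constructed telemetry covering the aligned case, a partial case,
    a crash with no network record, and an out-of-window pair."""
    t = datetime(2026, 1, 15, 10, 0, 0)
    return [
        # mac-01: inbound to Screen Sharing, service crash, then bash under it -> high
        Event(t, "inbound", "mac-01", port=5900, src="203.0.113.7"),
        Event(t + timedelta(seconds=12), "crash", "mac-01", service="screensharingd"),
        Event(t + timedelta(seconds=20), "process", "mac-01", parent="screensharingd", child="bash"),
        # mac-02: SSH login followed by a shell, no crash -> medium; sshd spawning a
        # shell is normal for interactive logins and needs allowlisting/review
        Event(t + timedelta(hours=1), "inbound", "mac-02", port=22, src="10.0.0.5"),
        Event(t + timedelta(hours=1, seconds=5), "process", "mac-02", parent="sshd", child="bash"),
        # mac-03: nginx crash with no inbound record (missing network telemetry) -> no alert
        Event(t + timedelta(hours=2), "crash", "mac-03", service="nginx"),
        # mac-04: inbound to web service, crash an hour later -> outside window, no alert
        Event(t + timedelta(hours=3), "inbound", "mac-04", port=443, src="198.51.100.9"),
        Event(t + timedelta(hours=4), "crash", "mac-04", service="httpd"),
    ]


if __name__ == "__main__":
    for alert in correlate(sample_events()):
        print(alert)
```

The mac-03 case shows the blind spot noted above: with no network telemetry the crash-plus-child pattern never reaches the inbound-anchored loop, so an environment that cannot log inbound connections would need a second, crash-anchored pass. The mac-02 case is the false-positive class called out for review: the analytic cannot distinguish an administrator's SSH session from abuse on its own, so the medium tier exists to route such hits to tuning rather than paging.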

Mitigation priorities

  • Inventory macOS systems exposing ARD/VNC, SSH, ScreenSharing, or web services and confirm business justification.
  • Reduce unnecessary exposed services and restrict administrative access paths where possible.
  • Ensure macOS unified log and endpoint process telemetry are collected with retention adequate for incident response.
  • Harden and monitor approved remote administration workflows so legitimate activity is distinguishable from abnormal service-spawned processes.
  • Use findings from this analytic to drive incident response triage, service exposure review, and compliance evidence for monitoring of remote access paths.

Analyst notes and limits

This object is a detection analytic, not a technique or software entry. The supplied description supports a macOS-focused correlation use case involving exposed services, unified log crashes, and abnormal child processes. No relationship context, tactic mapping, aliases, labels, or official detection text was supplied, so local implementation details must come from the organization’s telemetry model and service inventory.

The source does not provide formal detection logic, severity, related techniques, threat groups, procedures, or validated coverage assumptions. This take should not be read as evidence of active exploitation, attribution, or guaranteed detectability in any environment.

Official MITRE ATT&CK definition

Analytic 0330

Ties inbound access to exposed services (ARD/VNC 5900, SSH 22, ScreenSharing, web services) with process crashes in unified logs and abnormal child processes spawned under those services (e.g., bash, curl) to indicate exploitation.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 74ff61c2ec4fa0c5...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 74ff61c2ec4f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN0330 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.