AN0347: Analytic 0347
Processes use base64/xxd/openssl/python Objective‑C APIs to encode data (seen in EndpointSecurity exec events or Unified Logs) → quick outbound connections with large bytes_out or HTTP POSTs carrying Base64/MIME bodies.
Analyst context for executives and security teams
This analytic is about spotting macOS processes that appear to encode data and then quickly send a large amount of outbound traffic or HTTP POST content. For leaders, the practical value is that encoding plus outbound transfer can be a sign that sensitive data is being packaged for movement off the endpoint, so coverage depends on whether endpoint and network telemetry are correlated rather than reviewed in isolation.
Executive priority
Treat this as a validation point for macOS data-loss and incident-response readiness. The key business question is whether the organization can connect process-level activity on Macs with outbound network behavior quickly enough to support containment, investigation, and compliance evidence when unusual data movement is suspected.
Technical view
Validate whether macOS EndpointSecurity exec events or Unified Logs capture executions involving base64, xxd, openssl, python, or Objective-C API-driven encoding activity, and whether those events can be correlated with near-term outbound connections showing high bytes_out or HTTP POSTs with Base64/MIME-like bodies. Because no ATT&CK tactic or relationship context is supplied, treat this as a behavior-level analytic rather than a complete intrusion story.
Likely telemetry
- macOS EndpointSecurity process execution events
- macOS Unified Logs
- Process command-line or execution metadata for encoding-related utilities or APIs
- Outbound network connection metadata, including destination, timing, and bytes_out
- HTTP request metadata, especially POST activity and content-type or body characteristics where available
Detection direction
- Confirm endpoint and network timestamps can be correlated closely enough to link encoding activity to subsequent outbound transfer.
- Tune for sequences rather than single events: encoding utilities alone may be normal for administration, development, packaging, or troubleshooting.
- Review false positives from developer workflows, certificate or cryptographic operations, log processing, and legitimate automation using base64, xxd, openssl, or python.
- Prioritize alerts where large outbound bytes_out or HTTP POST behavior follows encoding activity from unusual users, hosts, parent processes, or destinations.
- Document blind spots where HTTP body inspection, bytes_out fields, command-line capture, or macOS Unified Log collection is unavailable.
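The sequence-based tuning above is easiest to reason about as a small correlation routine. The following is an added example written for this page, not code from MITRE ATT&CK or from Glexia: it takes normalised EndpointSecurity exec events and outbound connection records, keeps only executions that look like encoding operations (with openssl and python counted only when their arguments show an encoding step), links each one to network activity from the same process, a child, or a sibling spawned by the same shell within a short window, and raises an alert only when that transfer is large or is an HTTP POST whose captured body looks like Base64. The event schema (host, pid, ppid, image, args, bytes_out, method, body_sample), the thresholds, and the sample events are all constructed assumptions, not fields defined by the analytic.

```python
"""Added example, not from MITRE ATT&CK or Glexia: correlate macOS encoding-tool
executions with near-term outbound transfers. Field names, thresholds and the
sample events below are constructed assumptions."""
import base64
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Encoders named by the analytic. openssl and python only count when their
# arguments show an encoding step; certificate work and ordinary scripts are
# routine on developer and build hosts and should not fire on their own.
ENCODER_RULES = {
    "base64": lambda args: True,
    "xxd": lambda args: True,
    "openssl": lambda args: any(a in ("enc", "base64") for a in args),
    "python3": lambda args: any("base64" in a or "binascii" in a for a in args),
    "python": lambda args: any("base64" in a or "binascii" in a for a in args),
}

@dataclass
class ExecEvent:  # normalised EndpointSecurity exec event (assumed schema)
    ts: datetime
    host: str
    pid: int
    ppid: int
    user: str
    image: str
    args: List[str]

@dataclass
class NetEvent:  # outbound connection / HTTP request metadata (assumed schema)
    ts: datetime
    host: str
    pid: int
    ppid: int
    dst: str
    bytes_out: int
    method: Optional[str] = None
    body_sample: Optional[str] = None  # first bytes of the request body, if captured

@dataclass
class Alert:
    exec_event: ExecEvent
    net_event: NetEvent
    reasons: List[str]

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def is_encoding_exec(e: ExecEvent) -> bool:
    name = e.image.rsplit("/", 1)[-1]
    rule = ENCODER_RULES.get(name)
    return bool(rule and rule(e.args))

def looks_base64(sample: Optional[str], min_len: int = 64) -> bool:
    """True when a captured body sample is plausibly a Base64 blob."""
    if not sample:
        return False
    s = "".join(sample.split())
    if len(s) < min_len or len(s) % 4 or not B64_RE.fullmatch(s):
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def related(e: ExecEvent, n: NetEvent) -> bool:
    """Same process, a child of the encoder, or a sibling from the same shell
    (a pipeline such as `base64 f | curl ...` gives both tools one parent)."""
    return n.pid == e.pid or n.ppid == e.pid or n.ppid == e.ppid

def correlate(execs, nets, window=timedelta(seconds=120),
              skew=timedelta(seconds=5), bytes_threshold=1_000_000):
    """Pair encoding executions with outbound transfers that follow them.
    `skew` tolerates small clock differences between endpoint and network sensors."""
    alerts = []
    for e in execs:
        if not is_encoding_exec(e):
            continue
        for n in nets:
            if n.host != e.host or not related(e, n):
                continue
            if not (e.ts - skew <= n.ts <= e.ts + window):
                continue
            reasons = []
            if n.bytes_out >= bytes_threshold:
                reasons.append(f"bytes_out={n.bytes_out} within {int(window.total_seconds())}s")
            if n.method == "POST" and looks_base64(n.body_sample):
                reasons.append("HTTP POST with Base64-like body")
            if reasons:
                alerts.append(Alert(e, n, reasons))
    return alerts

# Constructed sample telemetry: one user pipes an archive through base64 to a
# POST, a build account inspects a certificate, and a CI job encodes data but
# its only transfer happens far outside the window.
T0 = datetime(2026, 1, 15, 10, 0, 0)
SAMPLE_BODY = base64.b64encode(b"constructed sample payload " * 8).decode()
SAMPLE_EXECS = [
    ExecEvent(T0, "mac-01", 4101, 4100, "jdoe", "/usr/bin/base64", ["base64", "/Users/jdoe/Documents/export.tar"]),
    ExecEvent(T0 + timedelta(seconds=5), "mac-01", 4303, 4300, "buildsvc", "/usr/bin/openssl", ["openssl", "x509", "-in", "cert.pem", "-noout", "-text"]),
    ExecEvent(T0 + timedelta(minutes=5), "mac-02", 4202, 4200, "ci", "/usr/bin/python3", ["python3", "-c", "import base64; print(base64.b64encode(open('a.bin','rb').read()))"]),
]
SAMPLE_NETS = [
    NetEvent(T0 + timedelta(seconds=2), "mac-01", 4105, 4100, "203.0.113.10:443", 5_242_880, "POST", SAMPLE_BODY),
    NetEvent(T0 + timedelta(seconds=6), "mac-01", 4303, 4300, "192.0.2.20:443", 1_800),
    NetEvent(T0 + timedelta(minutes=20), "mac-02", 4202, 4200, "198.51.100.7:443", 3_000_000, "POST"),
]

def run_sample() -> List[Alert]:
    return correlate(SAMPLE_EXECS, SAMPLE_NETS)

if __name__ == "__main__":
    for a in run_sample():
        print(a.exec_event.host, a.exec_event.user, a.exec_event.image, "->", a.net_event.dst, a.reasons)
```

Only the base64-then-POST pair on mac-01 is reported; the certificate inspection never qualifies as encoding, and the CI job's transfer falls outside the window. In production the same logic would be fed from a SIEM join on host plus pid/ppid, and the window, byte threshold and sibling rule are the knobs to tune against the developer and automation baselines listed above.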
Mitigation priorities
- Ensure managed macOS endpoints collect process execution telemetry and retain enough detail for incident review.
- Maintain outbound network logging that includes timing, destination, protocol, method where applicable, and volume indicators such as bytes_out.
- Apply least-privilege and application-control practices where appropriate to reduce unnecessary use of scripting and encoding tools on sensitive systems.
- Use data handling and egress-control policies to limit unsanctioned outbound transfer paths, especially from systems processing regulated or business-critical data.
- Test the analytic with approved benign scenarios to prove correlation, alert routing, and investigation procedures before relying on it operationally.
Analyst notes and limits
The supplied object is a detection analytic for macOS only. It describes a correlation pattern between encoding behavior visible in endpoint logs and outbound transfer indicators. No official detection logic, ATT&CK tactics, related techniques, threat actors, or procedure examples were supplied, so local tuning and environmental baselining are essential.
This take is limited to the supplied STIX fields, external reference, and absence of relationships. It does not establish malicious intent, active exploitation, attribution, impact, or guaranteed detection. It also cannot assess coverage for non-macOS platforms or environments that do not collect the required endpoint and network telemetry.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2dc6d625e070… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0347 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.