Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0369: Analytic 0369

Detects non-native file transfer via curl, Python scripts, or AppleScript using uncommon protocols like FTP, SMTP, or DNS exfiltration through mDNSResponder abuse.

EnterpriseAN0369AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Analytic 0369 is a macOS-focused detection analytic for spotting non-native file transfer behavior using tools or interpreters such as curl, Python scripts, or AppleScript, especially when uncommon protocols such as FTP, SMTP, or DNS-style exfiltration via mDNSResponder abuse are involved. For leaders, the value is not that these tools are inherently malicious, but that they can become low-friction paths for data movement outside approved channels if endpoint and network telemetry are incomplete.

Executive priority

Treat this as a coverage validation item for macOS data-loss and incident response readiness. Security leaders should ask whether the organization can distinguish approved file transfer activity from unusual protocol use on macOS endpoints, and whether SOC playbooks have enough endpoint and network evidence to investigate suspected exfiltration without relying on a single alert. This is most relevant to managed detection, IR preparedness, compliance evidence around data movement monitoring, and control prioritization for environments with meaningful macOS usage.

Technical view

SOC and detection teams should validate visibility into macOS process execution and network activity involving curl, Python, AppleScript, and mDNSResponder-associated behavior. Because no official detection logic is provided, teams should treat the analytic as a detection objective rather than a ready rule: identify executions of non-native or script-driven file transfer activity, correlate with uncommon protocols such as FTP, SMTP, or DNS-like outbound patterns, and compare against known administrative or business workflows. The supplied object does not specify ATT&CK tactics or related techniques, so local mapping and triage context are required.

Likely telemetry

  • macOS process execution events for curl, Python, AppleScript, and related parent-child process context
  • Command-line arguments or script execution metadata where available
  • Outbound network connection metadata from macOS endpoints
  • Protocol-level or proxy/firewall evidence for FTP, SMTP, and DNS-like traffic
  • DNS and mDNSResponder-related activity logs or network observations

Detection direction

  • Baseline legitimate macOS use of curl, Python, AppleScript, FTP, SMTP, and DNS-related activity before alerting aggressively.
  • Prioritize detections that combine process execution context with uncommon outbound protocol behavior rather than process names alone.
  • Review false positives from developers, administrators, automation, backup tools, and legitimate file-transfer workflows.
  • Validate whether telemetry captures command-line/script details and network destinations; without both, triage quality will be limited.
  • Because no official detection logic or relationship context is supplied, document local assumptions and test against known benign macOS activity.

Mitigation priorities

  • Inventory approved macOS file-transfer methods and expected protocols so monitoring has a defensible baseline.
  • Restrict or monitor unnecessary outbound FTP, SMTP, and unusual DNS-like traffic where business requirements allow.
  • Ensure endpoint logging and network controls cover macOS systems, not only Windows or server environments.
  • Create IR playbook steps for suspected macOS data transfer activity, including host containment, user validation, and network destination review.
  • Use findings to support compliance evidence for monitoring and investigation of sensitive data movement, where applicable.
Analyst notes and limits

This object is a detection analytic, not a technique description. Its decision value is in validating whether macOS endpoint and network telemetry can expose suspicious non-native file transfer behavior involving curl, Python, AppleScript, uncommon protocols, or possible mDNSResponder abuse. No relationships were supplied, so broader ATT&CK technique linkage should not be assumed from this object alone.

The official detection field is not provided, tactics are not specified, and no relationship context is supplied. This take is therefore limited to the stated macOS platform, description, external reference, and analytic metadata. Local environment baselines, approved software use, and network architecture are required to convert this into deployable detections.

Official MITRE ATT&CK definition

Analytic 0369

Detects non-native file transfer via curl, Python scripts, or AppleScript using uncommon protocols like FTP, SMTP, or DNS exfiltration through mDNSResponder abuse.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
19b3c8f65b71f677...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 19b3c8f65b71…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0369
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use