MITRE ATT&CK® Analytic

AN0402: Analytic 0402

Launchd jobs or user processes invoking symmetric crypto APIs from the Security framework and generating outbound connections carrying randomized payloads inconsistent with normal TLS patterns.

Domain: Enterprise | ID: AN0402 | Type: Analytic | Object version: 1.0 | Modified: (not in snapshot)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because it points to macOS activity where launchd jobs or user processes use Apple Security framework symmetric cryptography APIs while also sending outbound traffic with randomized payloads that do not look like normal TLS. For leaders, the decision value is whether macOS endpoints are instrumented well enough to connect process behavior, crypto API use, and network patterns before an investigation depends on missing evidence.

Executive priority

Prioritize this as a macOS visibility and response-readiness question rather than as a standalone threat claim. Security leaders should ask whether managed detection, SOC, and incident response teams can prove collection of launchd/process telemetry, relevant API or endpoint behavior, and outbound network evidence. This is useful for resilience planning, audit evidence around endpoint monitoring, and deciding whether macOS coverage is materially weaker than Windows or server coverage.

Technical view

Validate whether macOS telemetry can identify launchd jobs and user processes, observe or reliably infer use of symmetric crypto APIs from the Security framework, and correlate that activity with outbound connections whose payload characteristics are inconsistent with expected TLS patterns. Because the mirrored ATT&CK object carries no tactic, relationship, or official detection logic for this analytic, treat it as a behavior-correlation requirement and tune it against the enterprise macOS applications that legitimately perform encryption and custom network communication.

Likely telemetry

  • macOS process execution telemetry, including launchd job context where available
  • Endpoint telemetry showing loaded frameworks, API usage, or behavioral indicators related to the Security framework
  • Outbound network connection metadata from macOS hosts
  • Network inspection or flow evidence sufficient to distinguish normal TLS from unusual randomized payload patterns
  • Process-to-network correlation data linking the generating process to the outbound connection

Detection direction

  • Confirm that macOS endpoint monitoring captures launchd-launched processes and ordinary user processes, not only interactive shell activity.
  • Validate whether crypto-related Security framework activity can be observed directly or inferred reliably from endpoint telemetry.
  • Correlate crypto behavior with outbound connections rather than alerting on encryption API use alone, which is common in legitimate software. TLS application data is itself high-entropy, so the distinguishing signal is a stream that lacks recognizable TLS handshake or record framing, not payload randomness by itself.
  • Build allowlists or baselines for approved macOS applications that use encryption and nonstandard network protocols to reduce false positives.
  • Document blind spots where encrypted payload inspection, process-to-network mapping, or launchd visibility is unavailable.
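The correlation that the Technical view and the Detection direction bullets describe, written out as an added example in Python over a constructed event stream. This is not Glexia's or MITRE's code and not an official ATT&CK detection query. The three record shapes (exec, api_call, net_connect), their field names, the sensor's "symmetric_crypto" category label, the allowlisted VPN path and every sample event are assumptions standing in for whatever a given macOS EDR and network sensor actually export. The TLS check is deliberately a framing check (record type 0x16, version 0x03xx, first handshake type 0x01) rather than an entropy check, because TLS application data is random-looking too; entropy is only used to separate a custom encrypted protocol from plaintext once TLS has been ruled out.

```python
"""Process / crypto-API / network correlation for AN0402-style macOS behavior.

Added example, not Glexia's or MITRE's code. Event shapes, field names, the
sensor's crypto-category label and every sample event are constructed
assumptions, not any vendor's schema.
"""
import math
import random

# Hypothetical allowlist of approved apps that legitimately encrypt and speak
# custom (non-TLS) protocols; in practice this comes from local baselining.
ALLOWLIST = frozenset({"/Applications/ApprovedVPN.app/Contents/MacOS/vpnd"})


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """True if the client's first bytes are a TLS handshake record carrying a ClientHello.

    Record layer: content type 0x16 (handshake), version 0x03 0x00..0x03 (SSLv3 through
    the legacy_record_version that TLS 1.2/1.3 still emit), 2-byte length, then the
    first handshake message type, 0x01 for ClientHello.
    """
    if len(first_bytes) < 6:
        return False
    return (first_bytes[0] == 0x16 and first_bytes[1] == 0x03
            and first_bytes[2] <= 0x03 and first_bytes[5] == 0x01)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a perfectly uniform byte histogram."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def correlate(events, allowlist=ALLOWLIST, entropy_threshold=7.0):
    """One alert per (process, flow) where the same process both called Security
    framework symmetric crypto and sent a non-TLS, high-entropy first payload.
    Crypto API use alone never alerts, nor does odd traffic without a crypto indicator."""
    procs = {}
    for ev in events:
        kind = ev["event"]
        if kind == "exec":
            procs[ev["pid"]] = {
                "path": ev["path"],
                "launchd_job": ev["ppid"] == 1,  # launchd is PID 1 on macOS
                "crypto_apis": set(),
                "flows": [],
            }
        elif kind == "api_call":
            p = procs.get(ev["pid"])
            # "symmetric_crypto" is an assumed sensor category, not a real symbol name
            if (p and ev["framework"] == "Security.framework"
                    and ev["category"] == "symmetric_crypto"):
                p["crypto_apis"].add(ev["api"])
        elif kind == "net_connect":
            p = procs.get(ev["pid"])
            if p:
                p["flows"].append(ev)

    alerts = []
    for pid, p in procs.items():
        if p["path"] in allowlist or not p["crypto_apis"]:
            continue  # baselined app, or no crypto indicator to correlate against
        for flow in p["flows"]:
            payload = flow["first_bytes"]
            if looks_like_tls_client_hello(payload):
                continue  # framing, not entropy, clears TLS: its app data looks random too
            ent = shannon_entropy(payload)
            if ent >= entropy_threshold:
                alerts.append({
                    "pid": pid, "path": p["path"], "launchd_job": p["launchd_job"],
                    "dst": f"{flow['dst']}:{flow['dport']}", "entropy": round(ent, 2),
                    "crypto_apis": sorted(p["crypto_apis"]),
                })
    return alerts


# --- constructed sample telemetry (not captured from any real host) ---
_rng = random.Random(2024)
RANDOM_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(512))  # stands in for a custom encrypted protocol
CLIENT_HELLO = bytes.fromhex("16030100c801") + RANDOM_PAYLOAD[:200]  # handshake record, ClientHello
HTTP_GET = b"GET /health HTTP/1.1\r\nHost: internal.example\r\n\r\n"
_CRYPTO = {"event": "api_call", "framework": "Security.framework", "category": "symmetric_crypto", "api": "sym_encrypt"}

SAMPLE_EVENTS = [
    # 1) launchd job: symmetric crypto, then random non-TLS bytes to tcp/443 -> alert
    {"event": "exec", "pid": 501, "ppid": 1, "path": "/Library/PrivilegedHelperTools/com.example.helper"},
    dict(_CRYPTO, pid=501),
    {"event": "net_connect", "pid": 501, "dst": "203.0.113.10", "dport": 443, "first_bytes": RANDOM_PAYLOAD},
    # 2) user app: crypto plus a genuine TLS ClientHello -> expected pattern, no alert
    {"event": "exec", "pid": 620, "ppid": 433, "path": "/Applications/SyncClient.app/Contents/MacOS/SyncClient"},
    dict(_CRYPTO, pid=620),
    {"event": "net_connect", "pid": 620, "dst": "198.51.100.7", "dport": 443, "first_bytes": CLIENT_HELLO},
    # 3) user process sending random bytes with no crypto indicator -> uncorrelated, no alert
    {"event": "exec", "pid": 700, "ppid": 433, "path": "/usr/local/bin/gamecli"},
    {"event": "net_connect", "pid": 700, "dst": "198.51.100.9", "dport": 27015, "first_bytes": RANDOM_PAYLOAD},
    # 4) allowlisted VPN client: crypto and random payload, suppressed by the baseline
    {"event": "exec", "pid": 710, "ppid": 1, "path": "/Applications/ApprovedVPN.app/Contents/MacOS/vpnd"},
    dict(_CRYPTO, pid=710),
    {"event": "net_connect", "pid": 710, "dst": "198.51.100.20", "dport": 4500, "first_bytes": RANDOM_PAYLOAD},
    # 5) launchd job: crypto, but plaintext HTTP -> low entropy, no alert
    {"event": "exec", "pid": 720, "ppid": 1, "path": "/usr/local/libexec/agentd"},
    dict(_CRYPTO, pid=720),
    {"event": "net_connect", "pid": 720, "dst": "10.0.0.5", "dport": 80, "first_bytes": HTTP_GET},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run it directly to print the single alert from the sample (the launchd job, PID 501); feed real telemetry by mapping your sensor's records into the three shapes. The 7.0 bits-per-byte threshold assumes a few hundred captured bytes; for shorter first-packet captures, compare against log2(len) rather than the 8-bit ceiling, or the check will never fire.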

Mitigation priorities

  • First, close telemetry gaps on managed macOS endpoints, especially launchd/process execution and process-to-network correlation.
  • Next, establish baselines for expected TLS and non-TLS outbound behavior from approved macOS applications.
  • Ensure incident response playbooks include collection of launchd configuration, process lineage, and network evidence from macOS systems.
  • Use egress control and monitoring policies to limit and review unexpected outbound destinations or protocols where business requirements allow.
  • Maintain compliance evidence showing that macOS endpoints receive comparable monitoring and investigation coverage to other enterprise platforms.

Analyst notes and limits

The supplied object is a detection analytic, not a technique. It is scoped to macOS and describes a behavioral pattern involving launchd or user processes, Security framework symmetric crypto APIs, and outbound randomized payloads inconsistent with normal TLS. No tactic, relationship context, aliases, labels, or official detection procedure were supplied, so local baselining is essential.

This take is limited to the official STIX fields and external reference provided. It does not establish adversary attribution, active exploitation, impact, prevalence, or guaranteed detection. The ATT&CK object does not provide an official detection query or related techniques, so implementation depends on each environment’s macOS endpoint and network telemetry.

Official MITRE ATT&CK definition

Analytic 0402

Launchd jobs or user processes invoking symmetric crypto APIs from the Security framework and generating outbound connections carrying randomized payloads inconsistent with normal TLS patterns.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: (not in snapshot)
Modified: (not in snapshot)
Raw hash: e2229c12035d6062...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | e2229c12035d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0402 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.