AN0425: Analytic 0425
Detects abnormal outbound HTTP/FTP connections by local scripts or binaries outside of standard browser activity, following access to local documents or user data.
Analyst context for executives and security teams
This analytic matters because it focuses on a common business-risk pattern on macOS: a non-browser process reads local documents or user data and then makes outbound HTTP or FTP connections. For leaders, the decision value is whether the organization can distinguish normal user web activity from local scripts or binaries moving data over common protocols.
Executive priority
Prioritize this as a validation point for macOS endpoint visibility, SOC triage readiness, and incident response evidence preservation. The key business question is not simply whether HTTP/FTP traffic is monitored, but whether teams can tie outbound connections back to the local process and recent access to sensitive user files. This supports better decisions during suspected data exposure events and helps identify gaps in endpoint, network, and compliance evidence collection.
Technical view
For SOC and detection teams, validate whether macOS telemetry can correlate three elements: local document or user-data access, the responsible script or binary, and subsequent outbound HTTP or FTP connections. Because the ATT&CK object does not specify tactics or a formal detection procedure, tuning should focus on abnormal process context rather than protocol use alone. Browser traffic should generally be treated differently from local scripts, command-line tools, or uncommon binaries initiating external connections after accessing user data.
Likely telemetry
- macOS process execution telemetry, including script interpreters and local binaries
- File access telemetry for local documents and user data
- Network connection telemetry with destination, protocol, port, process, and user context
- Endpoint security events that link process lineage to file and network activity
- Proxy, firewall, or network logs that can corroborate outbound HTTP/FTP activity
Detection direction
- Confirm that endpoint and network telemetry can be joined by host, user, process, and time window.
- Tune for non-browser processes initiating HTTP or FTP connections shortly after accessing local documents or user data.
- Baseline legitimate macOS automation, backup, sync, developer tooling, and enterprise management activity to reduce false positives.
- Do not rely on network protocol alerts alone; common outbound protocols can look normal without process and file-access context.
- Investigate process lineage, binary location, user context, and destination reputation or ownership where locally available.
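The join described above, as an added example that is not part of the ATT&CK object or the Glexia page: constructed macOS file-access and network events are correlated by host, user and pid, and a non-browser process that reaches an HTTP/FTP port within a short window after reading user documents is flagged. The event field names, the browser allow-list and the user-data directory layout are assumptions to be tuned locally.

```python
# Added example (not from the ATT&CK object): join constructed macOS file-access and
# network telemetry by host/user/pid and flag non-browser processes that reach an
# HTTP/FTP port shortly after reading user documents. Field names are assumed.
from datetime import datetime, timedelta

SAFARI = "/Applications/Safari.app/Contents/MacOS/Safari"
BROWSER_PATHS = {SAFARI, "/Applications/Firefox.app/Contents/MacOS/firefox"}  # tune locally
USER_DATA_DIRS = ("Documents", "Desktop", "Downloads", "Library/Mail")  # assumed layout
HTTP_FTP_PORTS = {80, 8080, 21}  # plain HTTP/FTP only; HTTPS is outside this analytic

def is_user_data(path):
    """True for paths like /Users/<name>/Documents/... (assumed home-directory layout)."""
    parts = path.split("/")  # ["", "Users", "<name>", "Documents", ...]
    return (len(parts) > 3 and parts[1] == "Users"
            and "/".join(parts[3:]).startswith(USER_DATA_DIRS))

def correlate(file_events, net_events, window=timedelta(seconds=120)):
    """One alert per (user-data read, later HTTP/FTP connection) pair from the same
    host/user/pid, excluding allow-listed browsers and connections outside `window`."""
    reads, alerts = {}, []
    for e in file_events:
        if is_user_data(e["path"]):
            reads.setdefault((e["host"], e["user"], e["pid"]), []).append(e)
    for n in net_events:
        if n["dport"] not in HTTP_FTP_PORTS or n["exe"] in BROWSER_PATHS:
            continue  # port alone is not a signal, and browser web traffic is expected
        for r in reads.get((n["host"], n["user"], n["pid"]), []):
            delta = n["ts"] - r["ts"]
            if timedelta(0) <= delta <= window:  # the connection must follow the read
                alerts.append({"host": n["host"], "user": n["user"], "pid": n["pid"],
                               "exe": n["exe"], "file": r["path"], "dst": n["dst"],
                               "dport": n["dport"], "delta_s": delta.total_seconds()})
    return alerts

# Constructed sample telemetry: one scripted read followed by an HTTP connection, one
# ordinary Safari session, and one python3 FTP connection that falls outside the window.
T = datetime(2024, 1, 1, 9, 0, 0)
FILE_EVENTS = [
    {"host": "mac-01", "user": "alice", "pid": 501, "exe": "/usr/bin/python3",
     "path": "/Users/alice/Documents/q3-forecast.xlsx", "ts": T},
    {"host": "mac-01", "user": "alice", "pid": 502, "exe": SAFARI,
     "path": "/Users/alice/Downloads/report.pdf", "ts": T},
]
NET_EVENTS = [
    {"host": "mac-01", "user": "alice", "pid": 502, "exe": SAFARI, "dst": "198.51.100.5",
     "dport": 80, "ts": T + timedelta(seconds=5)},
    {"host": "mac-01", "user": "alice", "pid": 501, "exe": "/usr/bin/python3",
     "dst": "203.0.113.10", "dport": 80, "ts": T + timedelta(seconds=30)},
    {"host": "mac-01", "user": "alice", "pid": 501, "exe": "/usr/bin/python3",
     "dst": "203.0.113.10", "dport": 21, "ts": T + timedelta(minutes=10)},
]
```

Running `correlate(FILE_EVENTS, NET_EVENTS)` yields a single alert for the python3 read-then-HTTP pair; the Safari traffic and the late FTP connection are not reported.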
Mitigation priorities
- Ensure macOS endpoint logging captures process, file-access, and network-connection context with sufficient retention for incident response.
- Restrict or review unnecessary script and binary execution paths where operationally feasible.
- Apply egress control and monitoring so non-browser outbound HTTP/FTP activity from endpoints is visible and reviewable.
- Review handling and storage of sensitive local documents and user data to reduce exposure if suspicious transfer behavior occurs.
- Document detection evidence and response procedures for suspected data movement from macOS endpoints.
Analyst notes and limits
This is a detection analytic object, not a technique description. The supplied ATT&CK fields identify the platform as macOS and describe the analytic behavior as abnormal outbound HTTP/FTP connections by local scripts or binaries outside standard browser activity after local document or user-data access. No relationship context, tactics, or official detection logic were supplied, so implementation should be based on local telemetry capabilities and approved organizational baselines.
The object provides no formal detection query, no tactic mapping, no related techniques, no examples, and no relationship context. It does not support claims about active exploitation, actor use, prevalence, impact, or guaranteed detection coverage. Local environment evidence is required to define normal browser, script, automation, and enterprise tool behavior.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a6849cbdd866… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0425 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.