AN0464: Analytic 0464
Process opens /dev/bpf* (libpcap) or loads NetworkExtension filter, then after a crafted inbound packet the same process initiates an outbound connection to the trigger origin.
Analyst context for executives and security teams
This analytic describes a macOS behavior pattern where a process monitors low-level network traffic through /dev/bpf* or a NetworkExtension filter and, after receiving a crafted inbound packet, makes an outbound connection back to the apparent trigger origin. For leaders, the practical issue is that this pattern can indicate network-triggered activity that may not look like a normal user-initiated connection. It matters because macOS endpoint, network, and incident response teams need evidence that links packet capture or filtering behavior to subsequent outbound communications by the same process.
Executive priority
Treat this as a coverage-validation item for macOS security monitoring rather than a standalone risk conclusion. Security leaders should ask whether managed detection, EDR, network monitoring, and incident response workflows can correlate macOS processes that access packet capture or network filtering capabilities with later outbound connections. The business value is in reducing blind spots around unusual network-responsive processes and preserving enough telemetry to support incident decisions, audit evidence, and containment scoping.
Technical view
For SOC and detection engineering teams, the key validation is correlation: identify macOS processes that open /dev/bpf* via libpcap-style access or load/use a NetworkExtension filter, then determine whether the same process initiates an outbound connection after an inbound packet event. Because the ATT&CK object provides no tactic mapping, detection text, or relationship context, this should be implemented as a hypothesis-driven analytic and tuned against known legitimate packet capture, network security, VPN, filtering, and observability tools.
Likely telemetry
- macOS process execution and process identity metadata
- File or device access events involving /dev/bpf*
- NetworkExtension-related load, configuration, or runtime events where available
- Inbound network connection or packet metadata
- Outbound network connection metadata tied to process identity
Detection direction
- Validate whether endpoint telemetry records process-level access to /dev/bpf* on macOS.
- Validate whether NetworkExtension filter activity is visible with enough process and timing context.
- Correlate inbound network events with subsequent outbound connections from the same process, using tight time windows appropriate to the environment.
- Tune for legitimate applications that commonly capture or filter traffic, such as approved network monitoring, VPN, security, or troubleshooting tools.
- Prioritize unusual or unsigned processes, unexpected parent processes, uncommon paths, or processes not approved for packet capture or filtering, if those data fields are available locally.
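As an added illustration of the correlation described above (not code from the analytic or from Glexia), the following Python walks a few constructed telemetry lines and flags processes that gained a /dev/bpf* or NetworkExtension capability, saw an inbound packet from an origin, and then connected back to that origin inside a tight window; the pipe-delimited event format, event names, paths and the allowlist are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real macOS/EDR output), one event per line:
# timestamp|pid|process_path|event_type|detail
SAMPLE_EVENTS = """\
2024-05-01T10:00:00|4242|/tmp/netagent|device_open|/dev/bpf2
2024-05-01T10:00:05|4242|/tmp/netagent|inbound_packet|203.0.113.7
2024-05-01T10:00:06|4242|/tmp/netagent|outbound_connect|203.0.113.7
2024-05-01T10:01:00|4444|/Applications/Wireshark.app/Contents/MacOS/Wireshark|device_open|/dev/bpf0
2024-05-01T10:01:10|4444|/Applications/Wireshark.app/Contents/MacOS/Wireshark|inbound_packet|198.51.100.9
2024-05-01T10:05:00|4444|/Applications/Wireshark.app/Contents/MacOS/Wireshark|outbound_connect|198.51.100.9
2024-05-01T10:02:00|5000|/usr/bin/curl|outbound_connect|203.0.113.7
2024-05-01T10:03:00|6000|/Library/VPN/vpnfilter|netext_filter_load|com.example.vpn.filter
2024-05-01T10:03:01|6000|/Library/VPN/vpnfilter|inbound_packet|192.0.2.25
2024-05-01T10:03:02|6000|/Library/VPN/vpnfilter|outbound_connect|192.0.2.25
"""

def parse_events(text):
    """Parse the pipe-delimited lines into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, proc, kind, detail = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "pid": int(pid),
                       "proc": proc, "kind": kind, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])

def find_triggered_callbacks(events, window_seconds=30, approved=frozenset()):
    """Return (pid, proc, origin, delay_seconds) for every process that first
    gained a capture/filter capability, then saw an inbound packet from an
    origin, then connected out to that same origin within the window.
    Processes whose path is in `approved` (tuned allowlist) are skipped."""
    window = timedelta(seconds=window_seconds)
    capturing = set()                 # pids that opened /dev/bpf* or loaded a filter
    last_inbound = defaultdict(dict)  # pid -> origin -> timestamp of last inbound
    hits = []
    for e in events:
        pid, kind = e["pid"], e["kind"]
        if (kind == "device_open" and e["detail"].startswith("/dev/bpf")) \
                or kind == "netext_filter_load":
            capturing.add(pid)
        elif kind == "inbound_packet":
            last_inbound[pid][e["detail"]] = e["ts"]
        elif kind == "outbound_connect" and pid in capturing:
            seen = last_inbound[pid].get(e["detail"])
            if (seen is not None and e["proc"] not in approved
                    and timedelta(0) <= e["ts"] - seen <= window):
                hits.append((pid, e["proc"], e["detail"],
                             (e["ts"] - seen).total_seconds()))
    return hits
```

With the sample data the Wireshark process drops out because its outbound connection falls outside the 30-second window, curl never had a capture capability, and the VPN filter is only suppressed once its path is added to the approved set.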
Mitigation priorities
- Inventory and approve macOS software expected to use packet capture or NetworkExtension filtering capabilities.
- Restrict administrative privileges and software installation paths that allow unapproved network capture or filtering tools to operate.
- Ensure macOS endpoint logging, EDR, and network telemetry can preserve process-to-network correlations for investigations.
- Review security tool, VPN, and observability exceptions so legitimate high-noise sources are documented rather than blindly suppressed.
- Include this behavior in incident response triage playbooks for suspicious macOS network activity, emphasizing evidence preservation and process lineage review.
Analyst notes and limits
This object is an ATT&CK detection analytic, not a technique description. It is limited to macOS and describes a behavioral sequence involving /dev/bpf* or NetworkExtension filtering followed by an outbound connection after a crafted inbound packet. No relationships, tactic mappings, aliases, or official detection guidance were supplied, so local tuning and environment baselining are required.
The supplied ATT&CK fields do not identify a specific adversary, malware family, campaign, impact, tactic, or mitigation. They also do not provide official detection logic. This take should therefore be used to guide telemetry validation and analytic development, not to assert active exploitation or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0af41083227d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0464
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.