MITRE ATT&CK® Analytic

AN0491: Analytic 0491

Flood of incoming TLS or HTTP(S) connections to macOS-hosted services (e.g., MAMP, Apache), causing high CPU usage and system unresponsiveness.

Enterprise | AN0491 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

AN0491 describes a detection analytic concept for a flood of incoming TLS or HTTP(S) connections against services hosted on macOS, such as MAMP or Apache, leading to high CPU usage and potential system unresponsiveness. For leaders, the significance is service availability: even a macOS system that is not a traditional production server can become a business continuity issue if it hosts development, internal, web, or operational services.

Executive priority

Prioritize this where macOS systems host reachable HTTP(S) services or support business-critical workflows. The key executive question is whether the organization knows which macOS-hosted services are exposed, whether they are monitored for availability and resource exhaustion, and whether incident teams can distinguish abnormal connection floods from legitimate traffic spikes. This analytic is most useful as a resilience and monitoring validation item rather than as evidence of a specific adversary or campaign.

Technical view

SOC and IR teams should validate visibility for macOS systems running HTTP(S) or TLS-enabled services and correlate inbound connection volume with host resource symptoms such as high CPU and degraded responsiveness. Because the official object provides no detection logic and no tactic mapping, teams should treat AN0491 as a behavior to operationalize locally: define normal connection baselines per service, monitor abrupt increases in inbound HTTP(S)/TLS sessions, and correlate network-level observations with macOS host performance data.

Likely telemetry

  • Network flow or connection logs showing inbound TLS or HTTP(S) connection volume to macOS-hosted services
  • Web server access logs from macOS-hosted services such as Apache or MAMP where available
  • macOS host performance telemetry, especially CPU utilization and system responsiveness indicators
  • Service availability or uptime monitoring for macOS-hosted HTTP(S) services
  • Firewall, reverse proxy, or load balancer logs if traffic passes through those controls

Detection direction

  • Confirm which macOS assets host HTTP(S) or TLS services; without asset and service inventory, this analytic will be difficult to scope.
  • Baseline normal inbound connection rates per macOS-hosted service and alert on sustained or abrupt deviations correlated with high CPU or unresponsiveness.
  • Tune for legitimate high-traffic events, internal testing, vulnerability scanning, load testing, or deployment activity to reduce false positives.
  • Correlate network connection floods with host-side symptoms; connection volume alone may not indicate service impact.
  • Document blind spots where macOS endpoints lack web server logging, network flow visibility, or host performance telemetry.
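As an added illustration of the baseline-and-correlate direction in the list above (example code written here, not part of the MITRE object or of Glexia's analysis): it bins constructed Apache/MAMP access-log lines per minute, drops an assumed internal load-testing subnet, compares each minute against the median of the earlier minutes, and labels a spike as impacting only when a constructed CPU sample for that minute is high. The thresholds, the allowlist and all log and CPU data are assumptions.

```python
import re
import statistics
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} ')  # client IP, timestamp
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # Apache/MAMP "combined" access-log timestamp
ALLOWLIST = [ip_network("10.0.5.0/24")]  # assumed internal load-test / scanner subnet
CPU_HIGH = 85.0        # assumed host CPU % at which the service is "struggling"
SPIKE_FACTOR = 4.0     # assumed multiple of the per-minute baseline that is a flood
MIN_BASELINE_BINS = 3  # earlier minutes required before any alert can fire

def requests_per_minute(lines):
    """Bucket inbound requests per minute, dropping allowlisted sources."""
    per_min = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it, never crash the detector
        if any(ip_address(m.group(1)) in net for net in ALLOWLIST):
            continue
        per_min[datetime.strptime(m.group(2), TS_FMT).replace(second=0)] += 1
    return per_min

def detect_flood(lines, cpu_by_minute):
    """Flag minutes at >= SPIKE_FACTOR x the median of earlier minutes (the median keeps
    one past flood from poisoning the baseline); label by whether CPU was high too."""
    per_min, history, alerts = requests_per_minute(lines), [], []
    for minute in sorted(per_min):
        count = per_min[minute]
        baseline = statistics.median(history) if len(history) >= MIN_BASELINE_BINS else None
        if baseline is not None and count >= SPIKE_FACTOR * max(baseline, 1):
            cpu = cpu_by_minute.get(minute, 0.0)
            kind = "flood_with_impact" if cpu >= CPU_HIGH else "volume_only"
            alerts.append((minute.strftime("%H:%M"), count, cpu, kind))
        history.append(count)
    return alerts

def _log(src, hhmm, n):  # n constructed combined-format lines within one minute
    return [f'{src} - - [03/Mar/2026:{hhmm}:{s:02d} -0700] "GET /index.php HTTP/1.1" '
            f'200 512 "-" "curl/8.4.0"' for s in range(n)]
SAMPLE_LOG = (_log("192.0.2.10", "10:00", 2) + _log("192.0.2.11", "10:01", 3)
              + _log("192.0.2.10", "10:02", 2) + _log("192.0.2.12", "10:03", 2)
              + _log("198.51.100.7", "10:04", 40)  # flood from one external source
              + _log("10.0.5.9", "10:05", 40)      # allowlisted load test, ignored
              + _log("203.0.113.5", "10:06", 12))  # burst while the host sits idle
SAMPLE_CPU = {datetime.strptime(f"03/Mar/2026:{m}:00 -0700", TS_FMT): c  # constructed CPU samples
              for m, c in (("10:04", 97.0), ("10:06", 22.0))}
```

Running `detect_flood(SAMPLE_LOG, SAMPLE_CPU)` reports 10:04 as a flood with impact and 10:06 as volume only, while the allowlisted burst at 10:05 never enters the counts.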

Mitigation priorities

  • Inventory and reduce unnecessary macOS-hosted HTTP(S) service exposure, especially where systems were not intended to act as resilient servers.
  • Place exposed services behind appropriate network controls, monitoring, and capacity protections where business use requires availability.
  • Ensure macOS service owners have response procedures for resource exhaustion, including escalation, traffic analysis, and service recovery steps.
  • Use availability and performance monitoring to generate incident evidence for compliance and resilience reporting where these services support business processes.
  • Review whether macOS-hosted services should be migrated to more managed or resilient hosting patterns if availability is material.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a full technique description. It is limited to macOS and to incoming TLS or HTTP(S) connection floods affecting hosted services. No ATT&CK tactic, detection logic, relationships, adversary context, or mitigation text was supplied, so implementation should be based on local architecture, service inventory, and telemetry availability.

Official detection content is not provided, and no relationships were supplied. This take does not imply active exploitation, attribution, impact beyond the described high CPU and unresponsiveness behavior, or guaranteed detection coverage. Local baselines and asset context are required to make the analytic actionable.

Official MITRE ATT&CK definition

Analytic 0491

Flood of incoming TLS or HTTP(S) connections to macOS-hosted services (e.g., MAMP, Apache), causing high CPU usage and system unresponsiveness.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: b66a4146ce5fe2eb...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | b66a4146ce5f…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0491

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.