AN0515: Analytic 0515
Use of native/mac tools (sharing -l, smbutil view, mount_smbfs) or scripts to enumerate SMB shares across many hosts, followed by outbound SMB connections observed in PF/Zeek logs.
Analyst context for executives and security teams
This analytic is about spotting macOS systems that enumerate SMB file shares across many hosts and then make outbound SMB connections. For leaders, the value is validating whether the organization can see suspicious internal discovery from Macs before it becomes broader access to shared data or lateral movement.
Executive priority
Prioritize this where macOS endpoints can access internal file shares, sensitive business repositories, or segmented operational networks. The key business question is whether SOC and incident response teams have enough endpoint and network evidence to distinguish normal administrator or user file-share activity from broad share enumeration across many hosts. This can support resilience, access governance, and audit conversations around monitoring of internal discovery behavior.
Technical view
For macOS, validate visibility into native tool execution involving sharing -l, smbutil view, mount_smbfs, and script-driven SMB share enumeration patterns. Correlate host activity with outbound SMB connections in PF or Zeek logs, especially when a single macOS host queries or connects to many SMB targets. Because ATT&CK provides no tactic mapping, relationship context, or official detection logic for this analytic, teams should treat it as a detection validation starting point rather than a complete rule.
Likely telemetry
- macOS process execution telemetry for native tools and scripts
- Command-line arguments where available
- Outbound SMB network connection logs
- PF firewall logs from relevant macOS or network locations
- Zeek SMB and connection logs
Detection direction
- Baseline normal macOS SMB access by role, subnet, and administrative function before alerting on volume alone.
- Look for one macOS source enumerating or connecting to many SMB hosts in a short period, then correlate with native tool or script execution.
- Tune for known IT administration, backup, file indexing, or helpdesk workflows that may legitimately enumerate shares.
- Check for blind spots where macOS endpoint telemetry lacks command-line capture or where SMB east-west traffic is not visible to PF or Zeek.
- Use this analytic as a correlation pattern: host process evidence plus network SMB fan-out is stronger than either signal alone.
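The correlation pattern above, written out as an added example (not code from the ATT&CK object or from Glexia): a source is flagged only when it fans out to many tcp/445 destinations in a short window AND a native SMB tool ran on that host shortly before the burst. The Zeek conn.log field subset, the JSON-lines process export and every sample line are assumptions constructed for the demo.

```python
# Added example, not code from the ATT&CK object or Glexia's page. Assumed inputs:
# a subset of Zeek conn.log TSV fields and a JSON-lines process export (constructed).
import json
from collections import defaultdict
SMB_TOOLS = ("sharing -l", "smbutil view", "mount_smbfs")
# Constructed Zeek conn.log rows: ts, id.orig_h, id.resp_h, id.resp_p
ZEEK_CONN = """\
1700000000.1\t10.1.2.30\t10.1.5.10\t445
1700000001.2\t10.1.2.30\t10.1.5.11\t445
1700000002.3\t10.1.2.30\t10.1.5.12\t445
1700000003.4\t10.1.2.30\t10.1.5.13\t445
1700000004.5\t10.1.2.30\t10.1.5.14\t445
1700000010.0\t10.1.2.44\t10.1.5.10\t445
1700000011.0\t10.1.2.44\t10.1.5.99\t443
"""
# Constructed macOS process events (JSON lines): ts, host_ip, cmdline
PROC_EVENTS = """\
{"ts": 1699999990.0, "host_ip": "10.1.2.30", "cmdline": "smbutil view //10.1.5.10"}
{"ts": 1700000008.0, "host_ip": "10.1.2.44", "cmdline": "mount_smbfs //fs/finance /Volumes/finance"}
"""

def smb_fanout(conn_text, window=60.0, threshold=5):
    """src -> (burst_start, dsts) when src hit >= threshold distinct tcp/445 hosts within window s."""
    events = defaultdict(list)
    for line in conn_text.splitlines():
        ts, src, dst, port = line.split("\t")
        if port == "445":
            events[src].append((float(ts), dst))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # sliding window over time-ordered events
            dsts = {d for t, d in evs[i:] if t - t0 <= window}
            if len(dsts) >= threshold:
                hits[src] = (t0, dsts)
                break
    return hits

def correlate(conn_text, proc_text, window=60.0, threshold=5, lookback=300.0):
    """(src, cmdline, dsts) for fan-out sources that ran a native SMB tool <= lookback s before the burst."""
    fanout = smb_fanout(conn_text, window, threshold)
    alerts = []
    for raw in proc_text.splitlines():
        ev = json.loads(raw)
        if ev["host_ip"] in fanout and any(t in ev["cmdline"] for t in SMB_TOOLS):
            t0, dsts = fanout[ev["host_ip"]]
            if 0 <= t0 - ev["ts"] <= lookback:  # tool ran before, not after, the burst
                alerts.append((ev["host_ip"], ev["cmdline"], sorted(dsts)))
    return alerts
```

Tune `window`, `threshold` and `lookback` against the role-based baseline the bullets above call for; the single mount_smbfs host with one destination is deliberately left unflagged.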
Mitigation priorities
- Confirm least-privilege access to SMB shares and reduce broad share visibility where business need is weak.
- Segment SMB access so macOS endpoints can only reach required file-share services.
- Ensure macOS endpoint logging and network SMB monitoring are enabled in locations where internal discovery would matter.
- Document approved administrative share-enumeration workflows so SOC teams can suppress known-good activity without ignoring unusual sources.
- Prepare incident response triage steps for a macOS host showing broad SMB enumeration, including asset owner validation and review of accessed shares.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for macOS focused on SMB share enumeration using native or scripted methods and follow-on outbound SMB connections visible in PF or Zeek logs. There are no supplied relationships, tactics, aliases, or official detection logic, so this analysis emphasizes validation of telemetry and correlation rather than a specific detection rule.
This summary is limited to the official STIX fields, external reference, and supplied relationship context. It does not establish adversary use, prevalence, impact, or guaranteed detectability. Local baselines, network architecture, endpoint logging depth, and approved administrative workflows are required to determine material risk and practical alert thresholds.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 21ccc4659556… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0515 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.