AN0598: Analytic 0598
Processes on macOS initiate external connections that consistently transmit data in fixed sizes using LaunchAgents or unexpected users.
Analyst context for executives and security teams
This analytic is about spotting macOS processes that make external network connections and repeatedly send data in fixed-size chunks, especially when launched through LaunchAgents or running under unexpected user accounts. For leaders, the value is not the pattern alone; it is whether the organization can connect macOS endpoint activity, user context, persistence mechanisms, and network telemetry quickly enough to decide whether the behavior is approved software, misconfiguration, or suspicious outbound activity.
Executive priority
Prioritize this as a macOS visibility and response-readiness question. Security leaders should ask whether SOC and IR teams can prove which users and LaunchAgents are allowed to initiate outbound connections, whether fixed-size outbound transmission patterns are observable, and whether exceptions for legitimate tools are documented. This supports operational resilience, audit evidence, and incident triage by reducing uncertainty around unusual macOS outbound behavior.
Technical view
Validate coverage on macOS for process-to-network correlation, LaunchAgent execution context, user identity context, and outbound byte-count patterns over time. Because ATT&CK provides no detection logic or tactic mapping for this analytic, teams should treat it as a detection design prompt rather than a ready rule. Investigations should focus on processes that repeatedly connect externally, transmit consistent data sizes, are started by LaunchAgents, or execute under users that are unexpected for the process or host role.
Likely telemetry
- macOS process creation and process lineage events
- LaunchAgent configuration and execution records
- User account context for running processes
- Outbound network connection metadata from macOS endpoints
- Network flow or proxy records showing destination, timing, and byte counts
Detection direction
- Baseline legitimate macOS applications and LaunchAgents that regularly send fixed-size outbound traffic to reduce false positives.
- Correlate fixed-size outbound transmissions with process name, parent process, LaunchAgent source, signing or trust context where available, and user account.
- Tune for unexpected users launching network-capable processes rather than relying only on destination or byte size patterns.
- Review recurring external connections over time; single events may be noisy without repetition and context.
- Account for blind spots where endpoint telemetry lacks process-to-network attribution or where network devices cannot see per-process context.
Mitigation priorities
- Establish and maintain an inventory of approved macOS LaunchAgents and the users or services expected to run them.
- Limit unnecessary user privileges and review unexpected service or user contexts on macOS endpoints.
- Ensure macOS endpoint monitoring captures process, user, LaunchAgent, and network connection context needed for triage.
- Document approved outbound behavior for managed macOS software so SOC teams can distinguish normal fixed-size transmissions from suspicious patterns.
- Use IR playbooks that include containment and evidence preservation steps for suspicious macOS outbound activity, while avoiding assumptions without local validation.
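The detection-direction bullets (baseline approved LaunchAgents, correlate fixed-size outbound sends with process, LaunchAgent source and user, require repetition over time, drop internal destinations) and the first mitigation bullet (an inventory of approved LaunchAgents and the users expected to run them) can be exercised together in one small triage pass. The script below is an added example for this page and is not Glexia's or MITRE's code; the record layout, the approved-LaunchAgent inventory, the per-host expected-user map, the internal-network list and the telemetry rows are all constructed assumptions. It goes slightly beyond the text by also flagging non-LaunchAgent processes whose user is unexpected for the host, which is the "unexpected users" half of the analytic.

```python
"""
Toy detection pass for ATT&CK analytic AN0598: macOS processes that repeatedly
send fixed-size data to external hosts, launched via a LaunchAgent or running as
an unexpected user. Added example, not Glexia's or MITRE's code. Every table
and telemetry row below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional
import ipaddress
import statistics

# Constructed inventory of approved LaunchAgents (mitigation bullet):
# label -> expected process name and the users allowed to run it.
APPROVED_LAUNCHAGENTS = {
    "com.example.backup": {"process": "backupd", "users": {"alice", "bob"}},
}
# Constructed map of which users are expected to run non-LaunchAgent network
# processes on each host (the "unexpected for the host role" check).
EXPECTED_USERS_BY_HOST = {"mac-alice": {"alice"}}
# Networks treated as internal; anything else counts as "external". Spelled out
# because ipaddress.is_private also covers the RFC 5737 documentation ranges
# used in the sample data below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


@dataclass(frozen=True)
class ConnRecord:
    ts: int                     # epoch seconds of the outbound connection
    host: str
    process: str
    user: str
    launch_agent: Optional[str]  # LaunchAgent label, or None if not launched that way
    dst_ip: str
    bytes_out: int


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def sizes_are_fixed(sizes: List[int], max_cv: float = 0.05) -> bool:
    """True when byte counts are near-identical (coefficient of variation <= max_cv)."""
    if len(sizes) < 2:
        return False
    mean = statistics.mean(sizes)
    return mean > 0 and statistics.pstdev(sizes) / mean <= max_cv


def context_reasons(rec: ConnRecord) -> List[str]:
    """Why this process/user/LaunchAgent combination is outside the baseline (empty if approved)."""
    if rec.launch_agent is None:
        expected = EXPECTED_USERS_BY_HOST.get(rec.host, set())
        return [] if rec.user in expected else [f"user {rec.user} unexpected on host {rec.host}"]
    approved = APPROVED_LAUNCHAGENTS.get(rec.launch_agent)
    if approved is None:
        return [f"LaunchAgent {rec.launch_agent} not in approved inventory"]
    reasons = []
    if rec.process != approved["process"]:
        reasons.append(f"process {rec.process} unexpected for {rec.launch_agent}")
    if rec.user not in approved["users"]:
        reasons.append(f"user {rec.user} unexpected for {rec.launch_agent}")
    return reasons


def find_fixed_size_beacons(records: List[ConnRecord], min_repeats: int = 4) -> List[dict]:
    """Group by (host, process, user, LaunchAgent, destination); report groups with
    repeated fixed-size external sends whose context is not covered by the baseline."""
    groups = defaultdict(list)
    for r in records:
        groups[(r.host, r.process, r.user, r.launch_agent, r.dst_ip)].append(r)
    findings = []
    for (host, proc, user, agent, dst), recs in groups.items():
        if not is_external(dst) or len(recs) < min_repeats:
            continue                      # internal, or a single noisy event
        sizes = [r.bytes_out for r in recs]
        if not sizes_are_fixed(sizes):
            continue                      # variable sizes: ordinary traffic
        reasons = context_reasons(recs[0])
        if not reasons:
            continue                      # approved LaunchAgent / expected user: baselined out
        pattern = f"{len(recs)} external sends of ~{int(statistics.mean(sizes))} bytes to {dst}"
        findings.append({"host": host, "process": proc, "user": user,
                         "launch_agent": agent, "dst": dst, "reasons": [pattern] + reasons})
    return findings


def _rows(host, proc, user, agent, dst, sizes, start=1_700_000_000, step=600):
    return [ConnRecord(start + i * step, host, proc, user, agent, dst, s) for i, s in enumerate(sizes)]


# Constructed telemetry: one approved agent, one unapproved agent, a browser with
# variable sizes, an internal-only sync job, and a root-owned helper beaconing out.
SAMPLE = (
    _rows("mac-alice", "backupd", "alice", "com.example.backup", "203.0.113.10", [4096] * 5)
    + _rows("mac-alice", "updater", "_www", "com.acme.updater", "198.51.100.7", [512] * 6)
    + _rows("mac-alice", "Safari", "alice", None, "203.0.113.50", [1200, 80, 9000, 345, 2048])
    + _rows("mac-alice", "sync", "alice", None, "10.0.0.5", [256] * 5)
    + _rows("mac-alice", "helper", "root", None, "203.0.113.99", [1024] * 4)
)

if __name__ == "__main__":
    for f in find_fixed_size_beacons(SAMPLE):
        print(f["process"], f["user"], f["launch_agent"], "->", "; ".join(f["reasons"]))
```

Run against the constructed rows, only `updater` (unapproved LaunchAgent running as `_www`) and `helper` (root on a host where only `alice` is expected) are reported; the approved backup agent, the browser with variable sizes and the internal-only sync job are baselined out. The grouping key, the repeat threshold and the size-variance tolerance are the knobs a team would tune against its own fleet, as the analyst notes below stress.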
Analyst notes and limits
The supplied object is a detection analytic for macOS only. It describes a behavioral pattern involving external connections, fixed-size data transmission, LaunchAgents, and unexpected users. No official detection query, tactics, ATT&CK relationships, groups, software, campaigns, or mitigations were supplied, so this take focuses on defensive validation and telemetry requirements.
Coverage and risk significance depend on local macOS fleet composition, endpoint logging depth, network telemetry retention, and known-good LaunchAgent baselines. The object does not support claims about active exploitation, attribution, affected organizations, impact, or guaranteed detection.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8a7bbca83988… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0598 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.