AN0635: Analytic 0635
Applications making outbound connections on non-standard ports or launchd services bound to ports inconsistent with system baselines.
Analyst context for executives and security teams
This analytic is about spotting macOS applications or launchd services communicating in ways that do not match the organization’s expected network baseline, such as outbound connections on unusual ports or services bound to unexpected ports. For leaders, the value is not the port number itself; it is whether the organization can prove what “normal” macOS network behavior looks like and quickly investigate deviations that may affect incident response decisions.
Executive priority
Prioritize this where macOS endpoints are material to business operations, privileged user workflows, development environments, or regulated evidence requirements. The key management question is whether security teams have a defensible baseline for macOS application and launchd network behavior, and whether exceptions can be explained by approved business software rather than discovered only during an incident.
Technical view
SOC and detection teams should validate collection and correlation of macOS network connection activity with process/application context and launchd service information. Because the ATT&CK object provides no tactic, technique relationship, or official detection logic, this should be treated as a baseline-deviation analytic: identify outbound connections on non-standard ports and launchd services bound to ports inconsistent with known-good host or fleet baselines, then enrich with process path, code-signing status (where available locally), parent process, user, host role, and approved software inventory.
Likely telemetry
- macOS endpoint network connection events, including destination port and direction
- Process or application metadata associated with network connections
- launchd service or daemon configuration and runtime state
- Host and fleet baselines for expected listening or bound ports
- Asset role, user context, and approved software inventory for exception handling
Detection direction
- Define what counts as a non-standard or unexpected port by host role and macOS fleet baseline rather than relying only on generic port lists.
- Tune for approved business applications that legitimately use uncommon ports to reduce false positives.
- Correlate unusual outbound ports with the responsible application or process and any related launchd service binding.
- Review drift over time: newly introduced bound ports or application behaviors may be more meaningful than long-standing known exceptions.
- Account for the main blind spot: without endpoint network telemetry and launchd visibility, this analytic may miss the behavior or lack enough context for triage.
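One way to implement the role-based baseline, approved-exception and drift logic above, as an added example that is not part of the ATT&CK object or any vendor tooling; the baselines, exception inventory, sample events and field names are constructed assumptions rather than a real EDR schema:

```python
"""Baseline-deviation triage for macOS outbound ports and launchd bindings.
Added example, not part of the ATT&CK object or any vendor tooling: baselines,
exceptions and events are constructed and field names are assumed."""
from dataclasses import dataclass

# Constructed per-host-role baselines: ports observed as normal for the role's
# applications ("outbound") and launchd listeners ("bound") on this fleet.
BASELINE = {
    "developer": {"outbound": {22, 443, 5432}, "bound": {22, 8080}},
    "finance": {"outbound": {443}, "bound": set()},
}
# Constructed approved-exception inventory: (process path or launchd label,
# port) pairs documented as business software that legitimately uses the port.
APPROVED = {("/Applications/ApprovedMeetings.app/Contents/MacOS/meetings", 7443)}

@dataclass
class Event:
    host: str
    role: str             # asset role used to select the baseline
    kind: str             # "outbound" connection or launchd "bound" listener
    process: str          # process path or launchd label (constructed)
    port: int
    first_seen_days: int  # age of this (process, port) pair in the baseline store

def classify(ev: Event) -> str:
    """Label one event: baseline, approved, new_deviation or known_deviation."""
    expected = BASELINE.get(ev.role, {}).get(ev.kind, set())
    if ev.port in expected:
        return "baseline"
    if (ev.process, ev.port) in APPROVED:
        return "approved"
    # Drift: a pair first seen today outranks one present for months without
    # a documented exception; the latter is a baseline-hygiene finding.
    return "new_deviation" if ev.first_seen_days <= 1 else "known_deviation"

def triage(events):
    """Group (host, process, port) by label; the SOC reviews new_deviation first."""
    groups = {k: [] for k in ("baseline", "approved", "new_deviation", "known_deviation")}
    for ev in events:
        groups[classify(ev)].append((ev.host, ev.process, ev.port))
    return groups

# Constructed sample telemetry for two hosts.
EVENTS = [
    Event("dev-01", "developer", "outbound", "/usr/bin/ssh", 22, 400),
    Event("fin-02", "finance", "outbound", "/Applications/ApprovedMeetings.app/Contents/MacOS/meetings", 7443, 90),
    Event("fin-02", "finance", "outbound", "/Users/jdoe/Library/Caches/helper", 9001, 0),
    Event("dev-01", "developer", "bound", "com.example.agent", 5000, 120),
]
```

Running `triage(EVENTS)` puts only the finance host's day-old helper on port 9001 into `new_deviation`, while the long-standing launchd listener on 5000 surfaces as a known but undocumented exception to clean up.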
Mitigation priorities
- Establish and maintain macOS network behavior baselines for critical user groups and host roles.
- Inventory authorized applications and launchd services that are permitted to bind to or communicate over uncommon ports.
- Use endpoint and network controls to restrict or review unnecessary outbound connectivity where business requirements allow.
- Document approved exceptions so SOC triage and compliance evidence can distinguish expected behavior from anomalies.
- Integrate baseline review into incident response readiness so unusual macOS port activity can be assessed quickly during investigations.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for macOS only. It describes suspicious baseline deviation involving outbound connections on non-standard ports or launchd services bound to inconsistent ports. No tactic, technique relationship, threat actor context, detection pseudocode, or mitigation relationship was supplied, so this write-up focuses on defensive validation and operational decision value rather than specific adversary behavior.
Official detection content and relationship context were not provided. Port abnormality is environment-dependent, and local asset roles, approved software, endpoint telemetry, and historical baselines are required before this can be treated as high-confidence suspicious activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 85316297ecd2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0635
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.