MITRE ATT&CK® Analytic

AN0639: Analytic 0639

Initial process using NSURLSession or similar APIs reaches out to known staging domains, followed by creation of a reverse shell or RAT connecting to a second unrelated server.

Enterprise | AN0639 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it describes a macOS pattern where an initial process contacts known staging infrastructure using NSURLSession or similar networking APIs, then a reverse shell or remote access tool connects to a different server. For leaders, the value is not the analytic name itself, but the control question it raises: can the organization connect macOS process activity, API-driven network connections, and follow-on outbound command-and-control-like sessions across different destinations?

Executive priority

Prioritize this as a macOS visibility and response-readiness question. If business-critical users or administrators rely on macOS endpoints, executives should ask whether SOC and IR teams can reconstruct outbound connections by process, distinguish expected application traffic from suspicious staging behavior, and preserve evidence needed for incident decisions and audit support. Because ATT&CK provides no tactic mapping, detection logic, or relationship context here, this should be treated as a validation target rather than proof of current exposure or active exploitation.

Technical view

For SOC and detection teams, validate whether macOS telemetry can show an initial process making outbound connections through NSURLSession or similar APIs to known staging domains, followed by creation or execution of a reverse shell or RAT-like process connecting to a second unrelated server. Detection engineering should focus on correlating process lineage, network destination reputation or known staging-domain lists, timing between first and second connections, and whether the second connection is unusual for the host or user. IR teams should confirm they can pivot from domain contact to process metadata, child processes, persistence indicators if present locally, and additional outbound sessions.

Likely telemetry

  • macOS endpoint process creation and parent-child process lineage
  • macOS network connection telemetry with process attribution
  • DNS query logs or secure DNS resolver logs for staging-domain lookups
  • HTTP/TLS proxy or firewall logs showing outbound destinations and timing
  • Endpoint security telemetry capable of identifying remote shell or RAT-like execution patterns

Detection direction

  • Validate correlation across two phases: initial staging-domain contact and later outbound connection to a different unrelated server.
  • Tune for macOS-specific process and network attribution rather than domain-only matching, since domain reputation alone may be incomplete or noisy.
  • Review false positives from legitimate macOS applications using NSURLSession or similar APIs for software updates, telemetry, or cloud services.
  • Confirm whether detection tools retain enough timing, process lineage, and destination context to link the first and second network events.
  • Because no official detection logic is provided, treat this as an analytic design requirement that must be tested against local baselines.
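The two-phase correlation described in the technical view and the detection direction above, as an added worked example that is not part of the MITRE object or of Glexia's analysis. It assumes process-attributed network telemetry of the kind an EDR or Endpoint Security client emits (the field names `ts`, `pid`, `ppid`, `path`, `dest_host` are assumptions, not a vendor schema); note that such telemetry shows which process owns a connection, not whether it was made through NSURLSession, so the correlation keys on process lineage rather than on the API. The staging-domain list, baseline destinations, process paths and events are all constructed sample data.

```python
"""
Two-phase correlation for the AN0639 behaviour pattern on macOS.

Phase 1: a process contacts a known staging domain.
Phase 2: within a time window, that process or one of its descendants
connects to a second destination that is unrelated to the staging domain
and absent from the host's baseline of expected destinations.

All events, domain lists and paths here are constructed sample data; the
field names are an assumption, not any vendor's EDR schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: float
    pid: int
    ppid: int
    path: str


@dataclass(frozen=True)
class NetEvent:
    ts: float
    pid: int
    dest_host: str   # from DNS answer, TLS SNI or proxy log, attributed to pid
    dest_port: int


# Constructed threat-intel and baseline lists (assumptions for the example).
STAGING_DOMAINS = {"staging.example-bad.test"}
BASELINE_DESTS = {"swscan.apple.com", "api.example-corp.test"}
# Interpreters and utilities commonly used to stand up a reverse shell.
SHELL_LIKE = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/nc", "/usr/bin/python3"}
WINDOW_SECONDS = 600.0


def registrable_domain(host):
    """Crude eTLD+1 (last two labels) so dl.x.test and staging.x.test count as one infrastructure."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_self_or_descendant(pid, ancestor, parent_map):
    """Walk the ppid chain upward from pid; True if it reaches ancestor."""
    seen = set()
    cur = pid
    while cur is not None and cur not in seen:
        if cur == ancestor:
            return True
        seen.add(cur)
        proc = parent_map.get(cur)
        cur = proc.ppid if proc else None
    return False


def correlate(procs, nets, window=WINDOW_SECONDS):
    """Return one alert per (staging contact, follow-on unrelated connection) pair."""
    parent_map = {p.pid: p for p in procs}
    ordered = sorted(nets, key=lambda n: n.ts)
    alerts = []
    for first in ordered:
        if first.dest_host.lower() not in STAGING_DOMAINS:
            continue
        staging_infra = registrable_domain(first.dest_host)
        for second in ordered:
            if second.ts <= first.ts or second.ts - first.ts > window:
                continue
            if not is_self_or_descendant(second.pid, first.pid, parent_map):
                continue
            host = second.dest_host.lower()
            if host in BASELINE_DESTS or registrable_domain(host) == staging_infra:
                continue  # expected traffic, or the same infrastructure as the stager
            proc = parent_map.get(second.pid)
            alerts.append({
                "stage1_pid": first.pid,
                "stage1_host": first.dest_host,
                "stage2_pid": second.pid,
                "stage2_path": proc.path if proc else None,
                "stage2_dest": f"{second.dest_host}:{second.dest_port}",
                "shell_like": bool(proc and proc.path in SHELL_LIKE),
                "delta_seconds": second.ts - first.ts,
            })
    return alerts


def sample_events():
    """Constructed telemetry: one benign updater, one staged installer that spawns zsh -> nc."""
    procs = [
        ProcEvent(0.0, 1, 0, "/sbin/launchd"),
        ProcEvent(10.0, 501, 1, "/Applications/Updater.app/Contents/MacOS/Updater"),
        ProcEvent(12.0, 502, 1, "/Users/alice/Downloads/Installer.app/Contents/MacOS/Installer"),
        ProcEvent(20.0, 503, 502, "/bin/zsh"),
        ProcEvent(21.0, 504, 503, "/usr/bin/nc"),
    ]
    nets = [
        NetEvent(11.0, 501, "swscan.apple.com", 443),           # baseline, ignored
        NetEvent(13.0, 502, "staging.example-bad.test", 443),   # phase 1
        NetEvent(14.0, 502, "dl.example-bad.test", 443),        # same infra, not "unrelated"
        NetEvent(25.0, 504, "c2.other-infra.test", 4444),       # phase 2 by grandchild: alert
        NetEvent(26.0, 501, "cdn.other-infra.test", 443),       # unrelated process, ignored
        NetEvent(2000.0, 504, "late.other-infra.test", 443),    # outside window, ignored
    ]
    return procs, nets


def run_sample():
    procs, nets = sample_events()
    return correlate(procs, nets)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Running the sample yields a single alert: the staging contact by pid 502, then the grandchild `nc` (pid 504) reaching `c2.other-infra.test:4444` twelve seconds later. The connection to `dl.example-bad.test` is deliberately not treated as the second phase because it shares registrable infrastructure with the stager, and the late connection at 2000 s falls outside the window; both are the kind of baseline decisions the detection direction says must be tested locally.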

Mitigation priorities

  • Ensure macOS endpoints have process-aware network visibility and retention sufficient for investigation.
  • Restrict or monitor outbound traffic where business-appropriate, especially to newly observed, untrusted, or known staging domains.
  • Maintain and govern threat-intelligence inputs used for staging-domain identification, including expiration and validation processes.
  • Harden endpoint execution controls and review whether remote shell or RAT-like tooling can run without alerting or administrative review.
  • Prepare IR playbooks for macOS cases that require rapid triage of process lineage, outbound connections, and suspected remote access behavior.

Analyst notes and limits

The supplied object is a detection analytic for enterprise ATT&CK, platform macOS, external ID AN0639. It describes a behavioral sequence but provides no official detection field, no ATT&CK tactic, no related techniques, and no relationships. The strongest defensive use is to validate telemetry correlation and response workflow coverage for macOS networked process behavior.

Assessment is limited to the supplied ATT&CK fields and external reference. No attribution, active exploitation, impact level, specific malware family, vendor control, or guaranteed detection coverage is supported by the source data. Local endpoint, DNS, proxy, firewall, and EDR evidence is required to determine whether this behavior is observable in a specific environment.

Official MITRE ATT&CK definition

Analytic 0639

Initial process using NSURLSession or similar APIs reaches out to known staging domains, followed by creation of a reverse shell or RAT connecting to a second unrelated server.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (empty in mirrored snapshot)
Modified: (empty in mirrored snapshot)
Raw hash: 75027e85b982806b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 75027e85b982…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0639 (Open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.