MITRE ATT&CK® Analytic

AN0685: Analytic 0685

Monitor FaceTime, iMessage, or SIP client logs for anomalous voice call attempts. Link to subsequent user execution events (downloads, RMM installs) triggered post-call.

Domain: Enterprise | Object: AN0685 (Analytic) | Version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because it treats unusual macOS voice or messaging call activity as a possible precursor to user-driven follow-on actions, such as downloads or remote management tool installs. For leaders, the decision value is whether the organization can connect communication-app activity to endpoint execution events quickly enough to support help desk triage, SOC escalation, or incident response containment.

Executive priority

Prioritize this where macOS users rely on FaceTime, iMessage, or SIP clients and where social interaction could lead to risky user execution. The business question is not just whether call logs exist, but whether security teams can correlate them with later endpoint activity to distinguish routine communications from suspicious sequences. This supports incident decision-making, user-awareness validation, managed detection requirements, and audit evidence that macOS endpoint telemetry is not a blind spot.

Technical view

For SOC and detection teams, validate whether FaceTime, iMessage, and SIP client logs are available on macOS endpoints and can be correlated with subsequent user execution events. The supplied analytic specifically calls out post-call downloads and remote management/RMM installs, so correlation logic should focus on time-bounded sequences from anomalous call attempts to endpoint execution, installer activity, or downloaded files. Because no tactic, relationship context, or formal detection logic is supplied, local baselining is required to define what counts as anomalous for each user population.

Likely telemetry

  • macOS FaceTime logs or related communication-app artifacts
  • macOS iMessage logs or related communication-app artifacts
  • SIP client logs on macOS where used
  • Endpoint process execution events after the call attempt
  • File download events after the call attempt

Detection direction

  • Confirm the organization actually collects and retains the relevant macOS communication-client logs; many environments may collect endpoint execution telemetry but not call or messaging-client evidence.
  • Build or validate correlation between anomalous call attempts and later user execution events such as downloads or RMM installs, using a time window appropriate to local workflows.
  • Baseline normal FaceTime, iMessage, and SIP usage by user group to reduce false positives from legitimate calls, support activity, conferencing, or approved remote support workflows.
  • Tune alerts around sequence and context rather than a single call event, since the supplied analytic emphasizes linking call activity to subsequent execution.
  • Document blind spots where privacy settings, endpoint logging gaps, unmanaged SIP clients, or limited macOS telemetry prevent reliable correlation.
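The correlation logic described above, written out as a small added example (this is not Glexia's or MITRE's code, and the page supplies no detection implementation). The event schema, field names, callers, file paths, approved RMM bundle path, and the per-group caller baseline are all constructed assumptions; real FaceTime, iMessage, and SIP client logs will need their own normalization step before they fit this shape.

```python
"""Correlate anomalous macOS call attempts with post-call user execution.

Added example for analytic AN0685; not Glexia's or MITRE's code. The event
schema, field names, callers, paths and baselines below are constructed
assumptions, not real FaceTime, iMessage or SIP client log formats.
"""
from datetime import datetime, timedelta

# Correlation window: how long after an anomalous call attempt a download or
# install still counts as "post-call". Tune to local help desk workflows.
WINDOW = timedelta(minutes=30)

# Assumed local baseline: callers each user group routinely receives calls
# from, and RMM tools approved for use, keyed by their expected bundle path.
BASELINE_CALLERS = {
    "finance": {"helpdesk@corp.example", "+1-555-0100"},
    "engineering": {"helpdesk@corp.example", "sip:oncall@pbx.corp.example"},
}
APPROVED_RMM_PATHS = {"/Applications/ApprovedRemoteSupport.app"}

# Constructed, normalized call-attempt events from communication-app logs.
CALL_EVENTS = [
    {"ts": "2026-03-02T09:02:10", "host": "mac-fin-07", "user": "alice",
     "group": "finance", "app": "facetime", "direction": "inbound",
     "caller": "helpdesk@corp.example"},
    {"ts": "2026-03-02T09:15:44", "host": "mac-fin-07", "user": "alice",
     "group": "finance", "app": "facetime", "direction": "inbound",
     "caller": "it-support-desk@example.net"},
    {"ts": "2026-03-02T14:30:00", "host": "mac-eng-12", "user": "bob",
     "group": "engineering", "app": "sip", "direction": "inbound",
     "caller": "sip:anonymous@203.0.113.5"},
]

# Constructed endpoint telemetry: downloads and process executions.
ENDPOINT_EVENTS = [
    {"ts": "2026-03-02T09:20:05", "host": "mac-fin-07", "user": "alice",
     "kind": "download", "path": "/Users/alice/Downloads/SupportTool.pkg"},
    {"ts": "2026-03-02T09:22:31", "host": "mac-fin-07", "user": "alice",
     "kind": "exec", "path": "/usr/sbin/installer", "first_seen": False},
    {"ts": "2026-03-02T14:32:10", "host": "mac-eng-12", "user": "bob",
     "kind": "exec", "first_seen": True,
     "path": "/Applications/ApprovedRemoteSupport.app/Contents/MacOS/ApprovedRemoteSupport"},
    {"ts": "2026-03-02T16:00:00", "host": "mac-fin-07", "user": "alice",
     "kind": "download", "path": "/Users/alice/Downloads/q1-report.pdf"},
]


def parse_ts(value):
    """Timestamps are assumed to be ISO 8601 in one common timezone."""
    return datetime.fromisoformat(value)


def is_anomalous_call(call):
    """Anomalous here means an inbound call from a caller outside the user
    group's baseline; production logic should use locally derived baselines."""
    known = BASELINE_CALLERS.get(call["group"], set())
    return call["direction"] == "inbound" and call["caller"] not in known


def is_risky_execution(event):
    """Installer-type downloads, installer runs, execution out of a Downloads
    folder, or first launch of an app bundle that is not an approved RMM tool."""
    path = event["path"]
    if event["kind"] == "download":
        return path.lower().endswith((".pkg", ".dmg", ".zip"))
    if event["kind"] == "exec":
        if any(path.startswith(p) for p in APPROVED_RMM_PATHS):
            return False  # approved RMM tool: expected, not a finding
        return (path == "/usr/sbin/installer"
                or "/Downloads/" in path
                or (event.get("first_seen", False)
                    and path.startswith("/Applications/")))
    return False


def correlate(calls, endpoint_events, window=WINDOW):
    """One finding per anomalous call that is followed, on the same host and
    user within the window, by at least one risky execution event."""
    findings = []
    for call in calls:
        if not is_anomalous_call(call):
            continue
        start = parse_ts(call["ts"])
        followups = [
            ev for ev in endpoint_events
            if ev["host"] == call["host"] and ev["user"] == call["user"]
            and start <= parse_ts(ev["ts"]) <= start + window
            and is_risky_execution(ev)
        ]
        if followups:
            findings.append({"call": call, "followups": followups})
    return findings


if __name__ == "__main__":
    for f in correlate(CALL_EVENTS, ENDPOINT_EVENTS):
        c = f["call"]
        print(f"{c['ts']} {c['host']} {c['user']}: anomalous {c['app']} "
              f"call from {c['caller']}")
        for ev in f["followups"]:
            print(f"    -> {ev['ts']} {ev['kind']} {ev['path']}")
```

On the constructed data, only alice's 09:15 call from an unknown caller produces a finding, with the package download and installer run that follow it inside the 30-minute window; bob's anonymous SIP call is anomalous but is followed only by a launch of the approved RMM tool, so it is not escalated. The single-call-is-not-enough point from the list above is what the `followups` requirement enforces.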

Mitigation priorities

  • Inventory where FaceTime, iMessage, and SIP clients are used on managed macOS endpoints and decide what logging is acceptable and available.
  • Ensure endpoint detection or device management telemetry captures process execution, downloads, and software installation events on macOS.
  • Define approved remote management/RMM tools and expected installation paths so unexpected post-call installs can be triaged faster.
  • Use user awareness, help desk procedures, and incident response playbooks to handle suspicious call-to-execution sequences without assuming every call is malicious.
  • Review retention and correlation capability across communication logs, endpoint telemetry, and identity/device context so investigations can reconstruct the sequence.

Analyst notes and limits

This is a detection analytic object, not a full ATT&CK technique description. The official description is narrow: monitor FaceTime, iMessage, or SIP client logs for anomalous voice call attempts and link them to later user execution events such as downloads or RMM installs. No relationships, tactic mapping, or official detection logic were supplied, so the most defensible use is as a validation prompt for macOS telemetry and correlation coverage.

The supplied object has no tactic, no related techniques or groups, no official detection implementation, and no relationship context. It applies to macOS only. Any judgment about maliciousness, prevalence, attribution, impact, or detection effectiveness requires local telemetry, baselines, and investigation evidence.

Official MITRE ATT&CK definition

Analytic 0685

Monitor Facetime, iMessage, or SIP client logs for anomalous voice call attempts. Link to subsequent user execution events (downloads, RMM installs) triggered post-call.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 1654b2f2b312d74d...

Imported snapshots across ATT&CK releases (1)

Release: 19.1 | Bundle imported: | Object version: 1.0 | Modified: | Status: Current bundle | Raw hash: 1654b2f2b312…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack, AN0685 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.