MITRE ATT&CK® Analytic

AN0761: Analytic 0761

Applications or launchd jobs initiating encrypted TLS traffic to rare external hosts. Defender observes unified logs showing SSL/TLS API calls by processes not baseline-approved, and payload entropy suggesting encrypted C2 sessions.

Enterprise | AN0761 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting macOS applications or launchd jobs that make encrypted TLS connections to uncommon external hosts, especially when the process is not part of an approved baseline. For leaders, the practical value is not that TLS is suspicious by itself, but that encrypted outbound traffic can hide command-and-control or unauthorized remote activity unless the organization can tie network behavior back to trusted macOS processes and expected destinations.

Executive priority

Prioritize this as a validation question for macOS endpoint visibility and egress monitoring: can the security team show which processes and launchd jobs are initiating encrypted external traffic, and whether those destinations are normal for the business? This matters for incident triage, managed detection quality, audit evidence around monitoring, and resilience against encrypted communications that may bypass content inspection.

Technical view

ATT&CK provides a macOS-focused analytic description but no formal detection logic. SOC and detection engineering teams should validate whether unified logs, endpoint process telemetry, and network metadata can correlate TLS API usage or encrypted outbound sessions with the initiating application or launchd job. The core analytic concept is rarity and baseline deviation: processes not approved in the local baseline initiating TLS traffic to rare external hosts, with entropy signals suggesting encrypted sessions.

Likely telemetry

  • macOS unified logs showing SSL/TLS API activity
  • Endpoint process execution and parent/child process context
  • launchd job execution and persistence-related configuration evidence
  • Outbound network connection metadata, including destination host, domain, IP, port, and timestamp
  • Process-to-network correlation from EDR, endpoint logging, or network sensors

Detection direction

  • Build or validate a macOS application and launchd baseline before treating rare TLS activity as high confidence.
  • Correlate encrypted outbound connections to the responsible process, user context, signing status, and launchd origin where available.
  • Tune for legitimate software updaters, enterprise agents, browsers, collaboration tools, developer tools, and security products that commonly initiate TLS to variable destinations.
  • Prioritize alerts where an unapproved or unusual process initiates TLS to a rare external host and the activity is new for the device or user.
  • Because no official detection logic is supplied, test locally with available telemetry and document gaps where unified logs, process-network correlation, or destination rarity scoring are unavailable.
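The rarity-and-baseline-deviation idea from the Technical view and the prioritization rules above, as an added worked example (not ATT&CK or Glexia code): it scores constructed process-to-network rows against an assumed local baseline, computes destination rarity across the fleet, and only alerts when an unapproved process meets a rare destination. Field names, baseline sets and thresholds are assumptions.

```python
# Constructed sample events (not real telemetry): one row per outbound TLS session,
# joined from unified-log TLS API entries and EDR process metadata. The field names
# are assumptions, not an ATT&CK or vendor schema.
EVENTS = [
    {"host": "mac-01", "proc": "com.apple.Safari", "signed": True, "launchd": False, "dst": "cdn.example-saas.test"},
    {"host": "mac-02", "proc": "com.apple.Safari", "signed": True, "launchd": False, "dst": "cdn.example-saas.test"},
    {"host": "mac-03", "proc": "corp-agent", "signed": True, "launchd": True, "dst": "telemetry.corp.test"},
    {"host": "mac-01", "proc": "corp-agent", "signed": True, "launchd": True, "dst": "telemetry.corp.test"},
    {"host": "mac-02", "proc": ".hidden_helper", "signed": False, "launchd": True, "dst": "203.0.113.45"},
    {"host": "mac-03", "proc": "com.apple.Safari", "signed": True, "launchd": False, "dst": "198.51.100.7"},
]
# Local baseline (assumed): approved process identifiers and expected destinations.
APPROVED_PROCS = {"com.apple.Safari", "corp-agent"}
APPROVED_DSTS = {"cdn.example-saas.test", "telemetry.corp.test"}
RARE_THRESHOLD = 2  # destination contacted by fewer distinct endpoints than this is "rare"

def destination_rarity(events):
    """Map each destination to the number of distinct endpoints that contacted it."""
    seen = {}
    for e in events:
        seen.setdefault(e["dst"], set()).add(e["host"])
    return {dst: len(hosts) for dst, hosts in seen.items()}

def score_event(event, rarity):
    """Score one TLS session on baseline deviation plus destination rarity."""
    score, reasons = 0, []
    if event["proc"] not in APPROVED_PROCS:
        score += 3
        reasons.append("process not in baseline")
        if event["launchd"]:
            score += 1
            reasons.append("unapproved launchd job")
    if event["dst"] not in APPROVED_DSTS and rarity[event["dst"]] < RARE_THRESHOLD:
        score += 2
        reasons.append("rare external destination")
    if not event["signed"]:
        score += 2
        reasons.append("unsigned binary")
    return score, reasons

def triage(events, alert_at=4):
    """Return only sessions that cross the alert threshold, highest score first."""
    rarity = destination_rarity(events)
    alerts = []
    for e in events:
        score, reasons = score_event(e, rarity)
        if score >= alert_at:
            alerts.append({"host": e["host"], "proc": e["proc"], "dst": e["dst"], "score": score, "why": reasons})
    return sorted(alerts, key=lambda a: -a["score"])
```

The approved browser reaching a rare destination scores below the threshold, which is the tuning point for browsers and updaters that legitimately contact variable hosts.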

Mitigation priorities

  • Establish and maintain an approved baseline for macOS applications, launchd jobs, and expected outbound destinations.
  • Improve macOS endpoint logging and process-to-network correlation before relying on network-only TLS observations.
  • Apply egress control and monitoring for unmanaged or unusual external destinations where business operations allow.
  • Review launchd job governance and change control so unexpected jobs are investigated quickly.
  • Use incident response playbooks that preserve unified logs, process metadata, launchd configuration, and network flow evidence for suspicious encrypted sessions.

Analyst notes and limits

This object is a detection analytic, not a technique or procedure. It is platform-scoped to macOS and describes a behavioral detection idea centered on encrypted TLS traffic from applications or launchd jobs to rare external hosts. No tactics, relationships, aliases, or detailed detection implementation are supplied.

ATT&CK does not provide official detection logic for this analytic, and no relationship context is supplied. Conclusions about maliciousness require local baselines, endpoint and network telemetry quality, and environmental knowledge of approved software and destinations.

Official MITRE ATT&CK definition

Analytic 0761

Applications or launchd jobs initiating encrypted TLS traffic to rare external hosts. Defender observes unified logs showing SSL/TLS API calls by processes not baseline-approved, and payload entropy suggesting encrypted C2 sessions.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d3e38107b18c2749...

Imported snapshots across ATT&CK releases (1)

  • Release: 19.1
  • Bundle imported:
  • Object version: 1.0
  • Modified:
  • Status: Current bundle
  • Raw hash: d3e38107b18c…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0761 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.