AN0877: Analytic 0877

Detects enabling of interface sniffing via packet capture tools or AppleScript triggering `tcpdump`. Leverages Unified Logs and process lineage to identify suspicious use of `pfctl`, `tcpdump`, or `libpcap` libraries.

EnterpriseAN0877AnalyticObject v1.0 Modified Oct 21, 2025, 15:10 UTC (UTC+00:00)

This analytic matters because packet capture on macOS can expose credentials, session tokens, internal traffic patterns, and sensitive business data moving across the network. For leaders, the key decision is whether the organization can reliably tell the difference between legitimate administration or troubleshooting and suspicious enabling of interface sniffing on managed Macs.

Executive priority

Prioritize this as a control-validation and audit-evidence question for macOS environments: do SOC and IR teams collect the logs needed to prove when packet capture tooling is used, by whom, and from what process chain? Coverage is especially important for privileged endpoints, administrator workstations, developer systems, and incident response workflows where legitimate use of tcpdump, pfctl, or libpcap-based tools may occur but must be accountable.

Technical view

AN0877 is a macOS detection analytic focused on identifying enabling of interface sniffing through packet capture tools or AppleScript-triggered tcpdump activity. Defenders should validate that Unified Logs and process lineage are collected and searchable for suspicious use of pfctl, tcpdump, and libpcap libraries. Because no ATT&CK tactic or detailed detection logic is supplied, implementation should be treated as a local detection engineering exercise: define expected administrative use, capture parent-child process context, user context, privilege context, command execution context where available, and correlate with approved change or troubleshooting activity.

Likely telemetry

macOS Unified Logs related to packet capture, network interface, and security-relevant process activity
Process creation and process lineage telemetry for tcpdump, pfctl, AppleScript-related execution, and libpcap-using processes
User, host, and privilege context for macOS process execution
Endpoint security or EDR events showing command execution and parent-child process relationships
Administrative change records or help desk tickets for legitimate packet capture or network troubleshooting activity

Detection direction

Validate that macOS Unified Logs are actually collected from the endpoints in scope and retained long enough for investigation.
Alert or hunt on suspicious process lineage involving tcpdump, pfctl, AppleScript execution paths, or applications loading libpcap, while separating approved troubleshooting from unusual usage.
Tune for role-based baselines: network engineers and IR staff may legitimately use packet capture tools, but unexpected use on executive, finance, developer, or general-user Macs should receive higher scrutiny.
Correlate packet capture activity with user identity, privilege elevation, host criticality, and nearby suspicious endpoint events rather than relying on tool names alone.
Document blind spots where process lineage, Unified Logs, or endpoint telemetry are unavailable, filtered, or not centrally searchable.

Mitigation priorities

Establish policy and approval expectations for packet capture tooling on managed macOS systems.
Restrict administrative privileges and packet capture capability to users and roles with a documented business need.
Ensure macOS endpoint logging, EDR, and centralized log retention support investigation of packet capture activity and process lineage.
Maintain an allowlist or inventory of approved troubleshooting tools and expected administrative workflows.
Use detection validation exercises to confirm that AppleScript-triggered tcpdump activity and direct use of tcpdump, pfctl, or libpcap-based tools are visible to the SOC.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a full technique description. Its value is strongest as a validation checklist for macOS telemetry and SOC triage around packet capture behavior. Local baselining is important because packet capture tools can be legitimate in administration, troubleshooting, development, and incident response contexts.

No official detection logic, tactics, relationships, aliases, or related ATT&CK objects were supplied. This take is limited to the official description, platform, external reference, and object metadata. Environment-specific risk, prevalence, and detection coverage require local telemetry review.

Official MITRE ATT&CK definition

Analytic 0877

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Raw hash: 99d49c781659ae5a...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Oct 21, 2025, 15:10 UTC (UTC+00:00)	Current bundle	`99d49c781659…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN0877
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use