MITRE ATT&CK® Analytic

AN0897: Analytic 0897

Office or scripting applications initiating unusual HTTPS traffic to code repository APIs with high outbound-to-inbound ratios. Defender perspective: monitor for sensitive file access in combination with network connections to github.com, gitlab.com, or bitbucket.org.

Enterprise | AN0897 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about a data-loss signal on macOS: office or scripting applications making unusual HTTPS connections to code repository APIs, especially when outbound traffic is much larger than inbound traffic. For leaders, the value is not “GitHub traffic is bad”; it is whether the organization can distinguish normal developer or automation activity from possible sensitive-file movement to services such as github.com, gitlab.com, or bitbucket.org.

Executive priority

Prioritize this where macOS endpoints handle sensitive documents, source code, credentials, regulated data, or business-critical intellectual property. The business question is whether SOC and incident response teams can prove what application accessed sensitive files, what external repository API it contacted, and how much data moved. This supports incident triage, data protection evidence, and control validation without assuming malicious activity from repository traffic alone.

Technical view

For macOS monitoring, validate correlation between process/application context, sensitive file access, and outbound HTTPS connections to code repository domains or APIs. The official analytic highlights office or scripting applications, unusual HTTPS traffic, and high outbound-to-inbound ratios. Because no ATT&CK tactic, relationship context, or formal detection logic is supplied, teams should treat this as a detection design pattern requiring local baselining rather than a complete rule.

Likely telemetry

  • macOS process execution and parent/child process context for office and scripting applications
  • File access events for sensitive document, source, credential, or other protected paths
  • Network connection telemetry showing destination domain, URL/API context where available, protocol, bytes sent, and bytes received
  • DNS or proxy logs for github.com, gitlab.com, and bitbucket.org
  • Endpoint or network telemetry capable of calculating outbound-to-inbound byte ratios

Detection direction

  • Baseline legitimate macOS developer, automation, CI/CD, and user workflows that access GitHub, GitLab, or Bitbucket to reduce false positives.
  • Alert on unusual combinations: office or scripting application activity, recent sensitive file access, and HTTPS connections to code repository APIs.
  • Tune on data volume and directionality, especially high outbound-to-inbound ratios, rather than domain access alone.
  • Validate visibility gaps caused by encrypted HTTPS, limited URL logging, unmanaged macOS devices, or missing file access auditing.
  • Use domain and API context conservatively; repository services are common in normal business operations.
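The three-way correlation described in the Technical view and the Detection direction bullets (office or scripting application, recent sensitive file access by that process, outbound HTTPS to a repository API with a high outbound-to-inbound byte ratio), worked through as an added example. This is not code from the ATT&CK object or from Glexia; the event schema, the sample macOS events, the application classification, the sensitive-path list, the baseline allowlist, the ten-minute window and the 5:1 ratio threshold are all constructed assumptions to be replaced by local baselining.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Destinations named in the analytic; api.github.com is an assumed API host.
REPO_DOMAINS = {"github.com", "api.github.com", "gitlab.com", "bitbucket.org"}
# Assumed classification of office/scripting applications on macOS.
OFFICE_OR_SCRIPTING_APPS = {"Microsoft Word", "Microsoft Excel", "osascript", "python3", "bash"}
# Assumed local baseline of legitimate repository clients (tune per environment).
BASELINED_APPS = {"git", "gh", "Xcode"}
# Assumed sensitive-location classification (see "Mitigation priorities").
SENSITIVE_PREFIXES = ("/Users/alice/Documents/Finance/", "/Users/alice/.ssh/", "/Users/alice/.aws/")


@dataclass(frozen=True)
class FileAccess:          # one file-access audit event (assumed schema)
    ts: datetime
    pid: int
    app: str
    path: str


@dataclass(frozen=True)
class NetFlow:             # one per-process HTTPS flow summary (assumed schema)
    ts: datetime
    pid: int
    app: str
    dest: str
    bytes_out: int
    bytes_in: int


def is_sensitive(path: str) -> bool:
    return path.startswith(SENSITIVE_PREFIXES)


def outbound_ratio(flow: NetFlow) -> float:
    # Guard against division by zero for flows that received nothing back.
    return flow.bytes_out / max(flow.bytes_in, 1)


def correlate(file_events, flows, window=timedelta(minutes=10), min_ratio=5.0):
    """Return one alert per flow that meets all three conditions of the analytic.

    Ratio alone and domain alone are deliberately not alerted on: repository
    traffic is routine, and a large upload without sensitive file access is
    left to baselining (Detection direction, bullets 3 and 5).
    """
    alerts = []
    for flow in flows:
        if flow.dest not in REPO_DOMAINS:
            continue
        # Baselined clients are excluded first; then require the app class the analytic names.
        if flow.app in BASELINED_APPS or flow.app not in OFFICE_OR_SCRIPTING_APPS:
            continue
        ratio = outbound_ratio(flow)
        if ratio < min_ratio:
            continue
        # Sensitive file access by the same process shortly before the connection.
        recent_sensitive = sorted({
            ev.path for ev in file_events
            if ev.pid == flow.pid and is_sensitive(ev.path)
            and flow.ts - window <= ev.ts <= flow.ts
        })
        if not recent_sensitive:
            continue
        alerts.append({"ts": flow.ts, "pid": flow.pid, "app": flow.app, "dest": flow.dest,
                       "bytes_out": flow.bytes_out, "bytes_in": flow.bytes_in,
                       "ratio": ratio, "sensitive_paths": recent_sensitive})
    return alerts


# Constructed sample telemetry: one developer baseline, one suspicious upload,
# one scripted download, and one large upload with no sensitive file access.
BASE = datetime(2025, 1, 15, 9, 0, 0)
SAMPLE_FILE_EVENTS = [
    FileAccess(BASE + timedelta(minutes=1), 100, "git", "/Users/alice/src/app/main.go"),
    FileAccess(BASE + timedelta(minutes=7), 200, "Microsoft Word", "/Users/alice/Documents/Finance/q3-forecast.xlsx"),
    FileAccess(BASE + timedelta(minutes=12), 300, "python3", "/Users/alice/src/tools/fetch.py"),
    FileAccess(BASE + timedelta(minutes=20), 400, "osascript", "/Users/alice/Desktop/notes.txt"),
]
SAMPLE_FLOWS = [
    NetFlow(BASE + timedelta(minutes=2), 100, "git", "github.com", 50_000, 2_000),            # baselined client
    NetFlow(BASE + timedelta(minutes=10), 200, "Microsoft Word", "api.github.com", 4_200_000, 12_000),  # alert
    NetFlow(BASE + timedelta(minutes=13), 300, "python3", "gitlab.com", 800, 40_000),        # inbound-heavy
    NetFlow(BASE + timedelta(minutes=22), 400, "osascript", "bitbucket.org", 900_000, 3_000),  # no sensitive access
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_FILE_EVENTS, SAMPLE_FLOWS):
        print(f"{alert['ts']:%H:%M} pid={alert['pid']} {alert['app']} -> {alert['dest']} "
              f"ratio={alert['ratio']:.0f}:1 files={alert['sensitive_paths']}")
```

Only the Word process triggers: git is on the baseline list, the python3 flow is inbound-heavy (a download), and the osascript upload has no sensitive file access in the window. In production the same join is expressed over the endpoint's process, file-audit and network tables, and the ratio threshold and window come from the local baseline rather than the constants above.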

Mitigation priorities

  • Confirm macOS endpoint telemetry collection for process, file access, and network events before relying on this analytic.
  • Define and classify sensitive file locations so detection logic can distinguish higher-risk file access from ordinary user activity.
  • Review acceptable use and access controls for code repository services where sensitive business data may be exposed.
  • Ensure incident response playbooks can quickly determine user, process, file path, destination service, and data volume.
  • Use proxy, endpoint, or data protection controls where appropriate to govern uploads to external repository services.

Analyst notes and limits

This object is a detection analytic, not a technique. It provides a concise behavior description but no formal detection query, no tactics, and no relationship context. The strongest defensive use is as a correlation requirement: sensitive file access plus suspicious macOS application behavior plus outbound HTTPS to repository APIs.

The supplied fields support only macOS and the named repository domains. No active exploitation, adversary attribution, impact level, or guaranteed detection coverage is stated. Local baselines and telemetry quality are required to determine whether this behavior is suspicious in a specific environment.

Official MITRE ATT&CK definition

Analytic 0897

Office or scripting applications initiating unusual HTTPS traffic to code repository APIs with high outbound-to-inbound ratios. Defender perspective: monitor for sensitive file access in combination with network connections to github.com, gitlab.com, or bitbucket.org.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
2ca159d946ad6815...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 2ca159d946ad…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0897 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.