MITRE ATT&CK® Analytic

AN0905: Analytic 0905

Detects shell-based enumeration of active connections using `netstat`, `lsof -i`, or AppleScript-based system discovery.

Enterprise | AN0905 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because command-line or AppleScript-based network connection enumeration on macOS can be an early sign that someone is mapping active communications before deciding what to access next. For leaders, the decision value is not that this behavior is automatically malicious, but that macOS endpoint visibility must be strong enough to distinguish normal administration and troubleshooting from suspicious discovery activity during an investigation.

Executive priority

Prioritize this as a visibility and response-readiness check for macOS environments. Security leaders should ask whether SOC and incident response teams can reliably see shell activity, process launches, command arguments, and AppleScript-driven discovery on macOS systems. The business risk is missed early-stage reconnaissance on user workstations or administrative systems, which can delay containment decisions and weaken audit evidence during an incident.

Technical view

AN0905 is a macOS detection analytic for shell-based enumeration of active connections using `netstat`, `lsof -i`, or AppleScript-based system discovery. Because ATT&CK does not provide an official detection implementation or tactic mapping here, teams should treat it as a validation target: confirm whether endpoint telemetry captures process execution, command-line arguments, parent/child process relationships, scripting activity, and interactive shell context for these utilities. Tuning should account for legitimate network troubleshooting by administrators, developers, IT support, and security tools.

Likely telemetry

  • macOS process creation events
  • Command-line arguments for shell-launched utilities
  • Parent and child process relationships involving shells and scripting hosts
  • Execution of `netstat` and `lsof -i`
  • AppleScript or automation-related execution evidence

Detection direction

  • Validate that macOS telemetry includes full command-line capture for `netstat`, `lsof -i`, and related shell execution.
  • Baseline legitimate administrative, developer, help desk, and security operations use to reduce false positives.
  • Correlate connection-enumeration commands with unusual user context, unexpected parent processes, recent authentication anomalies, or other discovery activity when available.
  • Check for blind spots in AppleScript visibility, because script-driven system discovery may not appear the same as direct shell command execution.
  • Do not rely on command name alone; validate command arguments, parent process, user role, host role, and timing.
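As an added example (not Glexia's or MITRE's code), the following Python triage pass applies the points above to constructed process-creation events: it matches `netstat`, `lsof -i` and `osascript`-wrapped enumeration, then rates each hit on parent process, user role, AppleScript wrapping and timing rather than the command name alone. The event field layout, the approved-role set and the burst thresholds are assumptions, not any vendor's schema or tuning.

```python
from datetime import datetime, timedelta
import shlex

# Constructed macOS process-creation events in a generic field layout (not any
# real EDR schema); every host, user, role and timestamp is made up for this example.
SAMPLE_EVENTS = [
    {"ts": "2026-03-01T09:12:04Z", "host": "mac-dev-07", "user": "jsmith", "role": "developer", "parent": "/bin/zsh", "cmd": "lsof -nP -i"},
    {"ts": "2026-03-01T10:30:00Z", "host": "mac-it-01", "user": "helpdesk1", "role": "helpdesk", "parent": "/bin/bash", "cmd": "netstat -anp tcp"},
    {"ts": "2026-03-01T11:00:00Z", "host": "mac-dev-07", "user": "jsmith", "role": "developer", "parent": "/bin/zsh", "cmd": "ls -la"},
    {"ts": "2026-03-01T13:00:00Z", "host": "mac-fin-02", "user": "svc_print", "role": "service", "parent": "/usr/bin/python3", "cmd": "netstat -an"},
    {"ts": "2026-03-01T13:00:03Z", "host": "mac-fin-02", "user": "svc_print", "role": "service", "parent": "/usr/bin/python3", "cmd": "lsof -iTCP -sTCP:ESTABLISHED"},
    {"ts": "2026-03-01T13:00:05Z", "host": "mac-fin-02", "user": "svc_print", "role": "service", "parent": "/usr/bin/python3", "cmd": "osascript -e 'do shell script \"netstat -an\"'"},
]
APPROVED_ROLES = {"admin", "helpdesk", "developer", "secops"}  # assumed: roles documented for troubleshooting
INTERACTIVE_SHELLS = {"/bin/zsh", "/bin/bash", "/bin/sh"}
BURST_WINDOW, BURST_MIN = timedelta(seconds=60), 3  # assumed tuning values

def is_connection_enum(cmd):
    """True for netstat, lsof with an -i flag, or osascript wrapping either one."""
    argv = shlex.split(cmd) or [""]
    exe = argv[0].rsplit("/", 1)[-1]
    if exe == "netstat":
        return True
    if exe == "lsof":  # matches -i, -iTCP, -i4 and an i inside a flag cluster such as -nPi
        return any(a.startswith("-") and "i" in a[1:] for a in argv[1:])
    if exe == "osascript":
        return any("netstat" in a or "lsof" in a for a in argv[1:])
    return False

def triage(events):
    """Return (ts, host, user, severity, reasons) per enumeration event, judged on
    parent process, user role, AppleScript wrapping and timing, not the command name alone."""
    hits = [(datetime.fromisoformat(e["ts"].replace("Z", "+00:00")), e)
            for e in events if is_connection_enum(e["cmd"])]
    findings = []
    for t, e in hits:
        reasons = []
        if e["parent"] not in INTERACTIVE_SHELLS:
            reasons.append("non-interactive parent " + e["parent"])
        if e["role"] not in APPROVED_ROLES:
            reasons.append("role not approved for network troubleshooting")
        if e["cmd"].startswith("osascript"):
            reasons.append("AppleScript-wrapped enumeration")
        burst = [h for u, h in hits if (h["host"], h["user"]) == (e["host"], e["user"])
                 and abs(u - t) <= BURST_WINDOW]
        if len(burst) >= BURST_MIN:
            reasons.append(f"{len(burst)} enumeration commands within {BURST_WINDOW.seconds}s")
        findings.append((e["ts"], e["host"], e["user"], "review" if reasons else "baseline", reasons))
    return findings
```

`triage(SAMPLE_EVENTS)` rates the two shell-launched troubleshooting commands as baseline and the three python3-spawned commands on mac-fin-02 as review, each with the contextual reasons attached.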

Mitigation priorities

  • Improve macOS endpoint logging and EDR collection before depending on this analytic for investigations.
  • Limit unnecessary administrative privileges and review who can perform system-level troubleshooting on macOS assets.
  • Document approved administrative use of network enumeration tools so SOC teams can tune detections and support audit evidence.
  • Ensure incident response playbooks include triage steps for suspicious macOS discovery activity, including user validation and surrounding process review.
  • Use security awareness and administrative procedures to reduce unsanctioned script-based system discovery where policy allows.

Analyst notes and limits

The supplied object is a detection analytic, not a technique or procedure example. It identifies macOS-focused detection logic for shell-based active connection enumeration using `netstat`, `lsof -i`, or AppleScript-based discovery. No ATT&CK relationships, tactic mapping, or official detection query were supplied, so this take emphasizes validation, telemetry readiness, and tuning rather than asserting threat behavior or coverage.

No official detection logic, tactic, relationship context, adversary usage, or impact information was supplied. Local environment baselines are required to separate legitimate troubleshooting from suspicious discovery. This assessment should not be interpreted as evidence of active exploitation, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Analytic 0905

Detects shell-based enumeration of active connections using `netstat`, `lsof -i`, or AppleScript-based system discovery.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e6ab34f3f5fa9551...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  e6ab34f3f5fa…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0905

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.