MITRE ATT&CK® Analytic

AN0924: Analytic 0924

AppleScript or terminal sessions launch tools (`curl`, `nc`, `ssh`) to external IPs not commonly accessed. Outbound connections are made by LaunchAgents/LaunchDaemons, often masquerading as system services.

Domain: Enterprise | ID: AN0924 | Type: Analytic | Object version: 1.0 | Modified: (not supplied)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about suspicious macOS outbound activity: AppleScript or terminal-launched tools such as curl, nc, and ssh connecting to external IPs that are not normally accessed, especially when initiated by LaunchAgents or LaunchDaemons that appear to masquerade as system services. For leaders, the value is not the tool names alone; it is whether the organization can distinguish normal administrator or automation activity from unusual macOS persistence-driven network behavior.

Executive priority

Prioritize this as a macOS visibility and response-readiness question. Where macOS endpoints are used by executives, developers, administrators, or other privileged users, security leaders should ask three things: whether endpoint and network telemetry can show which process initiated an outbound connection, whether LaunchAgents/LaunchDaemons are monitored, and whether SOC playbooks can quickly determine if a connection to an unfamiliar external IP is approved business activity or requires containment. The answers support incident decision-making, audit evidence for endpoint monitoring, and control prioritization for macOS environments.

Technical view

Validate coverage on macOS for process execution, parent-child process context, command-line visibility, LaunchAgent/LaunchDaemon activity, and outbound network connections. The analytic describes AppleScript or terminal sessions launching curl, nc, or ssh to external IPs that are uncommon for the environment, with particular concern when connections originate from LaunchAgents or LaunchDaemons masquerading as system services. Because ATT&CK provides no official detection logic and no tactic mapping for this analytic, teams should treat it as a detection engineering requirement rather than a complete rule.

Likely telemetry

  • macOS endpoint process execution events, including command line where available
  • Parent-child process relationships for AppleScript (osascript), terminal sessions, curl, nc, and ssh
  • LaunchAgent and LaunchDaemon creation, modification, load, and execution evidence
  • Outbound network connection logs with destination IP, process, user, host, and timestamp context
  • Asset and user context to identify whether the macOS host or account normally performs administrative, developer, or automation activity

Detection direction

  • Baseline common outbound destinations for macOS hosts before alerting on uncommon external IPs to reduce noise.
  • Correlate network connections with the initiating process and launch mechanism; alerts are more meaningful when curl, nc, or ssh activity is tied to AppleScript, terminal sessions, LaunchAgents, or LaunchDaemons.
  • Review LaunchAgents and LaunchDaemons that use names resembling system services, but avoid relying on name similarity alone because local naming conventions may vary.
  • Tune for legitimate administrative, developer, automation, and support workflows that may use curl, ssh, or terminal sessions.
  • Because no official detection logic is supplied, validate any implemented rule against local telemetry quality, command-line availability, and process-to-network correlation before using it for coverage claims.
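
One way to implement the correlation these bullets describe, as an added example (not MITRE's or Glexia's code): the script below joins constructed macOS process and network events, keeps only curl, nc and ssh connections to external destinations outside a baseline set, and labels each hit by its launch mechanism. The event schema (pid, ppid, image, cmdline, user, and, for jobs launchd spawned from a plist, launchd_label and plist_path), the SCRIPT_OR_TERMINAL set, the baseline, and every sample event are assumptions constructed for illustration; map them onto your EDR's fields before use. The masquerade check rests on one macOS fact: Apple's own launchd jobs are installed under /System/Library, so a com.apple.* label loaded from /Library or ~/Library deserves a look.

```python
import ipaddress

NET_TOOLS = {"curl", "nc", "ssh"}
# Ancestors treated as "AppleScript or terminal session". Assumed set; extend per fleet.
SCRIPT_OR_TERMINAL = {"osascript", "Terminal", "iTerm2", "zsh", "bash", "sh"}
# Apple's own launchd jobs live here; third-party jobs live under /Library or ~/Library.
APPLE_JOB_DIRS = ("/System/Library/LaunchAgents/", "/System/Library/LaunchDaemons/")
# Explicit internal ranges. ipaddress.is_private is deliberately not used: it also
# classifies the RFC 5737 test addresses used in the sample below as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
                  "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_external(ip):
    """True for any destination outside the internal ranges above (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def job_chain(pid, procs):
    """Return [process, parent, grandparent, ...] up to, but not including, launchd (pid 1)."""
    chain, seen = [], set()
    while pid in procs and pid != 1 and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def classify_launch(proc, procs):
    """Return (mechanism, detail): launchd job (masquerading or not), AppleScript/terminal, or other."""
    chain = job_chain(proc["pid"], procs)
    root = chain[-1]  # the process that launchd itself spawned
    label = root.get("launchd_label")  # assumed schema: EDR attaches job label + plist path to the job root
    if label:
        plist = root.get("plist_path", "")
        masquerading = label.startswith("com.apple.") and not plist.startswith(APPLE_JOB_DIRS)
        return ("launchd_job_masquerading" if masquerading else "launchd_job"), f"{label} <- {plist}"
    for ancestor in chain[1:]:
        if ancestor["image"] in SCRIPT_OR_TERMINAL:
            return "applescript_or_terminal", ancestor["image"]
    return "other", root["image"]


def detect(proc_events, net_events, baseline_dests):
    """Join each network event to its process and ancestry; return findings matching AN0924."""
    procs = {p["pid"]: p for p in proc_events}
    findings = []
    for net in net_events:
        proc = procs.get(net["pid"])
        if proc is None or proc["image"] not in NET_TOOLS:
            continue
        if not is_external(net["dest_ip"]) or net["dest_ip"] in baseline_dests:
            continue  # internal or already-baselined destination is not "uncommon external"
        mechanism, detail = classify_launch(proc, procs)
        if mechanism == "other":
            continue  # no qualifying launch context: outside this analytic's scope
        findings.append({"pid": proc["pid"], "user": proc["user"], "tool": proc["image"],
                         "cmdline": proc["cmdline"], "dest": f"{net['dest_ip']}:{net['dest_port']}",
                         "mechanism": mechanism, "via": detail})
    return findings


# Constructed sample telemetry, not real logs. Public-looking hosts use RFC 5737 test ranges.
PROCS = [
    {"pid": 1, "ppid": 0, "image": "launchd", "cmdline": "/sbin/launchd", "user": "root"},
    # Developer in Terminal fetching from a baselined host (benign).
    {"pid": 400, "ppid": 1, "image": "Terminal", "cmdline": "Terminal", "user": "dev"},
    {"pid": 401, "ppid": 400, "image": "zsh", "cmdline": "-zsh", "user": "dev"},
    {"pid": 402, "ppid": 401, "image": "curl", "cmdline": "curl -fsSL https://pkgs.example/setup", "user": "dev"},
    # osascript spawning nc to an unbaselined external host.
    {"pid": 500, "ppid": 1, "image": "osascript", "cmdline": "osascript /tmp/u.scpt", "user": "dev"},
    {"pid": 501, "ppid": 500, "image": "nc", "cmdline": "nc 203.0.113.7 4444", "user": "dev"},
    # User LaunchAgent with an Apple-looking label, loaded from ~/Library, running curl.
    {"pid": 600, "ppid": 1, "image": "curl", "cmdline": "curl -s http://198.51.100.20/u", "user": "dev",
     "launchd_label": "com.apple.softwareupdated",
     "plist_path": "/Users/dev/Library/LaunchAgents/com.apple.softwareupdated.plist"},
    # Honestly named third-party LaunchDaemon reaching an unbaselined host: still worth review.
    {"pid": 700, "ppid": 1, "image": "ssh", "cmdline": "ssh -N backup@198.51.100.40", "user": "root",
     "launchd_label": "com.example.backupsync",
     "plist_path": "/Library/LaunchDaemons/com.example.backupsync.plist"},
    # nc to an internal host from the same terminal: internal, so out of scope here.
    {"pid": 801, "ppid": 401, "image": "nc", "cmdline": "nc 10.0.0.5 22", "user": "dev"},
]
NET = [
    {"pid": 402, "dest_ip": "192.0.2.10", "dest_port": 443},
    {"pid": 501, "dest_ip": "203.0.113.7", "dest_port": 4444},
    {"pid": 600, "dest_ip": "198.51.100.20", "dest_port": 80},
    {"pid": 700, "dest_ip": "198.51.100.40", "dest_port": 22},
    {"pid": 801, "dest_ip": "10.0.0.5", "dest_port": 22},
]
BASELINE = {"192.0.2.10", "192.0.2.11"}  # constructed fleet baseline of common destinations


def run_example():
    return detect(PROCS, NET, BASELINE)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['mechanism']:<26} {f['tool']:<5} {f['user']:<5} {f['dest']:<20} via {f['via']}")
```

Launchd job context is checked before terminal ancestry on purpose: a LaunchAgent that wraps curl in sh -c is reported as a launchd job rather than as a shell session. A curl, nc or ssh connection to an uncommon external IP with no qualifying launch context is dropped here to match the analytic's scope; route it to a lower-priority hunt if your environment wants it.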

Mitigation priorities

  • Ensure macOS endpoints generate and retain sufficient endpoint and network telemetry for process-to-connection investigation.
  • Maintain approved-use baselines for remote administration, automation, and developer tooling on macOS.
  • Monitor LaunchAgent and LaunchDaemon persistence locations and review service-like names that are not part of an approved baseline.
  • Define SOC triage steps for uncommon outbound IP connections from macOS systems, including owner validation, business justification, and escalation criteria.
  • Use findings from tuning and incident review to improve endpoint hardening, administrative access practices, and compliance evidence for macOS monitoring.

Analyst notes and limits

This object is a detection analytic, not a technique description. It is limited to macOS and describes suspicious outbound connections involving AppleScript or terminal sessions, common command-line network tools, and LaunchAgents/LaunchDaemons. No relationships, tactics, aliases, labels, procedure examples, attribution, or official detection procedure were supplied, so this take focuses on defensive validation rather than asserting a specific adversary behavior chain.

Local baselines are required to determine which external IPs are uncommon and whether curl, nc, ssh, AppleScript, terminal, LaunchAgent, or LaunchDaemon activity is legitimate in a given environment.

Official MITRE ATT&CK definition

Analytic 0924

AppleScript or terminal sessions launch tools (`curl`, `nc`, `ssh`) to external IPs not commonly accessed. Outbound connections are made by LaunchAgents/LaunchDaemons, often masquerading as system services.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate any related groups, software, data sources, and mitigations (none are listed for this object in the current data) against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not supplied)
Modified: (not supplied)
Raw hash: 2cae03a84dd8c332...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified         Status           Raw hash
19.1      (not supplied)    1.0              (not supplied)   Current bundle   2cae03a84dd8…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN0924 (link to the source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.