MITRE ATT&CK® Analytic

AN0971: Analytic 0971

Excessive outbound traffic via `ping`, `curl`, or custom scripts indicating flooding behavior, especially with no UI context or user interaction.

Enterprise · AN0971 · Analytic · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic highlights a macOS behavior pattern where unusually high outbound traffic from tools such as `ping`, `curl`, or scripts may indicate flooding activity, particularly when it occurs without an apparent user action or application context. For leaders, the value is not in the tool names themselves, but in validating whether the organization can distinguish legitimate administrative or application traffic from suspicious high-volume outbound activity that could affect network reliability, incident response triage, or acceptable-use/compliance evidence.

Executive priority

Prioritize this as a resilience and visibility question: can security and network teams prove they collect enough macOS endpoint and network telemetry to identify abnormal outbound volume and tie it back to a process, user session, and business context? This matters for SOC readiness, incident decision-making, and audit evidence around monitoring of potentially disruptive traffic. Because the ATT&CK object provides no tactic, relationship, or impact context, it should be treated as a coverage-validation item rather than evidence of a specific campaign or confirmed threat actor behavior.

Technical view

For SOC, detection engineering, and IR teams, validate whether macOS telemetry can correlate outbound traffic volume with process execution, command-line context, parent process, user session state, and UI or user-interaction signals where available. The analytic is centered on excessive outbound traffic involving `ping`, `curl`, or custom scripts; the tool names are only a starting point, since the same behavior can come from any process that can open sockets. Tuning should separate expected software update, monitoring, troubleshooting, and automation activity from anomalous high-rate outbound behavior, especially when no interactive user context is present. No official detection logic or relationship context was supplied, so local baselining is required before any threshold is meaningful.

Likely telemetry

  • macOS process execution events, including process name and command-line arguments where available
  • Parent-child process relationships for shell, script interpreter, `ping`, and `curl` activity
  • Outbound network connection or flow records with destination, protocol, volume, and rate information
  • Endpoint-to-network correlation showing which process or user generated outbound traffic
  • User session or interaction context, where available, to distinguish interactive troubleshooting from unattended activity

Detection direction

  • Baseline normal macOS outbound traffic rates for administrative tools, automation, update mechanisms, and user-driven diagnostics before setting thresholds.
  • Correlate high outbound volume with process identity, command line, parent process, user, host role, and whether there is apparent user interaction.
  • Tune carefully for legitimate IT troubleshooting, health checks, monitoring jobs, and scripted business workflows that may use `ping`, `curl`, or custom scripts.
  • Look for unattended or no-UI-context execution as a prioritization signal, not as a standalone determination of maliciousness.
  • Confirm whether network telemetry can be traced back to a macOS process; network-only alerts may lack enough context for confident triage.
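As an added example, not part of the ATT&CK object or Glexia's analysis, the Python sketch below applies the telemetry and detection direction above to constructed records: it aggregates outbound flows per process, compares the rate with a per-tool baseline, joins the result to process, parent, user and session context, suppresses documented automation by parent command line, and uses "no interactive session" to raise priority rather than to decide maliciousness. Every field name (including the `session` attribute), baseline, path and record is an assumption made for illustration.

```python
"""Added example for this page (not MITRE's or Glexia's code): correlate outbound
flow volume with macOS process context. Field names, baselines, the allowlist and
every record below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_S = 10.0          # constructed analysis window, seconds
RATIO_THRESHOLD = 10.0   # flag when observed pps exceeds 10x the local baseline (assumed policy)
BASELINE_PPS = {"ping": 2.0, "curl": 5.0}   # constructed per-tool baselines, packets/s
DEFAULT_BASELINE_PPS = 20.0                  # constructed fallback for any other process
# Constructed allowlist of documented automation parents, matched on full command line.
APPROVED_PARENT_CMDLINES = {"/bin/zsh -c /usr/local/bin/healthcheck.sh"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    exe: str       # executable basename
    cmdline: str
    user: str
    session: str   # "gui" for an interactive login session; "ssh" or "launchd" otherwise (assumed)


@dataclass(frozen=True)
class Flow:
    pid: int       # process the endpoint sensor attributed the flow to
    dst: str
    proto: str
    packets: int
    nbytes: int


PROCS = [  # constructed process-execution events
    ProcEvent(101, 1, "launchd", "/sbin/launchd", "root", "launchd"),
    ProcEvent(200, 101, "zsh", "/bin/zsh -c /usr/local/bin/healthcheck.sh", "_monitor", "launchd"),
    ProcEvent(201, 200, "curl", "curl -s https://status.example.internal/ping", "_monitor", "launchd"),
    ProcEvent(300, 150, "Terminal", "/System/Applications/Utilities/Terminal.app", "alice", "gui"),
    ProcEvent(301, 300, "ping", "ping -c 4 gateway.example.internal", "alice", "gui"),
    ProcEvent(302, 300, "ping", "ping -i 0.01 gateway.example.internal", "alice", "gui"),
    ProcEvent(400, 101, "python3", "python3 /Users/Shared/.cache/net.py", "alice", "launchd"),
]

FLOWS = [  # constructed outbound flows observed in the same 10 s window
    Flow(201, "10.10.0.5", "tcp", 600, 120000),        # busy health check, documented parent
    Flow(301, "10.10.0.1", "icmp", 4, 256),            # ping -c 4 from a GUI session
    Flow(302, "10.10.0.1", "icmp", 900, 57600),        # ping -i 0.01 from a GUI session
    Flow(400, "203.0.113.10", "udp", 1500, 1500000),   # unattended script, several targets
    Flow(400, "203.0.113.11", "udp", 1500, 1500000),
    Flow(400, "203.0.113.12", "udp", 1500, 1500000),
    Flow(400, "203.0.113.13", "udp", 1500, 1500000),
    Flow(999, "198.51.100.7", "tcp", 5000, 400000),    # no matching process record
]


def outbound_rates(flows, window_s=WINDOW_S):
    """Aggregate flows into per-pid packets/s, bytes/s and distinct destination count."""
    pkts, byts, dsts = defaultdict(int), defaultdict(int), defaultdict(set)
    for f in flows:
        pkts[f.pid] += f.packets
        byts[f.pid] += f.nbytes
        dsts[f.pid].add(f.dst)
    return {pid: {"pps": pkts[pid] / window_s, "bps": byts[pid] / window_s,
                  "dsts": len(dsts[pid])} for pid in pkts}


def correlate(procs, flows, window_s=WINDOW_S):
    """Join rates to process context and rank findings. An unattended session raises
    priority but never decides maliciousness alone; documented automation is suppressed."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for pid, r in outbound_rates(flows, window_s).items():
        proc = by_pid.get(pid)
        if proc is None:
            # Network-only evidence: keep it, but it cannot be triaged with confidence.
            findings.append({"pid": pid, "exe": None, "user": None, "parent_exe": None,
                             "pps": r["pps"], "ratio": None, "dsts": r["dsts"],
                             "priority": "low", "reason": "no process context for this flow"})
            continue
        ratio = r["pps"] / BASELINE_PPS.get(proc.exe, DEFAULT_BASELINE_PPS)
        if ratio < RATIO_THRESHOLD:
            continue
        parent = by_pid.get(proc.ppid)
        if parent is not None and parent.cmdline in APPROVED_PARENT_CMDLINES:
            priority, reason = "suppressed", "parent is documented automation"
        elif proc.session != "gui":
            priority, reason = "high", "rate above baseline with no interactive session"
        else:
            priority, reason = "medium", "rate above baseline in an interactive session"
        findings.append({"pid": pid, "exe": proc.exe, "user": proc.user,
                         "parent_exe": parent.exe if parent else None, "cmdline": proc.cmdline,
                         "pps": r["pps"], "ratio": round(ratio, 1), "dsts": r["dsts"],
                         "priority": priority, "reason": reason})
    order = {"high": 0, "medium": 1, "low": 2, "suppressed": 3}
    return sorted(findings, key=lambda f: order[f["priority"]])


if __name__ == "__main__":
    for f in correlate(PROCS, FLOWS):
        print(f["priority"], f["pid"], f["exe"], f["reason"])
```

Flows with no matching process record are retained at low priority rather than dropped, which is the network-only case the last bullet warns about. In production the baselines, the allowlist and the session field come from the local baselining and telemetry work described above, not from constants.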

Mitigation priorities

  • Ensure macOS endpoint logging and network monitoring are sufficient to link outbound traffic spikes to process and user context.
  • Define acceptable-use and operational baselines for scripted outbound network activity on macOS systems.
  • Review administrative automation and monitoring scripts so expected high-volume behavior is documented and suppressible with evidence.
  • Apply least-privilege and change-control practices for users, scripts, and automation that can generate large outbound traffic volumes.
  • Prepare IR playbooks for investigating anomalous outbound flooding behavior, including host containment decision points and business-service impact checks.

Analyst notes and limits

This object is a detection analytic, not a technique description. The supplied ATT&CK fields identify macOS as the platform and describe excessive outbound traffic via `ping`, `curl`, or custom scripts, especially without UI context or user interaction. No tactics, relationships, aliases, labels, or official detection logic were supplied, so this take focuses on validating monitoring coverage and triage workflow rather than on threat attribution or exploit claims.

Because the source data is that sparse, any production detection must be adapted to local macOS fleet behavior, administrative tooling, network architecture, and logging availability. This summary does not assert active exploitation, actor use, business impact, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Analytic 0971

Excessive outbound traffic via `ping`, `curl`, or custom scripts indicating flooding behavior, especially with no UI context or user interaction.

The same entry is available on attack.mitre.org (MITRE-hosted reference); in-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e070b18a02e74f08...

Imported snapshots across ATT&CK releases (1)

  Release   Bundle imported   Object version   Modified   Status           Raw hash
  19.1                        1.0                         Current bundle   e070b18a02e7…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0971 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.