AN0990: Analytic 0990
Detects unauthorized applications or scripts accessing sensitive data followed by establishing encrypted outbound communication to rare external destinations or with abnormal byte ratios.
Analyst context for executives and security teams
AN0990 describes a macOS detection concept for spotting possible sensitive-data access by unauthorized applications or scripts followed by encrypted outbound communication to unusual external destinations or with abnormal traffic ratios. For leaders, the value is not the analytic name itself; it is a test of whether the organization can connect endpoint data-access behavior with network egress evidence quickly enough to investigate potential data loss or unauthorized automation.
Executive priority
Prioritize this as a coverage-validation item for macOS environments that handle sensitive business, customer, or regulated data. The key management question is whether security teams can prove they know which applications are authorized to access sensitive data and can correlate that access with suspicious encrypted outbound traffic. This supports incident decision-making, audit evidence for monitoring controls, and budget decisions around endpoint visibility, egress monitoring, and application governance.
Technical view
For SOC and detection engineering teams, validate whether macOS endpoint telemetry can identify applications or scripts accessing sensitive data and whether that activity can be joined to network telemetry showing encrypted outbound sessions to rare destinations or abnormal byte ratios. Because MITRE does not provide a concrete detection query and no tactics or relationships are supplied, teams should treat this as an analytic pattern to operationalize and tune locally rather than a ready-to-run rule.
Likely telemetry
- macOS endpoint process execution and parent-child process context
- File or data-access telemetry for sensitive locations, repositories, or protected data stores
- Application authorization, inventory, allowlist, or management state for macOS software and scripts
- Outbound network connection metadata from endpoint, firewall, proxy, DNS, or network sensors
- TLS or encrypted-session metadata, including destination, timing, volume, and byte ratios
Detection direction
- Confirm that endpoint and network data can be correlated by host, user, process, and time window.
- Define what counts as an unauthorized application or script in the local macOS environment; without this baseline, the analytic will be noisy or incomplete.
- Tune for rare external destinations and abnormal byte ratios using local baselines to reduce false positives from legitimate backups, sync tools, software updates, and managed business applications.
- Validate visibility into encrypted outbound traffic metadata even when payload inspection is unavailable.
- Prioritize alerts where sensitive-data access, lack of application authorization, and unusual encrypted egress occur together.
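The correlation described in the direction above can be prototyped before any production rule exists. The following Python is an added example, not MITRE or Glexia code and not an official AN0990 query; it joins constructed macOS file-access events to constructed encrypted-flow records by host, user and PID within a time window, and only raises an alert when the process is outside a local allowlist, touched a sensitive path, and either reached a destination rarely seen in the local baseline or showed an upload-heavy byte ratio. The allowlist, sensitive-path prefixes, baseline counts, thresholds and all event data are assumptions constructed for the demonstration and must be replaced with local definitions.

```python
"""Toy correlation of sensitive-data access with encrypted egress (constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed local baseline: which binaries are authorized to touch sensitive data,
# and which path prefixes count as sensitive. Both are placeholders.
AUTHORIZED_APPS = {"/Applications/Backup.app/Contents/MacOS/Backup", "/usr/bin/rsync"}
SENSITIVE_PATH_PREFIXES = ("/Users/alice/Documents/Finance/", "/Volumes/HRShare/")


@dataclass
class FileAccess:
    ts: datetime
    host: str
    user: str
    pid: int
    process: str   # executable path of the accessing process
    path: str      # file that was read


@dataclass
class Flow:
    ts: datetime
    host: str
    user: str
    pid: int
    process: str
    dest: str      # destination host or IP
    dport: int
    bytes_out: int
    bytes_in: int
    encrypted: bool  # TLS or other encrypted session observed


def is_sensitive(path: str) -> bool:
    return path.startswith(SENSITIVE_PATH_PREFIXES)


def is_rare_destination(dest: str, baseline: dict, min_hosts: int = 3) -> bool:
    """baseline maps destination -> distinct internal hosts seen talking to it."""
    return baseline.get(dest, 0) < min_hosts


def upload_ratio(flow: Flow) -> float:
    """Fraction of session bytes sent outbound; near 1.0 means upload-heavy."""
    total = flow.bytes_out + flow.bytes_in
    return flow.bytes_out / total if total else 0.0


def correlate(accesses, flows, baseline, window=timedelta(minutes=10), ratio_threshold=0.8):
    """Return alerts where all three conditions co-occur for one process."""
    alerts = []
    for f in flows:
        if not f.encrypted or f.process in AUTHORIZED_APPS:
            continue
        # Sensitive reads by the same host/user/pid shortly before the flow.
        prior = [a for a in accesses
                 if (a.host, a.user, a.pid) == (f.host, f.user, f.pid)
                 and is_sensitive(a.path)
                 and timedelta(0) <= f.ts - a.ts <= window]
        if not prior:
            continue
        reasons = []
        if is_rare_destination(f.dest, baseline):
            reasons.append("rare_destination")
        ratio = upload_ratio(f)
        if ratio >= ratio_threshold:
            reasons.append("abnormal_byte_ratio")
        if reasons:
            alerts.append({"host": f.host, "user": f.user, "process": f.process,
                           "dest": f.dest, "upload_ratio": round(ratio, 3),
                           "files": [a.path for a in prior], "reasons": reasons})
    return alerts


def run_demo():
    """Constructed events: one unauthorized script exfil-like pattern, two benign flows."""
    t0 = datetime(2025, 1, 15, 10, 0, 0)
    accesses = [
        FileAccess(t0, "mac-01", "alice", 4242, "/usr/bin/python3",
                   "/Users/alice/Documents/Finance/q4_forecast.xlsx"),
        FileAccess(t0, "mac-01", "alice", 5100,
                   "/Applications/Backup.app/Contents/MacOS/Backup",
                   "/Users/alice/Documents/Finance/q4_forecast.xlsx"),
    ]
    flows = [
        # Unauthorized script, sensitive read 3 min earlier, rare dest, upload-heavy.
        Flow(t0 + timedelta(minutes=3), "mac-01", "alice", 4242, "/usr/bin/python3",
             "203.0.113.7", 443, 5_000_000, 20_000, True),
        # Authorized backup agent to its (rare) backup target: suppressed by allowlist.
        Flow(t0 + timedelta(minutes=2), "mac-01", "alice", 5100,
             "/Applications/Backup.app/Contents/MacOS/Backup",
             "backup.example.net", 443, 50_000_000, 10_000, True),
        # Same script, common destination, download-heavy: no reason fires.
        Flow(t0 + timedelta(minutes=4), "mac-01", "alice", 4242, "/usr/bin/python3",
             "updates.example.com", 443, 2_000, 900_000, True),
    ]
    baseline = {"updates.example.com": 120, "backup.example.net": 1, "203.0.113.7": 1}
    return correlate(accesses, flows, baseline)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Only the python3 flow to 203.0.113.7 is reported, with both reasons attached; the backup agent is suppressed by the allowlist even though its destination is rare, and the script's later download from a common destination fires no condition. The per-reason list is what lets triage rank "rare destination plus abnormal ratio" above either signal alone.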
Mitigation priorities
- Maintain an accurate inventory of approved macOS applications and scripts that may access sensitive data.
- Limit sensitive-data access to authorized users, managed applications, and required business workflows.
- Strengthen egress monitoring and controls for unusual external destinations while preserving business-approved encrypted communications.
- Ensure endpoint logging and network telemetry retention are sufficient for incident response reconstruction.
- Use tabletop or detection-validation exercises to confirm SOC triage steps for suspected unauthorized data access followed by encrypted outbound transfer.
Analyst notes and limits
This object is a detection analytic for macOS with a clear behavioral description but no official detection logic, no tactics, and no relationship context supplied. Its practical value is in validating cross-domain correlation between macOS endpoint activity and encrypted network egress rather than deploying a specific MITRE-provided query.
The supplied ATT&CK fields do not identify related techniques, adversaries, campaigns, impacts, or active exploitation. Local definitions of sensitive data, authorized applications, rare destinations, and abnormal byte ratios are required before this can be assessed for coverage or production alerting.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 807383efb7ef… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0990 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.