AN1006: Analytic 1006
Unexpected inbound or outbound VNC/SSH/Screen Sharing connections from external sources → repeated failed logins followed by success → remote interactive sessions or abnormal file transfers.
Analyst context for executives and security teams
This analytic is about spotting suspicious remote access activity on macOS: unexpected VNC, SSH, or Screen Sharing connections involving external sources, especially when repeated login failures are followed by a successful login and then interactive activity or unusual file transfer. For leaders, the value is confirming whether the organization can distinguish legitimate remote administration from potential unauthorized access before it becomes an incident-response and business-continuity problem.
Executive priority
Prioritize this as a control-validation question for macOS environments that allow remote administration or remote support. Security leaders should ask whether external remote access to macOS systems is expected, approved, logged, and reviewable; whether failed-then-successful login patterns are escalated quickly; and whether file transfer or interactive session evidence is available for incident decisions, audit support, and access governance.
Technical view
SOC and detection teams should validate telemetry for macOS VNC, SSH, and Screen Sharing connections, with emphasis on external source addresses, authentication outcomes, session establishment, and post-login activity. Because ATT&CK provides no separate detection logic for this analytic, teams should build or tune detections around the supplied behavior chain: unexpected inbound or outbound remote access, repeated failed logins followed by success, then remote interactive sessions or abnormal file transfers. Baselines are important because legitimate administration, help desk access, developer workflows, or managed service activity can resemble parts of this pattern.
Likely telemetry
- macOS authentication logs showing failed and successful login attempts
- SSH service logs and connection metadata
- VNC or Screen Sharing session records where available
- Network flow or firewall logs for inbound and outbound remote access connections
- Source and destination IP address context, especially internal versus external classification
Detection direction
- Confirm that macOS systems exposing or using SSH, VNC, or Screen Sharing generate centralized, time-synchronized logs.
- Correlate repeated failed authentication attempts followed by a successful login from the same or related external source.
- Flag unexpected external remote access to macOS assets, while suppressing known approved administration paths only when ownership and change control are clear.
- Review activity after successful login for interactive session behavior or abnormal file transfers.
- Tune for false positives from legitimate remote support, IT administration, developer access, VPN egress ranges, and managed service providers.
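The correlation described in the technical view and in the detection direction above (repeated failed authentications followed by a success from the same external source, with approved administration paths suppressed) can be expressed directly in code. The following is an added example written for this page; it is not part of the ATT&CK analytic or of Glexia's tooling. It runs over constructed log lines that approximate macOS sshd and screensharingd messages, and it assumes the organization classifies "external" as any address outside its own internal ranges (here, the RFC 1918 and loopback networks). The approved-source list, thresholds and window are placeholders to be tuned locally.

```python
"""Failed-then-successful remote login correlation for macOS SSH / Screen Sharing.

Added example for the AN1006 behavior chain; not code from ATT&CK or Glexia.
Sample log lines below are constructed for illustration, not captured data.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines approximating sshd and screensharingd messages as
# they appear in unified-log output on macOS (illustrative format only).
SAMPLE_LOG = """\
2026-01-15 09:00:01 host sshd[501]: Failed password for admin from 203.0.113.45 port 51201 ssh2
2026-01-15 09:00:03 host sshd[501]: Failed password for admin from 203.0.113.45 port 51202 ssh2
2026-01-15 09:00:05 host sshd[501]: Failed password for admin from 203.0.113.45 port 51203 ssh2
2026-01-15 09:00:09 host sshd[501]: Accepted password for admin from 203.0.113.45 port 51204 ssh2
2026-01-15 09:05:00 host sshd[502]: Failed password for dev from 10.0.0.12 port 40001 ssh2
2026-01-15 09:05:02 host sshd[502]: Accepted publickey for dev from 10.0.0.12 port 40002 ssh2
2026-01-15 09:10:00 host screensharingd[300]: Authentication: FAILED :: User Name: helpdesk :: Viewer Address: 198.51.100.7 :: Type: DH
2026-01-15 09:10:04 host screensharingd[300]: Authentication: FAILED :: User Name: helpdesk :: Viewer Address: 198.51.100.7 :: Type: DH
2026-01-15 09:40:00 host screensharingd[300]: Authentication: SUCCEEDED :: User Name: helpdesk :: Viewer Address: 198.51.100.7 :: Type: DH
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
PATTERNS = [
    ("sshd", re.compile(
        TS + r" \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) \S+ for "
        r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("screensharingd", re.compile(
        TS + r" \S+ screensharingd\[\d+\]: Authentication: (?P<outcome>FAILED|SUCCEEDED)"
        r" :: User Name: (?P<user>.+?) :: Viewer Address: (?P<ip>\S+)")),
]

# Assumed internal address space; a real deployment loads this from its own inventory.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fc00::/7")]


def parse_events(text):
    """Turn raw log lines into normalized authentication events, oldest first."""
    events = []
    for line in text.splitlines():
        for service, pattern in PATTERNS:
            m = pattern.match(line)
            if m:
                events.append({
                    "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                    "service": service,
                    "user": m["user"],
                    "ip": m["ip"],
                    "success": m["outcome"] in ("Accepted", "SUCCEEDED"),
                })
                break
    events.sort(key=lambda e: e["ts"])
    return events


def is_external(ip):
    """External = not inside any configured internal network; unparseable is treated as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETWORKS)


def detect_failed_then_success(events, min_failures=2, window=timedelta(minutes=10),
                               approved_sources=frozenset()):
    """Alert when a success from an external source follows >= min_failures failures
    from the same (service, ip) within `window`. Approved sources are suppressed,
    which should only be done where ownership and change control are clear."""
    failures = defaultdict(list)   # (service, ip) -> timestamps of failed logins
    alerts = []
    for e in events:
        key = (e["service"], e["ip"])
        if not e["success"]:
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        failures[key].clear()      # a success resets the failure run for this source
        if len(recent) < min_failures:
            continue
        if e["ip"] in approved_sources or not is_external(e["ip"]):
            continue               # internal or approved path: baseline, not an alert
        alerts.append({
            "service": e["service"], "ip": e["ip"], "user": e["user"],
            "failures": len(recent), "first_failure": min(recent), "success_at": e["ts"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_then_success(parse_events(SAMPLE_LOG)):
        print(alert)   # each alert is the trigger to review post-login session and file activity
```

Run against the sample, only the SSH source 203.0.113.45 produces an alert: three failures then a success within seconds. The screen-sharing viewer 198.51.100.7 also failed twice before succeeding, but thirty minutes apart, so it falls outside the ten-minute window; the internal developer host 10.0.0.12 is excluded by the internal classification. Passing `approved_sources={"203.0.113.45"}` suppresses the SSH alert, which is the mechanism for known administration paths from the detection direction above.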
Mitigation priorities
- Inventory macOS systems where SSH, VNC, or Screen Sharing is enabled and confirm business justification.
- Restrict remote access exposure to approved networks, managed access paths, or authenticated administrative channels.
- Enforce strong authentication and account controls for remote access to macOS systems.
- Centralize and retain authentication, remote session, and network telemetry needed to investigate failed-then-successful login sequences.
- Establish response procedures for validating whether a remote session was authorized and whether file transfer activity occurred.
Analyst notes and limits
This object is a detection analytic, not a technique or procedure, and it has no supplied relationship context. The strongest defensible interpretation is a macOS-focused detection pattern for suspicious remote access over VNC, SSH, or Screen Sharing involving external sources and authentication anomalies.
ATT&CK supplies no official detection implementation beyond the description, no tactics, no related techniques, no adversary relationships, and no evidence of active exploitation. Local architecture, approved remote administration patterns, logging configuration, and network boundary definitions are required to make this actionable.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 124a2e9afd71… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1006
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.