AN1017: Analytic 1017
Execution of ping, traceroute, or network utility tools to external destinations; may include `scutil` or system_profiler.
Analyst context for executives and security teams
This analytic describes macOS execution of common network diagnostic or system information tools—such as ping, traceroute, scutil, or system_profiler—against external destinations. For leaders, the value is not that these tools are inherently malicious; it is that they can reveal when a Mac is being used to test connectivity, inspect network configuration, or gather host details during suspicious activity. Coverage depends heavily on whether endpoint and network telemetry capture command execution and destination context.
Executive priority
Treat this as a validation point for macOS visibility and incident readiness. Security leaders should ask whether the SOC can distinguish routine troubleshooting from unusual external probing or host discovery on managed Macs, and whether that evidence is retained for investigations, audit support, and response decisions. Because ATT&CK provides no tactic, detection logic, or relationship context for this object, it should inform coverage assessment rather than drive standalone blocking decisions.
Technical view
For SOC and detection teams, validate macOS telemetry for process execution involving ping, traceroute, scutil, system_profiler, and similar network utilities, especially when command lines include external destinations. Correlate process, user, parent process, host, timestamp, and network destination evidence. Since no official detection is provided, detections should be locally tuned around baselines for administrators, help desk activity, developer workflows, and automated diagnostics.
Likely telemetry
- macOS endpoint process execution events
- Command-line arguments for network utility and system information tools
- Parent process and user context for executed utilities
- DNS queries or network connection records for external destinations
- EDR or audit logs from managed macOS endpoints
Detection direction
- Confirm that macOS logging captures process name, full command line, user, parent process, and host identity for the named utilities.
- Tune alerts for external destinations, unusual users, unusual parent processes, or execution from unexpected interactive or scripted contexts.
- Baseline legitimate troubleshooting, IT support, monitoring, and inventory activity to reduce false positives.
- Correlate endpoint execution with DNS and egress telemetry; process-only visibility may miss whether an external destination was actually contacted.
- Do not treat ping, traceroute, scutil, or system_profiler execution as malicious by itself; use surrounding activity and local baselines to determine investigative priority.
Mitigation priorities
- Prioritize endpoint telemetry coverage and retention for managed macOS systems before relying on this analytic operationally.
- Maintain clear administrative baselines for diagnostic tool usage by IT, help desk, and engineering teams.
- Use egress visibility and policy controls to improve context around external destinations where appropriate.
- Ensure incident response procedures preserve endpoint command history, process telemetry, and related network evidence.
- Avoid broad blocking of standard diagnostic utilities unless a business-specific risk assessment supports it, because they are commonly used for legitimate operations.
Analyst notes and limits
The object is a detection analytic for the enterprise ATT&CK domain, scoped to macOS, with a short description but no official detection text and no supplied relationships. Its main decision value is as a coverage and tuning prompt for macOS endpoint and network visibility around external connectivity checks and system/network information gathering.
The supplied ATT&CK fields do not specify tactics, techniques, adversary use, detection logic, severity, or mitigations. Any production rule, risk score, or response action requires local environment baselines and supporting telemetry. No active exploitation, attribution, or guaranteed detection coverage is implied.
Analytic 1017
Execution of ping, traceroute, or network utility tools to external destinations; may include `scutil` or system_profiler.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 04522ae5dad9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1017Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.