AN1022: Analytic 1022
LaunchAgents or LaunchDaemons initiate persistent Tor or relay processes that make encrypted outbound connections. May be paired with sandbox bypasses or unsigned executables communicating over SOCKS proxies.
Analyst context for executives and security teams
This analytic matters because it points to a macOS persistence pattern where LaunchAgents or LaunchDaemons keep Tor or relay-like processes running and making encrypted outbound connections. For leaders, the decision value is not “Tor equals malicious,” but whether the organization can prove it has visibility into macOS persistence locations, process execution, code-signing status, and unusual encrypted egress paths that could bypass normal monitoring.
Executive priority
Prioritize this as a macOS resilience and visibility question: can security teams identify unauthorized persistent services and explain encrypted outbound traffic from endpoints during an incident? It is relevant to SOC readiness, incident response scoping, compliance evidence for endpoint monitoring, and control prioritization around egress governance and unsigned software execution. Because ATT&CK provides no relationship context or detection logic here, local asset criticality and macOS fleet exposure should drive priority.
Technical view
Validate coverage for macOS LaunchAgents and LaunchDaemons that initiate or maintain persistent Tor, relay, or SOCKS-proxy-related processes. SOC and IR teams should confirm they can correlate persistence artifacts with process creation, parent-child process context, executable signing status, network destinations, ports, protocols, and encrypted outbound sessions. Since no official detection is provided, detection engineering should focus on behavior combinations rather than single indicators: persistence mechanism plus long-lived or repeated encrypted egress, unsigned or unexpected executables, and proxy-like communication patterns.
Likely telemetry
- macOS LaunchAgent and LaunchDaemon file creation, modification, and load events
- Process execution telemetry with command line, parent process, user context, and persistence source
- Executable metadata, including code-signing or unsigned binary status where available
- Endpoint network connection telemetry for encrypted outbound sessions
- Proxy, firewall, DNS, and egress logs that can show repeated or unusual outbound connectivity
Detection direction
- Inventory expected LaunchAgents and LaunchDaemons on managed macOS systems and alert on new or unauthorized persistence entries associated with network-capable processes.
- Tune for combinations of persistence plus encrypted outbound traffic rather than blocking or alerting on Tor-related terms alone, since legitimate privacy or research use may exist in some environments.
- Correlate unsigned or unexpected executables with persistent launch configuration and outbound connections to reduce false positives.
- Check whether sandboxing, EDR, or macOS logging gaps prevent visibility into LaunchAgent/LaunchDaemon activity or child network processes.
- Use local baselines to distinguish approved relay, proxy, developer, or security tooling from unusual persistent outbound behavior.
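As an added illustration of the behaviour-combination approach above (example code written for this page, not part of the ATT&CK object or Glexia's analysis), the following Python sketch parses launch plists with the standard library, compares labels to an approved baseline, and only alerts when an unapproved, restart-on-exit entry also points at an unsigned binary or one with long-lived encrypted egress. The plists, labels, paths, signing verdicts, session records and the 600-second threshold are all constructed for the example.

```python
import plistlib
# Constructed allowlist of approved persistence labels; a real fleet would export it from MDM.
APPROVED_LABELS = {"com.example.backup-agent"}
# Constructed plists standing in for files read from /Library/LaunchDaemons or
# ~/Library/LaunchAgents. Labels, paths and binaries are made up for this example.
PLISTS = {
    "/Library/LaunchDaemons/com.example.backup-agent.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.example.backup-agent</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/backup-agent</string></array>
<key>KeepAlive</key><true/></dict></plist>""",
    "/Users/alice/Library/LaunchAgents/com.updater.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.updater.helper</string>
<key>ProgramArguments</key><array><string>/Users/alice/.cache/helper</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>""",
}
# Constructed endpoint telemetry: code-signing verdict and outbound sessions per executable path.
SIGNING = {"/usr/local/bin/backup-agent": "valid", "/Users/alice/.cache/helper": "unsigned"}
SESSIONS = [
    {"exe": "/Users/alice/.cache/helper", "dst_port": 9001, "tls": True, "duration_s": 5400},
    {"exe": "/usr/local/bin/backup-agent", "dst_port": 443, "tls": True, "duration_s": 30},
]
LONG_SESSION_S = 600  # "long-lived" encrypted egress threshold; tune to the local baseline
UNAPPROVED, PERSISTENT = "unapproved persistence entry", "restarts or runs at load"
UNSIGNED, LONG_EGRESS = "unsigned or unknown executable", "long-lived encrypted outbound session"


def assess(path, raw):
    """Parse one launch plist and return its label, program and the behaviours observed."""
    d = plistlib.loads(raw)
    program = (d.get("ProgramArguments") or [d.get("Program", "")])[0]
    findings = []
    if d.get("Label") not in APPROVED_LABELS:
        findings.append(UNAPPROVED)
    if d.get("KeepAlive") or d.get("RunAtLoad"):
        findings.append(PERSISTENT)
    if SIGNING.get(program) != "valid":
        findings.append(UNSIGNED)
    if any(s["exe"] == program and s["tls"] and s["duration_s"] >= LONG_SESSION_S for s in SESSIONS):
        findings.append(LONG_EGRESS)
    return {"path": path, "label": d.get("Label"), "program": program, "findings": findings}


def scan():
    """Alert only on the combination: unapproved + persistent + (unsigned or long encrypted egress)."""
    alerts = []
    for path, raw in PLISTS.items():
        r = assess(path, raw)
        f = set(r["findings"])
        if {UNAPPROVED, PERSISTENT} <= f and f & {UNSIGNED, LONG_EGRESS}:
            alerts.append(r)
    return alerts
```

The approved daemon is persistent but never alerts on its own, which is the point: persistence alone, or a Tor-like name alone, is not the signal.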
Mitigation priorities
- Establish and enforce macOS configuration standards for approved LaunchAgents and LaunchDaemons.
- Restrict unauthorized persistence creation through endpoint hardening, least privilege, and change control for managed macOS devices.
- Strengthen application control and code-signing policy for unsigned or unapproved executables where operationally feasible.
- Review egress governance for endpoints, including proxy policy, firewall controls, and monitoring of encrypted outbound traffic patterns.
- Prepare IR playbooks to collect persistence artifacts, executable metadata, and network evidence from macOS systems when this behavior is suspected.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for macOS only. It describes LaunchAgents or LaunchDaemons initiating persistent Tor or relay processes with encrypted outbound connections, potentially involving sandbox bypasses or unsigned executables communicating over SOCKS proxies. No tactics, relationships, or official detection logic were supplied, so this take emphasizes validation of telemetry and control coverage rather than a specific detection rule.
This assessment is limited to the provided STIX fields, external reference, and absence of relationship context. It does not establish active exploitation, adversary attribution, prevalence, impact, or guaranteed detectability. Environment-specific baselines are required to separate legitimate proxy, relay, privacy, developer, or security tooling from suspicious behavior.
Analytic 1022
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7ed12463b21e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1022 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.