AN1059: Analytic 1059
Detects Bonjour-based mDNS enumeration or use of system tools (e.g., dns-sd, nmap) to find active services via multicast probing or targeted scans.
Analyst context for executives and security teams
AN1059 is a macOS-focused detection analytic for spotting Bonjour/mDNS-based service discovery, including use of system tools such as dns-sd or nmap to identify active services through multicast probing or targeted scans. For leaders, the value is visibility: service enumeration can reveal what an actor, tool, or user is trying to map inside an Apple environment before later action occurs.
Executive priority
Prioritize this analytic where macOS systems are material to business operations, executive users, engineering workflows, or regulated environments. The business question is whether the organization can distinguish expected service discovery from suspicious enumeration and produce evidence during an incident. Because ATT&CK provides no tactic mapping, detection logic, or relationships for this object, it should be treated as a coverage-validation item rather than a standalone risk conclusion.
Technical view
SOC and detection teams should validate whether macOS endpoint and network telemetry can show Bonjour/mDNS enumeration and executions of tools named in the analytic, specifically dns-sd and nmap. Since no official detection logic is supplied, teams should build or assess analytics around observable process activity, command-line context where available, and mDNS/Bonjour network behavior. Investigations should compare activity against known administrative, discovery, and troubleshooting workflows before escalating.
Likely telemetry
- macOS process execution events involving dns-sd
- macOS process execution events involving nmap
- Command-line or parent-process context for service discovery tooling, if collected
- Network telemetry showing Bonjour/mDNS multicast probing or targeted service scans
- Host identity and user context for the macOS system generating the activity
Detection direction
- Confirm that macOS telemetry is actually collected from the systems in scope; this analytic is platform-specific to macOS.
- Tune for expected administrative or troubleshooting use of Bonjour/mDNS discovery tools to reduce false positives.
- Correlate tool execution with network evidence of multicast probing or targeted scans when both are available.
- Avoid treating this analytic as complete coverage by itself because the official detection field is not provided.
- Document gaps where endpoint command-line, process lineage, or mDNS/Bonjour network visibility is missing.
Mitigation priorities
- Establish an approved baseline for legitimate Bonjour/mDNS service discovery in macOS environments.
- Limit unnecessary service exposure and discovery where business operations do not require it.
- Ensure SOC runbooks define how to triage macOS service enumeration events and identify authorized administrative activity.
- Use this analytic as supporting evidence in incident response rather than proof of compromise on its own.
- Review logging and retention for macOS endpoint and relevant network telemetry to support investigations and compliance evidence.
Analyst notes and limits
This object is a detection analytic, not a technique or procedure. ATT&CK lists macOS as the platform and describes detection of Bonjour-based mDNS enumeration or use of dns-sd and nmap for service discovery. No tactics, official detection logic, aliases, labels, or relationship context were supplied.
The supplied ATT&CK fields do not provide detection logic, severity, tactic mapping, related techniques, threat groups, campaigns, or evidence of active exploitation. Local baselines are required to determine whether observed Bonjour/mDNS discovery is authorized, suspicious, or benign.
Analytic 1059
Detects Bonjour-based mDNS enumeration or use of system tools (e.g., dns-sd, nmap) to find active services via multicast probing or targeted scans.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 68d568a45b98… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1059Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.