MITRE ATT&CK® Analytic

AN1110: Analytic 1110

Web servers (e.g., httpd) spawning abnormal processes post file upload into /Library/WebServer/Documents or /usr/local/var/www

Enterprise | AN1110 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic is a macOS-focused detection idea for a high-risk web server pattern: a web server process such as httpd launching unusual child processes after files are uploaded into common web document directories. For leaders, the value is not the specific process name alone; it is the possibility that a public-facing web service has moved from serving content to executing unexpected code, which can quickly become an incident-response and business-continuity concern.

Executive priority

Prioritize this as a validation item wherever macOS systems host web content under /Library/WebServer/Documents or /usr/local/var/www. Security leaders should ask whether those servers are inventoried, whether process and file activity is logged, and whether the SOC can connect file-upload events to subsequent abnormal process execution. This supports practical decisions around managed detection scope, incident triage readiness, and evidence for control monitoring, but the supplied ATT&CK object does not provide impact, attribution, or active exploitation claims.

Technical view

For SOC and detection engineering teams, validate whether macOS telemetry can show a web server process, for example httpd, spawning child processes that are unusual for the local application baseline after a file is written into /Library/WebServer/Documents or /usr/local/var/www. Because no official detection logic is supplied, teams should define local baselines for expected web server child processes, expected upload paths, service accounts, command lines, file names, and timing relationships between file creation and process execution. Tactics are not specified in the supplied object, so this should be treated as a behavior-specific analytic rather than mapped to a broader ATT&CK tactic without additional context.

Likely telemetry

  • macOS process creation events with parent-child process relationships
  • Command-line arguments and executable paths for web server child processes
  • File creation or modification events under /Library/WebServer/Documents
  • File creation or modification events under /usr/local/var/www
  • Web server access or upload logs, where available

Detection direction

  • Confirm that endpoint or host telemetry captures parent process, child process, command line, executable path, user context, and timestamp on macOS web servers.
  • Correlate file writes into the specified web document directories with web server child-process execution within a short, locally tested time window.
  • Build an allowlist or baseline of normal web server child processes to reduce false positives from legitimate maintenance scripts, content management workflows, or developer tooling.
  • Investigate abnormal interpreters, shells, utilities, or binaries launched by the web server process, but avoid assuming maliciousness without local context and supporting evidence.
  • Validate coverage specifically on macOS web-hosting assets; do not assume equivalent visibility on other platforms because only macOS is supplied for this analytic.
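
The correlation described in the steps above, written out as an added example (this is not code from the analytic or from MITRE): it joins file writes under the two document directories named by AN1110 with child processes of httpd that fall outside a locally defined baseline, inside a time window. The baseline set, the 120-second window and the sample events are assumptions to be replaced with locally observed telemetry.

```python
"""Correlate web-document file writes with abnormal web server child processes.

Added example for AN1110, not part of the analytic page. The directory list
comes from the analytic; the baseline, window and sample events are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from os.path import basename
from typing import Dict, List, Set

# Web document directories named in the analytic.
WEB_DOC_DIRS = ("/Library/WebServer/Documents", "/usr/local/var/www")

# Assumed local baseline: child images each web server process is expected
# to launch. Build this from observed telemetry; it is not part of ATT&CK.
BASELINE: Dict[str, Set[str]] = {"httpd": {"httpd", "php-cgi", "rotatelogs"}}

# Assumed correlation window between a file write and a child process start.
WINDOW = timedelta(seconds=120)


@dataclass
class FileEvent:
    ts: datetime
    path: str
    user: str


@dataclass
class ProcessEvent:
    ts: datetime
    parent_image: str
    image: str
    cmdline: str
    user: str


@dataclass
class Alert:
    proc: ProcessEvent
    linked_files: List[FileEvent] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # A non-baseline child preceded by a web-directory write is the core
        # pattern; without a linked write it is only a baseline review item.
        return "high" if self.linked_files else "review"


def in_web_doc_dir(path: str) -> bool:
    """True when path lies inside one of the monitored document directories."""
    return any(path == d or path.startswith(d + "/") for d in WEB_DOC_DIRS)


def detect(file_events, proc_events, baseline=BASELINE, window=WINDOW):
    """Return one Alert per non-baseline child of a monitored web server."""
    writes = sorted((f for f in file_events if in_web_doc_dir(f.path)),
                    key=lambda f: f.ts)
    alerts = []
    for p in sorted(proc_events, key=lambda e: e.ts):
        parent = basename(p.parent_image)
        if parent not in baseline:
            continue  # not a monitored web server process
        if basename(p.image) in baseline[parent]:
            continue  # expected child according to the local baseline
        linked = [w for w in writes if p.ts - window <= w.ts <= p.ts]
        alerts.append(Alert(p, linked))
    return alerts


# Constructed sample telemetry (not real logs); user "_www" is Apple's
# default Apache service account.
T = datetime(2026, 1, 15, 10, 0, 0)
FILES = [
    FileEvent(T, "/usr/local/var/www/uploads/profile.jpg", "_www"),
    FileEvent(T + timedelta(hours=2), "/tmp/cache.dat", "_www"),  # outside web dirs
]
PROCS = [
    # Expected child shortly after the upload: no alert.
    ProcessEvent(T + timedelta(seconds=5), "/usr/sbin/httpd", "/usr/bin/php-cgi",
                 "php-cgi", "_www"),
    # Shell spawned 40 s after the upload: high-severity alert.
    ProcessEvent(T + timedelta(seconds=40), "/usr/sbin/httpd", "/bin/sh",
                 "/bin/sh -c uname -a", "_www"),
    # Shell with no web-directory write in the window: review item only.
    ProcessEvent(T + timedelta(hours=2, seconds=3), "/usr/sbin/httpd", "/bin/sh",
                 "/bin/sh -c uname -a", "_www"),
]

if __name__ == "__main__":
    for a in detect(FILES, PROCS):
        print(a.severity, a.proc.ts.isoformat(), a.proc.cmdline,
              [f.path for f in a.linked_files])
```

The two-tier output reflects the third and fourth steps above: a non-baseline child with a preceding write in a document directory is the pattern the analytic describes, while a non-baseline child with no such write is returned for baseline review rather than being silently dropped or treated as malicious.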

Mitigation priorities

  • Inventory macOS systems that host web content in the specified directories and confirm ownership, exposure, and logging requirements.
  • Restrict write access to web document directories to the minimum required users and services.
  • Harden web server execution context so the service account has limited privileges and limited ability to launch unnecessary programs.
  • Review application upload handling and ensure uploaded content cannot be executed as code where not required.
  • Ensure incident responders have procedures to preserve uploaded files, web logs, process history, and relevant macOS endpoint telemetry.

Analyst notes and limits

The object is a detection analytic, not a technique description. Its decision value is strongest for environments running macOS web servers with writable web directories. The key defensive question is whether teams can join three facts: a file appeared in a web document path, the web server process spawned something unusual, and the behavior deviates from the server’s normal workload.

The official detection field is not provided, tactics are not specified, and no relationships are supplied. This take therefore avoids mapping to specific adversary techniques, campaigns, impacts, or exploitation status. Local application architecture and baseline behavior are required to determine what counts as abnormal.

Official MITRE ATT&CK definition

Analytic 1110

Web servers (e.g., httpd) spawning abnormal processes post file upload into /Library/WebServer/Documents or /usr/local/var/www

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 1671e30f7b775421...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: 1671e30f7b77…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1110 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.