AN1115: Analytic 1115
Observation of LaunchAgents or LaunchDaemons establishing periodic external connections indicative of automated data transfer.
Analyst context for executives and security teams
This analytic is about macOS persistence components, LaunchAgents and LaunchDaemons, making repeated outbound connections that may indicate automated data movement. For leaders, the value is not just “detect a Mac event”; it is validating whether the organization can see scheduled or persistent macOS processes communicating externally before they become a data-loss, investigation, or compliance-evidence problem.
Executive priority
Prioritize this where macOS systems handle sensitive data, executive activity, engineering assets, or regulated information. The business question is whether SOC and incident response teams can prove which persistent macOS services are allowed to communicate externally, which are unusual, and whether periodic transfers can be investigated quickly. This supports operational resilience, audit readiness, and data protection decisions, but local asset criticality and telemetry coverage will determine priority.
Technical view
ATT&CK supplies macOS as the platform and describes observation of LaunchAgents or LaunchDaemons establishing periodic external connections. SOC and detection engineering teams should validate visibility into LaunchAgent/LaunchDaemon configuration, process execution context, parent-child process relationships where available, and outbound network activity over time. Because no official detection logic or tactic mapping is provided, teams should treat this as a behavior-based analytic requiring local baselining of legitimate macOS management tools, update agents, backup clients, and business applications that routinely call out.
Likely telemetry
- macOS LaunchAgent and LaunchDaemon file or configuration inventory
- Process execution events for launchd-spawned activity
- Outbound network connection logs from macOS endpoints
- DNS lookup telemetry associated with periodic connections
- Proxy, firewall, or secure web gateway logs showing repeated external destinations
Detection direction
- Baseline approved LaunchAgents and LaunchDaemons that make recurring external connections.
- Correlate persistence location or service identity with repeated outbound network activity rather than alerting on network traffic alone.
- Tune for periodicity, new or modified persistent entries, unusual destinations, and unexpected user or system context.
- Review false positives from software update mechanisms, device management agents, backup/sync tools, and enterprise security software.
- Identify blind spots where macOS endpoint telemetry, DNS, proxy, or firewall logs are not retained long enough to observe periodic behavior.
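The correlation and periodicity tuning described above, as an added illustration that is not part of the ATT&CK object or Glexia's analysis: it groups outbound connections by launchd label and destination, flags pairs whose cadence is regular, and reports those outside a local baseline. The telemetry tuples, launchd labels, destinations and the approved-label set are all constructed placeholders.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry, not real data: (seconds since window start,
# launchd label, process name, destination). Labels and hosts are made up.
SAMPLE_EVENTS = [
    (0, "com.example.updater", "updater", "updates.example.com:443"),
    (3600, "com.example.updater", "updater", "updates.example.com:443"),
    (7200, "com.example.updater", "updater", "updates.example.com:443"),
    (10800, "com.example.updater", "updater", "updates.example.com:443"),
    (0, "com.example.syncagent", "sync_helper", "203.0.113.10:8443"),
    (600, "com.example.syncagent", "sync_helper", "203.0.113.10:8443"),
    (1200, "com.example.syncagent", "sync_helper", "203.0.113.10:8443"),
    (1800, "com.example.syncagent", "sync_helper", "203.0.113.10:8443"),
    (2400, "com.example.syncagent", "sync_helper", "203.0.113.10:8443"),
    (100, "com.example.backupd", "backupd", "backup.example.net:443"),
    (5000, "com.example.backupd", "backupd", "backup.example.net:443"),
    (9001, "com.example.backupd", "backupd", "backup.example.net:443"),
    (20000, "com.example.backupd", "backupd", "backup.example.net:443"),
]

# Hypothetical local baseline of launchd labels approved for recurring egress.
APPROVED_LABELS = {"com.example.updater", "com.example.backupd"}


def find_periodic_egress(events, min_samples=4, max_jitter=0.2):
    """Group connections by (launchd label, destination) and return the pairs
    whose inter-connection gaps are regular, i.e. the coefficient of variation
    of the gaps (population stdev / mean) is at most max_jitter."""
    stamps_by_key = defaultdict(list)
    for ts, label, _proc, dest in events:
        stamps_by_key[(label, dest)].append(ts)
    findings = []
    for (label, dest), stamps in stamps_by_key.items():
        if len(stamps) < min_samples:
            continue  # too few connections to judge periodicity
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0 or pstdev(gaps) / period > max_jitter:
            continue  # irregular cadence (e.g. the backupd sample) is skipped
        findings.append({"label": label, "destination": dest,
                         "period_s": round(period), "samples": len(stamps)})
    return findings


def unapproved_periodic_egress(events, approved=APPROVED_LABELS):
    """Periodic pairs whose launchd label is not in the approved baseline."""
    return [f for f in find_periodic_egress(events) if f["label"] not in approved]
```

Retention matters here: with the window shorter than a few multiples of the period, `min_samples` is never reached and the pattern is invisible.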
Mitigation priorities
- Maintain an authorized inventory of macOS LaunchAgents and LaunchDaemons on managed systems.
- Restrict and monitor changes to persistence locations through endpoint management and least-privilege administration.
- Ensure outbound network controls and logging can associate connections with endpoint and process context where possible.
- Use incident response playbooks to review suspicious persistent entries, related network destinations, and affected data paths.
- Document telemetry coverage and review evidence for compliance programs that require monitoring of data movement or endpoint persistence.
Analyst notes and limits
This object is a detection analytic, not a full technique description. The supplied ATT&CK fields provide a narrow behavior: LaunchAgents or LaunchDaemons on macOS making periodic external connections. There are no supplied relationships, tactics, procedure examples, aliases, or official detection steps, so this analysis focuses on validation questions and evidence classes rather than specific detection logic.
No official detection text, tactic mapping, relationship context, or adversary procedure references were supplied. Conclusions about severity, exploitation, attribution, impact, or coverage require local environment evidence and should not be inferred from this object alone.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2963a1f600d2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1115 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.