AN1120: Analytic 1120
LaunchAgent or launchd recurring jobs initiating data transfer to consistent external IPs or domains with repeat timing signatures.
Analyst context for executives and security teams
This analytic matters because recurring macOS LaunchAgent or launchd jobs that repeatedly transfer data to the same external destinations can indicate automated persistence-enabled data movement. For leaders, the business question is whether the organization can see scheduled macOS activity and outbound network patterns well enough to distinguish approved automation from suspicious recurring transfer behavior.
Executive priority
Prioritize this as a visibility and response-readiness check for macOS estates. It supports decisions about endpoint telemetry coverage, outbound network monitoring, and incident triage evidence. Because no tactic or relationship context is supplied, it should not be treated as proof of a specific campaign or impact; instead, use it to validate whether SOC and IR teams can identify repeated external transfer patterns initiated by macOS recurring job mechanisms.
Technical view
Validate whether macOS endpoint data captures LaunchAgent and launchd job execution, job configuration changes, parent-child process context, command-line or process metadata where available, and correlated outbound connections. Detection logic should focus on recurring timing signatures and repeated data transfer to consistent external IPs or domains from LaunchAgent or launchd-initiated activity. Baseline known administrative, backup, MDM, update, synchronization, and enterprise automation jobs before alerting broadly.
Likely telemetry
- macOS LaunchAgent and launchd job configuration data
- macOS process execution metadata tied to recurring jobs
- Command-line or process arguments where collected
- Outbound network connection logs from macOS hosts
- DNS query logs for repeated external domains
Detection direction
- Confirm the SOC can correlate scheduled macOS job activity with outbound connections over time.
- Look for repeat timing signatures rather than one-off network events to reduce noise.
- Tune against known legitimate recurring jobs such as management agents, software updates, backups, synchronization tools, and monitoring utilities.
- Prioritize cases where the same LaunchAgent or launchd-initiated process repeatedly contacts consistent external IPs or domains without an approved business purpose.
- Review blind spots around unmanaged macOS endpoints, limited command-line capture, missing DNS/proxy logs, and short log retention that may hide recurring patterns.
Mitigation priorities
- Inventory approved LaunchAgent and launchd jobs on managed macOS systems.
- Restrict and monitor unauthorized creation or modification of recurring macOS jobs where operationally feasible.
- Maintain endpoint, DNS, proxy, and firewall logging sufficient to reconstruct recurring outbound transfer behavior.
- Apply egress controls and domain/IP allowlisting or review processes where appropriate for sensitive environments.
- Use asset management and MDM policy to reduce unmanaged macOS visibility gaps.
Analyst notes and limits
The supplied object is a detection analytic for macOS. Its core signal is LaunchAgent or launchd recurring jobs initiating data transfer to consistent external IPs or domains with repeat timing signatures. No tactic, official detection procedure, aliases, labels, or relationship context was supplied, so analysis should remain centered on telemetry validation and operational tuning rather than adversary attribution or asserted impact.
This take is limited to the provided ATT&CK fields and external reference. It does not establish active exploitation, a specific ATT&CK tactic, associated techniques, threat groups, malware, or guaranteed detection efficacy. Local environment baselines, approved macOS automation, telemetry retention, and network architecture are required to determine practical coverage.
Analytic 1120
LaunchAgent or launchd recurring jobs initiating data transfer to consistent external IPs or domains with repeat timing signatures.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | f4354109524b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1120Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.