MITRE ATT&CK® Analytic

AN1123: Analytic 1123

Detects scripting environments (AppleScript, osascript, curl) or non-native tools performing DNS queries with encoded subdomains, often used for data exfiltration or beaconing.

Enterprise | AN1123 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is about a macOS detection opportunity for suspicious DNS activity: scripting environments or tools such as AppleScript, osascript, curl, or other non-native utilities making DNS queries that contain encoded subdomains. For leaders, the practical issue is that DNS can become a quiet path for beaconing or data movement, so coverage depends less on endpoint alerts alone and more on whether the organization can connect macOS process activity with DNS evidence.

Executive priority

Prioritize this as a validation item for macOS-heavy environments, especially where business-critical users, developers, administrators, or regulated data are present. The decision question is whether security teams can prove they collect and correlate macOS process execution with DNS query patterns well enough to support incident triage, exfiltration investigation, and compliance evidence. Because ATT&CK provides no tactic mapping, relationships, or detailed detection logic for this analytic, treat it as a coverage assessment rather than a confirmed high-priority threat by itself.

Technical view

SOC and detection engineering teams should validate whether macOS telemetry can identify scripting or non-native tooling associated with DNS queries containing encoded-looking subdomains. Useful analysis should correlate the initiating process, command context where available, parent process, user, host, destination domain, query volume, query length, character patterns, and timing. Since the official detection field is not provided, teams should avoid assuming a ready-made rule exists and instead test local telemetry quality, expected administrative or developer behavior, and DNS logging completeness.

Likely telemetry

  • macOS process execution telemetry for AppleScript, osascript, curl, and other non-native tools
  • Command-line or script invocation context where collected
  • DNS query logs from endpoint, resolver, or network sensors
  • Host, user, parent process, and timestamp correlation data
  • Domain, subdomain, query length, encoding-like character patterns, and query frequency metadata

Detection direction

  • Validate that DNS queries can be tied back to macOS processes and users, not just resolver-level source IPs.
  • Look for encoded-looking subdomains generated by scripting environments or unusual tools, while tuning for legitimate automation, software update mechanisms, developer workflows, and monitoring scripts.
  • Baseline normal macOS DNS behavior for AppleScript, osascript, curl, and other non-native utilities before applying high-severity alerting.
  • Investigate bursts, repetitive patterns, long or high-entropy subdomains, and unusual domains when associated with scripting activity.
  • Document blind spots where endpoint telemetry, command-line capture, DNS logs, or host-to-DNS correlation are missing.
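As an added example (not code from the Glexia page or the ATT&CK object), the Python below applies the detection direction above to constructed, process-attributed DNS events: it keeps only the scripting tools the analytic names, skips a hypothetical baseline allowlist, scores the labels below the registered domain by length and Shannon entropy, and counts repeats per host/process/domain so a burst can be flagged with the parent process and user attached. The process set, thresholds, allowlist and sample events are assumptions to be replaced by local baselines.

```python
import math
from collections import Counter, defaultdict

# Processes named by the analytic; set, thresholds and allowlist are assumptions for this example.
WATCHED_PROCESSES = {"osascript", "curl", "AppleScript"}
ALLOWLIST = {"apple.com", "icloud.com"}  # hypothetical baseline domains
MAX_SUB_LEN, MIN_ENTROPY, BURST_THRESHOLD = 30, 3.5, 3

def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname):
    """Last two labels; ignores public suffixes such as co.uk (approximation)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def looks_encoded(qname):
    """True when the labels below the registered domain are long or high-entropy."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:
        return False
    sub = "".join(labels[:-2])
    return len(sub) >= MAX_SUB_LEN or shannon_entropy(sub) >= MIN_ENTROPY

def detect(events):
    """One alert per suspicious query; 'burst' is set once a host/process/domain triple repeats."""
    alerts, seen = [], defaultdict(int)
    for e in events:
        domain = registered_domain(e["qname"])
        if e["process"] not in WATCHED_PROCESSES or domain in ALLOWLIST:
            continue
        if not looks_encoded(e["qname"]):
            continue  # ordinary-looking name from a watched tool: baseline only
        key = (e["host"], e["process"], domain)
        seen[key] += 1
        alerts.append({**e, "domain": domain, "count": seen[key],
                       "burst": seen[key] >= BURST_THRESHOLD})
    return alerts

def _ev(process, parent, qname):  # constructed sample event, not real telemetry
    return {"host": "mac-01", "user": "dev", "process": process, "parent": parent, "qname": qname}

SAMPLE_EVENTS = [
    _ev("curl", "Terminal", "swcdn.apple.com"),                            # allowlisted domain
    _ev("curl", "Terminal", "api.github.com"),                             # short, normal label
    _ev("osascript", "launchd", "MFRGGZDFMZTWQ2LKNNWG23TBOJ2HE6DR.lookup.example.net"),
    _ev("osascript", "launchd", "NFZGK3TUNFQWYIDEMF2GCIDDNB2W4ZTB.lookup.example.net"),
    _ev("osascript", "launchd", "ORSXG5BAMRQXIYJAMZXXEIDFPBTGS3QA.lookup.example.net"),
    _ev("Safari", "launchd", "ORSXG5BAMRQXIYJAMZXXEIDFPBTGS3QA.cdn.example.org"),  # native app, out of scope
]
```

Running `detect(SAMPLE_EVENTS)` yields three alerts for the osascript queries to example.net, the third marked as a burst; the allowlisted, short-label and native-application events produce nothing.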

Mitigation priorities

  • Improve collection first: ensure macOS endpoint and DNS telemetry are retained and can be correlated during incident response.
  • Restrict or monitor unnecessary scripting and non-native tool use where business operations allow, especially on sensitive workstations.
  • Use egress and DNS governance to reduce uncontrolled outbound DNS paths and improve visibility through approved resolvers.
  • Create response playbooks for suspected DNS beaconing or exfiltration that include host isolation criteria, DNS evidence preservation, and user/process review.
  • Use findings from detection testing to support audit evidence for monitoring coverage and incident readiness.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for macOS with a concise description but no official detection logic, tactics, labels, aliases, or relationship context. The strongest supported interpretation is that it guides defenders to monitor macOS scripting or non-native tool-driven DNS queries with encoded subdomains, which may be associated with exfiltration or beaconing.

This take is limited to the supplied STIX fields and external reference. It does not establish active exploitation, attribution, specific ATT&CK techniques, guaranteed detection coverage, or applicability beyond macOS. Local environment baselines and telemetry availability are required to turn this analytic into an operational detection.

Official MITRE ATT&CK definition

Analytic 1123

Detects scripting environments (AppleScript, osascript, curl) or non-native tools performing DNS queries with encoded subdomains, often used for data exfiltration or beaconing.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (blank in mirrored snapshot)
Modified: (blank in mirrored snapshot)
Raw hash: b474dc01d233a8cc...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     (blank)          1.0             (blank)   Current bundle  b474dc01d233…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1123

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.