AN1142: Analytic 1142
Command-line initiated UDP traffic bursts to external reflection amplification ports using built-in scripting or binaries with network anomalies
Analyst context for executives and security teams
This analytic is about spotting macOS hosts that generate command-line initiated bursts of UDP traffic to external ports commonly associated with reflection/amplification behavior. For leaders, the practical concern is not attribution; it is whether a managed endpoint can become part of suspicious high-volume external network activity and whether the SOC has enough endpoint and network evidence to distinguish legitimate administration or testing from abnormal outbound traffic.
Executive priority
Prioritize this as a validation item for macOS visibility and outbound network governance. It can support decisions about EDR coverage on macOS, network monitoring depth, incident triage readiness, and audit evidence for detecting abnormal external communications. Because the ATT&CK object provides no tactic, relationship context, or detection logic, it should not drive conclusions about active threats by itself; it should drive a coverage check.
Technical view
For SOC, detection engineering, and IR teams, validate whether macOS command-line process telemetry can be correlated with outbound UDP network telemetry. The analytic scope is narrow: command-line initiated UDP bursts to external reflection amplification ports using built-in scripting or binaries, with network anomalies. Teams should test whether they can see the initiating process, command-line context, destination IPs, destination ports, traffic volume or burst characteristics, and whether traffic is external versus internal. Since no official detection is provided, local baselining and tuning are required.
Likely telemetry
- macOS process creation events with command-line arguments
- Endpoint network connection or flow records for UDP traffic
- Network flow logs showing destination IP, destination port, protocol, volume, and timing
- Firewall, proxy-equivalent, or network security device logs for outbound UDP where available
- EDR telemetry linking built-in macOS binaries or scripting interpreters to network activity
Detection direction
- Correlate macOS command-line process starts with near-time outbound UDP bursts to external destinations.
- Baseline normal macOS UDP behavior by host role to reduce false positives from legitimate tools, diagnostics, conferencing, VPN, or administrative activity.
- Tune around burst size, frequency, destination diversity, and unusual external ports rather than relying on a single connection event.
- Validate that telemetry preserves command-line details; without them, the analytic loses much of its decision value.
- Confirm the environment can distinguish external reflection/amplification-oriented destinations from internal or approved infrastructure.
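The correlation and tuning points above, worked through as an added example that is not part of the analytic or of Glexia's page: it joins constructed macOS process-start events to constructed UDP flow records and flags only bursts that meet volume, destination-diversity and external-destination criteria. The watched-port set, thresholds, host names and sample command lines are assumptions standing in for the local definitions the page says you must derive yourself.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: locally defined external UDP ports treated as reflection/amplification-prone; placeholders to tune locally.
WATCHED_UDP_PORTS = {19, 53, 123, 161, 1900, 11211}
BURST_WINDOW = timedelta(seconds=10)                                 # sliding window for counting flows
MIN_FLOWS, MIN_DISTINCT_DST, MAX_LAG = 20, 5, timedelta(seconds=30)  # volume, diversity, process-to-burst lag

def is_external(ip):
    """Simplified IPv4 check: RFC 1918, loopback, link-local and multicast count as internal."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return not (a in (10, 127) or a >= 224 or (a == 172 and 16 <= b <= 31) or (a, b) in ((192, 168), (169, 254)))

def find_udp_bursts(flows):
    """Per (host, pid), report the first window holding enough watched-port external UDP flows."""
    by_proc = defaultdict(list)
    for f in flows:
        if f["proto"] == "udp" and f["dport"] in WATCHED_UDP_PORTS and is_external(f["dst"]):
            by_proc[(f["host"], f["pid"])].append(f)
    bursts = []
    for (host, pid), fl in by_proc.items():
        fl.sort(key=lambda f: f["ts"])
        times = [f["ts"] for f in fl]
        for i, t in enumerate(times):
            j = bisect_right(times, t + BURST_WINDOW)  # flows with ts in [t, t + BURST_WINDOW]
            dsts = {f["dst"] for f in fl[i:j]}
            if j - i >= MIN_FLOWS and len(dsts) >= MIN_DISTINCT_DST:
                bursts.append({"host": host, "pid": pid, "first": t, "flows": j - i, "dsts": len(dsts)})
                break  # one finding per process is enough for triage
    return bursts

def correlate(process_events, flows):
    """Attach image and command line when the process start precedes the burst by at most MAX_LAG."""
    procs = {(p["host"], p["pid"]): p for p in process_events}
    alerts = []
    for b in find_udp_bursts(flows):
        p = procs.get((b["host"], b["pid"]))
        if p and timedelta(0) <= b["first"] - p["ts"] <= MAX_LAG:
            alerts.append({**b, "image": p["image"], "cmdline": p["cmdline"]})
    return alerts

# Constructed sample telemetry: a scripted burst from pid 4711 and one benign NTP query from pid 4720.
T0 = datetime(2026, 1, 15, 9, 0, 0)
PROCESS_EVENTS = [
    {"host": "mac-042", "pid": 4711, "ts": T0, "image": "/usr/bin/python3", "cmdline": "python3 -c <inline>"},
    {"host": "mac-042", "pid": 4720, "ts": T0, "image": "/usr/bin/sntp", "cmdline": "sntp time.example"}]
FLOWS = [{"host": "mac-042", "pid": 4711, "proto": "udp", "dport": 123, "dst": f"203.0.113.{i % 8 + 1}",
          "ts": T0 + timedelta(seconds=5, milliseconds=50 * i)} for i in range(40)]
FLOWS.append({"host": "mac-042", "pid": 4720, "proto": "udp", "dport": 123, "dst": "198.51.100.9", "ts": T0 + timedelta(seconds=2)})
```

Running `correlate(PROCESS_EVENTS, FLOWS)` yields one alert for pid 4711 carrying its image and command line, while the single benign NTP query from pid 4720 never reaches the burst threshold.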
Mitigation priorities
- Ensure macOS endpoints in scope have endpoint telemetry capable of capturing process and network context.
- Review outbound UDP egress controls and logging, especially for destinations and ports not required by business operations.
- Maintain an allowlist or expected-use model for macOS systems that legitimately generate UDP traffic bursts.
- Create IR triage steps for a macOS host producing abnormal outbound UDP, including host owner validation, process review, and containment decision criteria.
- Use findings as compliance and readiness evidence only after confirming data retention, alert routing, and analyst response procedures.
Analyst notes and limits
The supplied object is a detection analytic, not a technique, software, campaign, or intrusion set. It is limited to macOS and describes a behavioral pattern involving command-line initiated UDP bursts to external reflection amplification ports. No tactics, relationships, aliases, labels, or official detection text were supplied, so this take focuses on defensive validation rather than threat claims.
No official detection logic, tactic mapping, related ATT&CK objects, adversary associations, or impact claims were provided. Local port definitions, baselines, alert thresholds, and false-positive handling must be determined from the organization’s own telemetry and acceptable-use context.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 573e259d50bb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1142
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.