AN1150: Analytic 1150
Monitor unified logs for manipulation of proxy configurations, DNS resolution, or filtering rules. Adversaries may redirect responses or use trusted domains that later resolve to malicious C2 infrastructure.
Analyst context for executives and security teams
This analytic is about watching macOS unified logs for changes that could alter where network traffic goes or how it is filtered, such as proxy configuration, DNS resolution, or filtering rule manipulation. For leaders, the practical issue is trust in network routing: if endpoint traffic can be redirected or allowed through trusted-looking domains that later resolve to command-and-control infrastructure, normal perimeter assumptions may not be enough.
Executive priority
Prioritize this as a macOS endpoint visibility and incident-readiness question rather than a standalone control. Security leaders should ask whether macOS unified logs are collected, retained, and searchable; whether SOC teams can distinguish approved network configuration changes from suspicious manipulation; and whether incident responders can quickly reconstruct DNS, proxy, and filtering changes during an investigation. This supports resilience, audit evidence, and response confidence where macOS systems are material to the business.
Technical view
For SOC and detection engineering teams, validate collection and parsing of macOS unified logs related to proxy settings, DNS resolution behavior, and filtering rule changes. Because no official detection logic or relationship context is supplied, the analytic should be treated as a telemetry requirement and detection-design prompt. Build or tune detections around unexpected modifications, unusual timing, unapproved processes or users making network configuration changes, and changes that coincide with suspicious network destinations. Confirm baselines for legitimate administrative tooling to reduce false positives.
Likely telemetry
- macOS unified logs
- Endpoint network configuration change events
- Proxy configuration change evidence
- DNS resolution and resolver configuration evidence
- Host filtering or network filtering rule change evidence
Detection direction
- Validate that macOS unified logs are actually collected from relevant endpoints and retained long enough for investigations.
- Create baselines for legitimate proxy, DNS, and filtering rule changes, including expected administrators, management tools, and change windows.
- Alert on unexpected or unauthorized changes to proxy configuration, DNS resolution settings, or filtering rules, especially when made by unusual processes or users.
- Correlate configuration changes with outbound network activity and domain resolution patterns, while avoiding unsupported assumptions about maliciousness from a single change event.
- Account for false positives from device management, VPN clients, security tools, and enterprise network configuration updates.
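As an added example (not part of the ATT&CK object or the Glexia analysis), the baseline-and-alert direction above in Python over constructed `log show --style ndjson` lines: events are classified as DNS, proxy or filtering changes and flagged when the acting process is outside the baseline or the change falls outside the approved window. The MDM agent path and every log value are assumptions, not real telemetry.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample of `log show --style ndjson` output (one JSON object per
# line). Field names follow the unified log export; every value is made up.
SAMPLE_NDJSON = """
{"timestamp":"2024-05-02 02:14:07.000000+0000","processImagePath":"/usr/sbin/networksetup","eventMessage":"Setting DNS servers for service Wi-Fi: 203.0.113.53"}
{"timestamp":"2024-05-02 10:05:11.000000+0000","processImagePath":"/Library/ExampleMDM/mdmagent","eventMessage":"Setting web proxy for service Wi-Fi: proxy.corp.example:8080"}
{"timestamp":"2024-05-02 03:41:55.000000+0000","processImagePath":"/sbin/pfctl","eventMessage":"pf rules loaded from /tmp/rules.conf"}
{"timestamp":"2024-05-02 11:20:00.000000+0000","processImagePath":"/usr/libexec/configd","eventMessage":"interface en0 link up"}
"""

# Message patterns that mark a proxy, DNS, or filtering configuration change.
CHANGE_PATTERNS = {
    "dns": re.compile(r"\b(dns|resolver)\b", re.I),
    "proxy": re.compile(r"\bproxy\b", re.I),
    "filter": re.compile(r"\b(pf rules|firewall|filter rule)\b", re.I),
}
# Baseline: process image paths approved to make such changes (hypothetical MDM
# agent path) and the approved change window in UTC hours [start, end).
APPROVED_PROCESSES = {"/Library/ExampleMDM/mdmagent"}
CHANGE_WINDOW_UTC = (8, 18)

def classify(message):
    """Return 'dns', 'proxy', 'filter', or None for an event message."""
    return next((k for k, p in CHANGE_PATTERNS.items() if p.search(message)), None)

def event_hour_utc(ts):
    # ndjson timestamps look like "2024-05-02 02:14:07.000000+0000"
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f%z").astimezone(timezone.utc).hour

def find_suspicious_changes(ndjson_text):
    """Flag configuration changes that deviate from the baseline, with reasons."""
    findings = []
    for line in ndjson_text.strip().splitlines():
        ev = json.loads(line)
        kind = classify(ev.get("eventMessage", ""))
        if kind is None:
            continue  # not a proxy/DNS/filter configuration event
        reasons = []
        if ev.get("processImagePath") not in APPROVED_PROCESSES:
            reasons.append("unapproved process")
        if not CHANGE_WINDOW_UTC[0] <= event_hour_utc(ev["timestamp"]) < CHANGE_WINDOW_UTC[1]:
            reasons.append("outside change window")
        if reasons:
            findings.append({"kind": kind, "process": ev.get("processImagePath"),
                             "timestamp": ev["timestamp"], "reasons": reasons})
    return findings
```

The approved MDM proxy change inside the window produces no finding, which is the false-positive handling the list above asks for; the two findings carry both reasons so an analyst sees why the event deviated from baseline.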
Mitigation priorities
- Establish approved change paths for macOS proxy, DNS, and filtering configuration, including ownership and change records.
- Restrict who and what can modify network configuration on managed macOS endpoints where operationally feasible.
- Ensure endpoint management and security tooling preserve sufficient logging for proxy, DNS, and filtering changes.
- Use incident response playbooks that include review of recent macOS network configuration changes when investigating suspicious outbound traffic.
- Periodically test whether SOC analysts can retrieve and interpret the relevant unified log evidence.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for macOS and provides a high-level monitoring concept, not a complete detection rule. Its value is strongest as a coverage validation item for organizations with managed macOS fleets and a need to investigate traffic redirection or trusted-domain abuse scenarios.
No tactics, official detection logic, related techniques, adversary relationships, or mitigation mappings were supplied. Local environment baselines are required to determine what changes are suspicious, what telemetry is available, and what level of alerting is appropriate.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 111c612cf2f8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1150
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.