AN1171: Analytic 1171
Detects Automator, AppleScript, or Terminal executing curl, lftp, or TFTP for binary transfer to untrusted IPs or unusual ports.
Analyst context for executives and security teams
This analytic is about spotting macOS systems where Automator, AppleScript, or Terminal launches common file-transfer utilities such as curl, lftp, or TFTP to move binaries to untrusted IP addresses or unusual ports. For leaders, the value is not just detecting a command-line tool; it is validating whether the organization can see suspicious binary transfer behavior on macOS endpoints before it becomes an incident-response blind spot.
Executive priority
Prioritize this where macOS endpoints support privileged users, developers, administrators, or business-critical workflows. The decision value is confirming that endpoint logging, SOC triage, and incident-response playbooks can distinguish legitimate automation or administrative downloads from suspicious binary transfer activity. Because ATT&CK provides no tactic or relationship context for this object, use it as a coverage validation item rather than as evidence of a specific campaign or impact scenario.
Technical view
Validate macOS telemetry that records process execution lineage from Automator, AppleScript, and Terminal, especially child processes invoking curl, lftp, or TFTP. Detection logic should focus on destination trust and port context: transfers to untrusted IPs, uncommon destinations, or unusual ports. Since no official detection logic is provided, teams should build and tune local analytics using endpoint process events, command-line arguments where available, network connection metadata, and asset/user context.
Likely telemetry
- macOS endpoint process creation events
- Parent-child process relationships involving Automator, AppleScript, or Terminal
- Command-line arguments for curl, lftp, and TFTP executions, where collected
- Network connection metadata including destination IP, port, protocol, and timing
- Destination reputation or internal allowlist context for trusted versus untrusted IPs
Detection direction
- Confirm that macOS EDR or endpoint logging captures process lineage and command-line detail for Automator, AppleScript, Terminal, curl, lftp, and TFTP.
- Define what counts as an untrusted IP and unusual port in the local environment; this cannot be inferred from the ATT&CK object alone.
- Tune for legitimate software updates, developer workflows, scripts, and administrative automation that may use curl or Terminal frequently.
- Prioritize alerts where suspicious transfer utilities are spawned by automation tools or interactive shells and connect to external or nonstandard destinations.
- Review blind spots around privacy controls, incomplete command-line capture, unmanaged macOS hosts, and network-only monitoring that lacks process context.
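As an added example (not part of the ATT&CK object or this page's own tooling), the lineage-plus-destination logic described under Technical view and Detection direction, run over constructed macOS process events in Python. The trusted networks, the expected-port baseline per tool, and treating osascript as the AppleScript runtime are assumptions a local team would replace with its own definitions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed baseline: the tools the analytic names, and the ancestors that stand
# for "Automator, AppleScript, or Terminal" (osascript is the AppleScript runtime;
# Terminal's shell sits between it and the tool, so the whole lineage is checked).
TRANSFER_TOOLS = {"curl", "lftp", "tftp"}
AUTOMATION_ANCESTORS = {"Automator", "osascript", "Terminal"}
# Constructed local policy: the ATT&CK object defines neither of these.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]
EXPECTED_PORTS = {"curl": {80, 443}, "lftp": {21, 22, 990}, "tftp": {69}}

@dataclass
class ProcEvent:
    event_id: str
    lineage: list  # ancestor image names, root first, e.g. ["Terminal", "zsh"]
    process: str   # image name of the spawned process
    dest_ip: str
    dest_port: int

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def evaluate(event: ProcEvent) -> list:
    """Return the reasons an event matches the analytic, or [] if it does not."""
    if event.process not in TRANSFER_TOOLS:
        return []
    if not AUTOMATION_ANCESTORS.intersection(event.lineage):
        return []  # spawned outside the automation/Terminal lineage: out of scope
    reasons = []
    if not is_trusted(event.dest_ip):
        reasons.append("untrusted_destination")
    if event.dest_port not in EXPECTED_PORTS[event.process]:
        reasons.append("unusual_port")
    return reasons

def triage(events) -> dict:
    """Map event_id -> reasons for every event that should raise an alert."""
    return {e.event_id: r for e in events if (r := evaluate(e))}

# Constructed sample telemetry using documentation (TEST-NET) addresses.
SAMPLE_EVENTS = [
    ProcEvent("e1", ["Terminal", "zsh"], "curl", "203.0.113.10", 443),  # trusted
    ProcEvent("e2", ["Automator"], "curl", "198.51.100.7", 8081),       # alert x2
    ProcEvent("e3", ["osascript", "sh"], "lftp", "198.51.100.20", 21),  # alert
    ProcEvent("e4", ["launchd"], "curl", "198.51.100.7", 8081),         # no lineage
    ProcEvent("e5", ["Terminal", "bash"], "tftp", "10.1.2.3", 69),      # trusted
]
```

Events e2 and e3 are the only ones that surface; e4 shows why the lineage check matters, since the same destination and port without an automation ancestor is outside this analytic's scope.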
Mitigation priorities
- Establish approved macOS software transfer and automation patterns for administrators, developers, and end users.
- Restrict or monitor use of legacy or unnecessary transfer utilities where operationally feasible, especially TFTP and lftp on managed macOS endpoints.
- Use endpoint management and least-privilege controls to reduce unauthorized script or automation execution paths.
- Maintain destination allowlists or egress policies for known business transfer destinations where appropriate.
- Ensure incident-response procedures include rapid review of macOS process lineage, downloaded binaries, destination IPs, and affected user context.
Analyst notes and limits
This is a detection analytic object, not a technique description. The supplied ATT&CK fields only state that it applies to macOS and detects Automator, AppleScript, or Terminal executing curl, lftp, or TFTP for binary transfer to untrusted IPs or unusual ports. No tactics, relationships, aliases, or official detection implementation are supplied.
Local implementation requires environment-specific definitions for trusted destinations, unusual ports, legitimate automation, and expected use of file-transfer tools. The object does not support claims about adversary attribution, active exploitation, business impact, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a0fc808eb5f2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1171
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.