AN1227: Analytic 1227
Detects applications using abnormal protocols or high volume traffic not previously associated with the process image, such as Automator or AppleScript invoking curl or python sockets.
Analyst context for executives and security teams
AN1227 is a macOS detection analytic focused on applications that suddenly use unusual network protocols or generate high-volume traffic not normally associated with that process image. For leaders, the value is not the specific example alone; it is a coverage question: can the organization notice when trusted or user-facing macOS applications begin behaving like network automation tools?
Executive priority
Prioritize this as a macOS endpoint and network visibility validation item. It can support incident triage, managed detection quality, and audit evidence by showing whether teams baseline expected application network behavior and investigate abnormal protocol or volume changes. Because ATT&CK provides no tactic mapping or relationship context here, treat it as a detection-control assessment rather than proof of a specific threat scenario.
Technical view
For SOC and detection engineering, validate whether macOS telemetry can associate process image, parent or initiating application, command context where available, protocol, destination, and traffic volume. The analytic description specifically calls out cases such as Automator or AppleScript invoking curl or Python sockets, so testing should focus on detecting unusual network behavior tied to process identity rather than only matching tool names. Tune against known administrative automation, developer workflows, software update behavior, and sanctioned scripts to reduce false positives.
Likely telemetry
- macOS process execution events including process image and parent process where available
- Endpoint network connection events tied to process identity
- Network protocol metadata and destination information
- Traffic volume metrics by process or host
- Script or automation context involving Automator, AppleScript, curl, or Python where collected
Detection direction
- Confirm the organization can baseline normal protocol and traffic-volume patterns for macOS process images.
- Alert on applications using protocols or traffic volumes not previously associated with the process image, consistent with the official analytic description.
- Correlate endpoint process context with network telemetry so abnormal traffic is attributable to a specific macOS application or script runtime.
- Tune exceptions for legitimate automation, developer activity, management tooling, and recurring business workflows.
- Document blind spots where network telemetry is not process-attributed or where macOS endpoint logging is not collected consistently.
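The detection direction above (baseline per process image, alert on unseen protocol or volume, attribute via the parent application, tune exceptions) as a small worked example. This is added illustration code, not ATT&CK detection logic and not Glexia's code; the event fields, the process paths, the 10x volume factor and the management-script exception are all constructed assumptions standing in for whatever a real macOS endpoint sensor exports.

```python
"""Toy implementation of the AN1227 detection direction (added example, not from
the ATT&CK analytic or the Glexia page). It learns, per macOS process image, the
parent applications, protocol/port pairs and peak outbound volume seen during a
known-good period, then labels new events that deviate from that baseline."""
from collections import defaultdict
from dataclasses import dataclass, field

VOLUME_FACTOR = 10  # assumption: flag when bytes_out exceeds 10x the image's baseline peak


@dataclass(frozen=True)
class NetEvent:
    """One process-attributed network connection event (constructed schema)."""
    host: str
    image: str       # process image path: the identity the analytic keys on
    parent: str      # parent / initiating application, used for attribution
    proto: str       # transport protocol as reported by the endpoint sensor
    dst_port: int
    dst: str
    bytes_out: int


@dataclass
class ImageBaseline:
    parents: set = field(default_factory=set)
    protocols: set = field(default_factory=set)  # (proto, dst_port) pairs
    max_bytes_out: int = 0


def build_baseline(events):
    """Learn per-image parents, protocol/port pairs and peak volume from known-good events."""
    baseline = defaultdict(ImageBaseline)
    for ev in events:
        b = baseline[ev.image]
        b.parents.add(ev.parent)
        b.protocols.add((ev.proto, ev.dst_port))
        b.max_bytes_out = max(b.max_bytes_out, ev.bytes_out)
    return baseline


def evaluate(ev, baseline, exceptions):
    """Return finding labels for one event; an empty list means no alert."""
    if (ev.parent, ev.image) in exceptions:
        return []  # sanctioned automation: a documented tuning exception
    b = baseline.get(ev.image)
    if b is None:
        return ["unbaselined_image"]  # never seen on the network before: triage, do not auto-suppress
    findings = []
    if ev.parent not in b.parents:
        findings.append("new_parent")       # e.g. AppleScript/Automator now driving a known tool
    if (ev.proto, ev.dst_port) not in b.protocols:
        findings.append("new_protocol")     # protocol/port not previously associated with the image
    if ev.bytes_out > b.max_bytes_out * VOLUME_FACTOR:
        findings.append("high_volume")      # traffic volume far above the learned peak
    return findings


# Constructed sample data; paths and addresses are illustrative, not real telemetry.
SAFARI = "/Applications/Safari.app/Contents/MacOS/Safari"
CURL = "/usr/bin/curl"
PY = "/usr/bin/python3"
OSASCRIPT = "/usr/bin/osascript"
AUTOMATOR = "/System/Applications/Automator.app/Contents/MacOS/Automator"  # assumed path
MGMT_SCRIPT = "/Library/Management/update.sh"  # hypothetical sanctioned management script

BASELINE_EVENTS = [
    NetEvent("mac-01", SAFARI, "/sbin/launchd", "tcp", 443, "203.0.113.10", 48_000),
    NetEvent("mac-01", SAFARI, "/sbin/launchd", "tcp", 443, "203.0.113.11", 120_000),
    NetEvent("mac-01", CURL, "/bin/zsh", "tcp", 443, "203.0.113.20", 6_000),
    NetEvent("mac-02", PY, "/bin/zsh", "tcp", 443, "203.0.113.30", 2_500),
]

EXCEPTIONS = {(MGMT_SCRIPT, CURL)}  # (parent, image) pairs approved during tuning

NEW_EVENTS = [
    NetEvent("mac-01", SAFARI, "/sbin/launchd", "tcp", 443, "203.0.113.12", 90_000),          # normal browsing
    NetEvent("mac-01", CURL, OSASCRIPT, "tcp", 443, "203.0.113.40", 4_000),                  # AppleScript invoking curl
    NetEvent("mac-02", PY, AUTOMATOR, "tcp", 8443, "198.51.100.5", 150_000_000),             # Automator-driven python socket
    NetEvent("mac-02", CURL, MGMT_SCRIPT, "tcp", 443, "203.0.113.20", 3_000),                # sanctioned automation
    NetEvent("mac-03", "/private/tmp/helper", OSASCRIPT, "udp", 4444, "198.51.100.9", 900),  # never-seen image
]


def run_detection(new_events, baseline_events=BASELINE_EVENTS, exceptions=EXCEPTIONS):
    """Evaluate each new event against the learned baseline; returns attributable findings."""
    baseline = build_baseline(baseline_events)
    return [(ev.host, ev.image, ev.parent, evaluate(ev, baseline, exceptions)) for ev in new_events]


if __name__ == "__main__":
    for host, image, parent, findings in run_detection(NEW_EVENTS):
        status = ", ".join(findings) if findings else "ok"
        print(f"{host}: {parent} -> {image}: {status}")
```

Each finding carries the parent and image so an analyst can tell "AppleScript drove curl" from "a shell drove curl", which is the attribution the technical view asks for. The exception set suppresses a whole (parent, image) pair; narrowing that to specific protocols or a volume ceiling is a tuning decision worth recording alongside the baseline, as the mitigation priorities suggest.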
Mitigation priorities
- Improve macOS endpoint logging and process-attributed network visibility before relying on this analytic operationally.
- Establish baselines for approved automation and scripting behavior on managed macOS systems.
- Review controls governing script execution and application automation where business requirements allow.
- Use triage runbooks that distinguish sanctioned automation from unexpected network behavior by trusted applications.
- Maintain evidence of telemetry collection, alert logic, tuning decisions, and exceptions for compliance and detection-readiness reviews.
Analyst notes and limits
This take is based only on the supplied ATT&CK analytic fields. The object is a detection analytic for macOS with no supplied tactic, technique, mitigation, or relationship context. The practical decision value is therefore centered on whether defenders can detect abnormal process-associated network behavior on macOS and operationalize the resulting alerts.
Official detection logic was not provided, and no relationships were supplied. This summary does not infer adversary attribution, active exploitation, impact, or coverage beyond macOS. Local baselines, telemetry quality, and approved automation patterns are required to determine usefulness and false-positive rates.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f30bdede5c10… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1227 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.