AN1231: Analytic 1231
AppleScript, LaunchAgents, or remote login services (`ssh`, `networksetup`) establishing proxy tunnels or dynamic port forwards to external IPs or alternate local hosts.
Analyst context for executives and security teams
This analytic matters because it points to macOS systems being used to create proxy tunnels or dynamic port forwards through AppleScript, LaunchAgents, or remote login-related utilities such as ssh and networksetup. For leaders, the practical risk is not the tool name; it is whether an endpoint can quietly become a relay path that bypasses expected network visibility or supports unauthorized remote access.
Executive priority
Prioritize this as a macOS visibility and control validation item. Security leaders should ask whether SOC, endpoint, and network teams can prove when a Mac establishes unusual proxying or port-forwarding behavior to external IPs or unexpected local hosts. The value is strongest for incident response readiness, managed detection validation, and audit evidence around remote access governance; the supplied ATT&CK object does not provide impact claims, attribution, or active exploitation context.
Technical view
Validate coverage for macOS behaviors involving AppleScript execution, LaunchAgent persistence/execution context, and remote login or network configuration utilities associated with proxy tunnels or dynamic port forwards. Because ATT&CK provides no official detection logic for AN1231, SOC teams should build environment-specific analytics around process execution, command-line arguments, parent-child process context, LaunchAgent file/activity evidence, remote login service activity, and outbound connections to external IPs or alternate local hosts. Tuning should account for legitimate administration, developer workflows, and approved remote access tooling.
Likely telemetry
- macOS endpoint process execution telemetry, including command line and parent process context
- AppleScript execution activity where available
- LaunchAgent creation, modification, loading, or execution evidence
- ssh and networksetup usage on macOS endpoints
- Network connection telemetry showing outbound connections, proxy behavior, or dynamic port-forward-like patterns
Detection direction
- Confirm that macOS endpoint telemetry captures process command lines for AppleScript, ssh, networksetup, and LaunchAgent-related activity.
- Correlate endpoint events with network telemetry showing connections to external IPs or alternate local hosts that are not expected for the user, host role, or business application.
- Baseline legitimate administrative, developer, and support use of port forwarding or proxy settings to reduce false positives.
- Look for combinations rather than single events: script execution plus LaunchAgent activity, remote login utility usage plus unusual outbound destinations, or network configuration changes followed by proxy-like traffic.
- Treat missing macOS command-line, LaunchAgent, or network visibility as a material blind spot because the official object provides no ready-made detection logic.
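The combination-based approach the list above recommends, shown as an added worked example (not code from the ATT&CK object or from this page's analysis): a small Python correlation that tags constructed macOS process events for ssh forwards, `networksetup` proxy changes and LaunchAgent context, then raises a host-level finding when several distinct tags land inside one time window or when a forward targets an external address. The allowlisted hosts (`bastion.corp.example`, `proxy.corp.example`), the `.corp.example` internal suffix, the sample address `203.0.113.10` and every event record are assumptions made up for the example; the ssh option handling covers the common option-taking flags only.

```python
"""Correlating AN1231-style macOS telemetry into host findings.
All events, hostnames, suffixes and allowlists are constructed for illustration."""
import ipaddress
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed local policy (hypothetical names): approved jump hosts and proxies.
APPROVED_SSH_HOSTS = {"bastion.corp.example"}
APPROVED_PROXY_HOSTS = {"proxy.corp.example"}
INTERNAL_SUFFIX = ".corp.example"  # assumed internal DNS suffix
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

FORWARD_FLAGS = {"-D": "dynamic", "-L": "local", "-R": "remote"}
# ssh options that consume the next token, so "-p 2222" is not read as the
# destination. Common subset only; extend for your environment.
SSH_OPTS_WITH_ARG = {"-D", "-L", "-R", "-p", "-i", "-o", "-J", "-F", "-l",
                     "-W", "-b", "-c", "-e", "-m", "-E", "-I", "-S", "-w", "-B"}
PROXY_VERBS = {"-setsocksfirewallproxy", "-setwebproxy", "-setsecurewebproxy"}
SINGLE_EVENT_ALERTS = {"ssh_forward_external"}  # high-signal on its own

# Constructed sample events (not real telemetry).
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "mac-42", "user": "alice", "parent": "Terminal",
     "cmd": "launchctl load /Users/alice/Library/LaunchAgents/com.example.sync.plist"},
    {"ts": "2024-05-01T10:00:03", "host": "mac-42", "user": "alice", "parent": "launchd",
     "cmd": "/usr/bin/ssh -D 1080 -N alice@203.0.113.10"},
    {"ts": "2024-05-01T10:00:09", "host": "mac-42", "user": "alice", "parent": "Terminal",
     "cmd": "networksetup -setsocksfirewallproxy Wi-Fi 127.0.0.1 1080"},
    # Baseline administrative use: forward to an approved jump host, approved proxy.
    {"ts": "2024-05-01T11:30:00", "host": "mac-07", "user": "bob", "parent": "Terminal",
     "cmd": "ssh -p 2222 -L 5432:localhost:5432 bob@bastion.corp.example"},
    {"ts": "2024-05-01T14:00:00", "host": "mac-07", "user": "bob", "parent": "Terminal",
     "cmd": "networksetup -setwebproxy Wi-Fi proxy.corp.example 8080"},
    # A lone AppleScript run with nothing else nearby should not alert.
    {"ts": "2024-05-01T09:00:00", "host": "mac-13", "user": "carol", "parent": "Terminal",
     "cmd": "osascript -e 'display dialog \"hello\"'"},
]


def is_external(host):
    """True for an IP outside the listed internal ranges, or a name outside the suffix."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return not host.lower().endswith(INTERNAL_SUFFIX)
    return not any(ip in net for net in INTERNAL_NETS)


def parse_ssh(cmd):
    """Return (list of forward types, destination host) from an ssh command line."""
    toks = shlex.split(cmd)
    forwards, dest, i = [], None, 1
    while i < len(toks):
        t = toks[i]
        if t in FORWARD_FLAGS:                      # "-D 1080"
            forwards.append(FORWARD_FLAGS[t])
            i += 2
        elif len(t) > 2 and t[:2] in FORWARD_FLAGS:  # attached form "-D1080"
            forwards.append(FORWARD_FLAGS[t[:2]])
            i += 1
        elif t in SSH_OPTS_WITH_ARG:
            i += 2
        elif t.startswith("-"):
            i += 1
        else:
            dest = t.rsplit("@", 1)[-1]             # strip user@; rest is remote cmd
            break
    return forwards, dest


def indicators(ev):
    """Map one process event to zero or more AN1231-relevant tags."""
    toks = shlex.split(ev["cmd"])
    exe = toks[0].rsplit("/", 1)[-1] if toks else ""
    tags = []
    if exe == "ssh":
        forwards, dest = parse_ssh(ev["cmd"])
        if forwards and dest:
            if is_external(dest):
                tags.append("ssh_forward_external")
            elif dest not in APPROVED_SSH_HOSTS:
                tags.append("ssh_forward_unapproved")
        if ev.get("parent") == "launchd":           # LaunchAgent execution context
            tags.append("ssh_from_launchagent")
    elif exe == "networksetup" and len(toks) >= 4 and toks[1] in PROXY_VERBS:
        if toks[3] not in APPROVED_PROXY_HOSTS:     # includes loopback "alternate local host"
            tags.append("proxy_set_unapproved")
    elif exe == "launchctl" and "/Library/LaunchAgents/" in ev["cmd"]:
        tags.append("launchagent_load")
    elif exe == "osascript":
        tags.append("applescript_exec")
    return tags


def correlate(events, window=timedelta(minutes=10)):
    """One finding per host window holding a single-event alert or >= 2 distinct tags."""
    tagged = defaultdict(list)
    for ev in events:
        for tag in indicators(ev):
            tagged[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tag, ev["cmd"]))
    findings = []
    for host, items in tagged.items():
        items.sort(key=lambda x: x[0])
        idx = 0
        while idx < len(items):
            ts, tag, cmd = items[idx]
            in_window = [it for it in items[idx:] if it[0] <= ts + window]
            cluster = {t for _, t, _ in in_window}
            if tag in SINGLE_EVENT_ALERTS or len(cluster) >= 2:
                findings.append({"host": host, "first_seen": ts.isoformat(),
                                 "tags": sorted(cluster), "trigger": cmd})
                idx += len(in_window)
            else:
                idx += 1
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

Run against the constructed events, only `mac-42` produces a finding: the LaunchAgent load, the launchd-parented dynamic forward to an external address and the loopback SOCKS proxy change all fall inside one ten-minute window, while the approved forward on `mac-07` and the lone `osascript` run on `mac-13` stay below the threshold. The allowlists and the internal-suffix rule are where local baselining (the third bullet above) plugs in.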
Mitigation priorities
- Define and enforce approved remote access and proxying practices for macOS systems.
- Restrict or monitor remote login capabilities and administrative use of ssh, networksetup, AppleScript, and LaunchAgents according to business need.
- Maintain endpoint and network logging sufficient to reconstruct proxy tunnel or dynamic port-forward behavior during an incident.
- Review macOS configuration management for unauthorized LaunchAgents and unexpected network/proxy settings.
- Use asset ownership, user role, and change-control records to separate sanctioned administrative activity from suspicious behavior.
Analyst notes and limits
AN1231 is a detection analytic object for enterprise ATT&CK on macOS. The official description is specific to AppleScript, LaunchAgents, ssh, and networksetup being involved in proxy tunnels or dynamic port forwards, but no tactic, official detection text, or relationship context was supplied. Local baselines and approved remote access patterns are therefore essential for useful detection engineering.
This take is limited to the supplied STIX fields, external reference, and absence of relationships. It does not assert active exploitation, adversary attribution, business impact, or guaranteed detectability. The object does not specify tactics, related techniques, mitigations, data sources, or detection logic.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b913c1c557bb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1231
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.