Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1256: Analytic 1256

Unsigned binaries or interpreted scripts initiating non-standard protocols (ICMP, UDP, SOCKS) outside of baseline network behavior.

EnterpriseAN1256AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is relevant because it focuses on macOS systems where unsigned binaries or interpreted scripts start unusual network activity using protocols such as ICMP, UDP, or SOCKS. For leaders, the decision value is whether the organization can distinguish approved macOS software behavior from unexpected network behavior by untrusted or unmanaged code.

Executive priority

Prioritize this as a coverage-validation question for macOS monitoring and network baselining. The business risk is not proven impact from this object alone, but a gap here can weaken incident triage, audit evidence, and confidence that unmanaged tooling or scripts are being noticed when they communicate outside expected patterns.

Technical view

SOC and detection teams should validate whether macOS endpoint and network telemetry can correlate process trust state, script execution, binary signing status, and outbound protocol behavior. Because no official detection logic or ATT&CK tactic is supplied, teams should treat AN1256 as a detection concept: unsigned binaries or interpreted scripts initiating ICMP, UDP, or SOCKS traffic that deviates from the local baseline.

Likely telemetry

  • macOS process execution telemetry
  • Code-signing or binary trust metadata
  • Interpreter execution events for scripts
  • Outbound network connection records
  • Protocol metadata for ICMP, UDP, and SOCKS

Detection direction

  • Validate that macOS telemetry includes both process identity and network activity, not only one side of the event.
  • Baseline normal ICMP, UDP, and SOCKS usage by host role, user group, and approved applications before alerting broadly.
  • Tune for unsigned binaries and interpreted scripts that initiate non-standard protocol activity outside expected patterns.
  • Account for legitimate administrative scripts, developer tools, VPN/proxy clients, monitoring agents, and troubleshooting utilities to reduce false positives.
  • Investigate events with weak signing context, unfamiliar parent processes, rare destinations, or activity inconsistent with the host’s normal role.

Mitigation priorities

  • Maintain an inventory of approved macOS applications, scripts, and administrative tools that are expected to use ICMP, UDP, or SOCKS.
  • Strengthen application control, code-signing expectations, and script governance where operationally feasible.
  • Restrict or monitor non-standard outbound protocol use based on business need and host role.
  • Ensure incident response playbooks include collection of process, signing, script, user, and network context for suspicious macOS activity.
  • Use findings to improve compliance evidence around endpoint monitoring, software governance, and network control validation.
Analyst notes and limits

AN1256 is a detection analytic for macOS with a concise description but no supplied detection logic, tactic mapping, aliases, labels, or relationship context. Its value is primarily as a validation prompt for whether defenders can connect unsigned or interpreted code execution to unusual outbound protocol behavior.

This take is limited to the supplied ATT&CK fields and external reference. It does not establish adversary attribution, active exploitation, impact, prevalence, or guaranteed detectability. Local baselines, approved software inventories, and telemetry quality are required to determine operational relevance.

Official MITRE ATT&CK definition

Analytic 1256

Unsigned binaries or interpreted scripts initiating non-standard protocols (ICMP, UDP, SOCKS) outside of baseline network behavior.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
f4e621057308eabd...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle f4e621057308…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1256
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use