MITRE ATT&CK® Analytic

AN1333: Analytic 1333

Use unified logs to identify processes issuing repeated DNS queries where the resolved IP addresses change frequently within very short TTL values. Correlate with outbound network traffic to validate C2-like patterns.

Enterprise | AN1333 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is useful for spotting macOS systems that may be using fast-changing DNS infrastructure to reach command-and-control-like destinations. For leaders, the practical question is whether macOS endpoint and network telemetry are good enough to connect DNS behavior with outbound traffic before an investigation depends on incomplete evidence.

Executive priority

Prioritize this where macOS endpoints are business-critical, privileged, or commonly used by executives, developers, or administrators. The business value is not the analytic alone; it is proving that the organization can collect unified logs, DNS evidence, and outbound network activity in a way that supports timely SOC triage, incident response scoping, and audit-ready evidence of monitoring coverage.

Technical view

Validate whether macOS unified logs capture process-level DNS activity and whether analysts can identify repeated DNS queries where resolved IP addresses change frequently with very short TTL values. Correlate those observations with outbound network connections from the same host and process to assess whether the pattern resembles C2-like activity. Because no ATT&CK tactic or relationship context is supplied, treat this as a detection validation pattern rather than a complete behavior chain.

Likely telemetry

  • macOS unified logs with process context
  • DNS query and response data
  • Resolved IP address history for queried domains
  • DNS TTL values
  • Outbound network connection logs from macOS hosts

Detection direction

  • Confirm unified log collection is enabled, centralized, retained, and searchable for relevant macOS endpoints.
  • Tune for repeated DNS lookups with rapidly changing resolved IPs and very short TTLs, then require correlation with outbound traffic to reduce noise.
  • Review false positives from legitimate content delivery networks, cloud services, software update mechanisms, and security tools that may use dynamic DNS or short TTLs.
  • Validate that DNS telemetry includes response details and TTLs; query-only logging may be insufficient.
  • Check whether process-to-network correlation is available; without process context, triage value is materially reduced.
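The technical view and detection direction above describe a two-stage check: find processes whose repeated lookups of one domain return rapidly changing IPs with short TTLs, then require an outbound connection from the same process to one of those IPs. The following is an added example, not MITRE's or Glexia's detection logic; it runs over constructed sample records (the field layout, thresholds and allowlist are assumptions, not macOS unified-log output):

```python
from collections import defaultdict

# Constructed sample DNS responses (not real unified-log output):
# (timestamp_s, pid, process, domain, resolved_ip, ttl_s)
DNS_EVENTS = [
    (0,   501, "updater",   "updates.example-cdn.net", "203.0.113.10",  30),
    (60,  501, "updater",   "updates.example-cdn.net", "203.0.113.11",  30),
    (120, 501, "updater",   "updates.example-cdn.net", "203.0.113.12",  30),
    (0,   777, "osascript", "beacon.example.test",     "198.51.100.5",  20),
    (25,  777, "osascript", "beacon.example.test",     "198.51.100.9",  20),
    (50,  777, "osascript", "beacon.example.test",     "198.51.100.77", 20),
    (75,  777, "osascript", "beacon.example.test",     "198.51.100.23", 20),
    (0,   900, "Safari",    "www.example.org",         "192.0.2.10",  3600),
]
# Constructed outbound connections from the same host: (timestamp_s, pid, dst_ip)
NET_EVENTS = [(5, 501, "203.0.113.10"), (27, 777, "198.51.100.9"),
              (78, 777, "198.51.100.23"), (2, 900, "192.0.2.10")]

# Thresholds are assumptions to be tuned locally; the allowlist holds known short-TTL services.
MIN_QUERIES, MIN_DISTINCT_IPS, MAX_TTL_S, WINDOW_S = 3, 3, 60, 120
ALLOWLIST = {"updates.example-cdn.net"}

def find_fast_flux_candidates(dns_events, allowlist=ALLOWLIST):
    """Group lookups by (pid, process, domain); keep repeated, multi-IP, short-TTL groups."""
    groups = defaultdict(list)
    for ts, pid, proc, domain, ip, ttl in dns_events:
        groups[(pid, proc, domain)].append((ts, ip, ttl))
    hits = {}
    for key, rows in groups.items():
        ips = {ip for _, ip, _ in rows}
        if key[2] in allowlist or len(rows) < MIN_QUERIES or len(ips) < MIN_DISTINCT_IPS:
            continue
        if max(ttl for _, _, ttl in rows) <= MAX_TTL_S:
            hits[key] = ips
    return hits

def correlate_with_outbound(candidates, dns_events, net_events):
    """Keep only candidates where the same pid connected to a freshly resolved IP within WINDOW_S."""
    alerts = []
    for (pid, proc, domain), ips in candidates.items():
        lookups = [(ts, ip) for ts, p, _, d, ip, _ in dns_events if p == pid and d == domain]
        reached = sorted({dst for nts, npid, dst in net_events if npid == pid and dst in ips
                          and any(ip == dst and 0 <= nts - ts <= WINDOW_S for ts, ip in lookups)})
        if reached:
            alerts.append({"pid": pid, "process": proc, "domain": domain,
                           "resolved_ips": sorted(ips), "connected_to": reached})
    return alerts

def run(dns_events=DNS_EVENTS, net_events=NET_EVENTS, allowlist=ALLOWLIST):
    return correlate_with_outbound(find_fast_flux_candidates(dns_events, allowlist), dns_events, net_events)
```

With the allowlist in place only the `osascript` lookups produce an alert; passing an empty allowlist also flags the short-TTL updater domain, which is the false-positive class the tuning bullets describe.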

Mitigation priorities

  • Ensure macOS logging and DNS visibility are part of the monitored endpoint baseline.
  • Centralize DNS and outbound network telemetry with enough retention to support incident response timelines.
  • Use network egress controls and DNS governance appropriate to the environment to limit unapproved outbound destinations.
  • Maintain allowlists or baselines for known legitimate services that use short TTLs to support accurate detection tuning.
  • Test the analytic in SOC workflows so alerts include host, process, domain, resolved IPs, TTLs, and related outbound connections.

Analyst notes and limits

This object is a detection analytic for macOS focused on unified logs, DNS behavior, and outbound network correlation. No relationships, tactics, aliases, or official detection logic were supplied, so the take emphasizes validation of telemetry and operational use rather than ATT&CK technique mapping.

The supplied ATT&CK fields do not provide a tactic, related technique, detection rule, data components, mitigations, or threat relationships. Local baselining is required because short TTLs and changing IP resolutions can be normal for legitimate infrastructure.

Official MITRE ATT&CK definition

Analytic 1333

Use unified logs to identify processes issuing repeated DNS queries where the resolved IP addresses change frequently within very short TTL values. Correlate with outbound network traffic to validate C2-like patterns.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources – Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 7b556906a667c5bc...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 7b556906a667…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1333 (external source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.