Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1368: Analytic 1368

Electron/GUI or headless RAT execution followed by LaunchAgent/Daemon persistence and persistent external connections; interactive children (osascript/sh/curl) spawned by parent.

EnterpriseAN1368AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it describes a macOS pattern where a remote-access style application, including Electron/GUI or headless software, is followed by persistence through LaunchAgents or LaunchDaemons and ongoing outbound connections. For leaders, the decision value is not attribution; it is whether the organization can prove it sees suspicious macOS persistence, parent-child process behavior, and persistent external connectivity before an incident depends on those gaps.

Executive priority

Prioritize this as a macOS endpoint and SOC readiness validation item. It can inform business continuity and incident response planning by testing whether teams can identify unauthorized persistence and remote-control behavior on macOS systems. It also supports audit and compliance evidence by showing whether endpoint telemetry, network monitoring, and triage workflows cover macOS—not only Windows. Because ATT&CK provides no official detection text or relationship context here, leadership should treat this as a coverage-checking analytic rather than a confirmed threat campaign indicator.

Technical view

Validate visibility on macOS for three linked behaviors: execution of Electron/GUI or headless remote-access style processes, creation or modification of LaunchAgent/LaunchDaemon persistence, and persistent outbound connections. SOC teams should also examine process ancestry where interactive children such as osascript, sh, or curl are spawned by the suspected parent process. Since tactics are not specified and no official detection logic is provided, detection engineering should build environment-specific baselines and correlate process, persistence, and network evidence rather than alerting on any single command or child process in isolation.

Likely telemetry

  • macOS endpoint process creation events with parent-child relationships
  • LaunchAgent and LaunchDaemon file creation, modification, or load events
  • Command-line and executable path metadata for osascript, sh, curl, and parent applications
  • Outbound network connection records from macOS endpoints
  • Endpoint inventory showing authorized Electron, GUI, headless, and remote-access applications

Detection direction

  • Correlate suspicious parent processes with subsequent LaunchAgent or LaunchDaemon persistence and recurring external connections.
  • Tune around legitimate macOS administration, developer tooling, software updaters, and approved remote-support tools to reduce false positives.
  • Review parent-child chains where osascript, sh, or curl are spawned by unusual GUI, Electron, or headless processes.
  • Confirm that macOS telemetry includes persistence locations and process ancestry; many SOC blind spots come from collecting network data without endpoint context, or endpoint data without LaunchAgent/Daemon visibility.
  • Use local allowlists for approved remote-access and Electron-based applications, but review exceptions regularly because broad allowlisting can hide material behavior.

Mitigation priorities

  • Inventory and govern approved macOS remote-access, Electron-based, GUI, and headless applications.
  • Harden macOS endpoint monitoring to capture process ancestry, persistence changes, and outbound connection context.
  • Restrict or review unauthorized persistence through LaunchAgents and LaunchDaemons according to organizational policy.
  • Ensure incident response playbooks include macOS persistence triage and external connection review.
  • Use this analytic as a validation scenario for managed detection, detection engineering, and compliance evidence around macOS coverage.
Analyst notes and limits

The object is a detection analytic for macOS only. It describes a behavioral sequence rather than a complete detection rule: RAT-like execution, LaunchAgent/Daemon persistence, persistent external connections, and interactive child processes. No tactics, relationships, aliases, or official detection logic were supplied, so local baselining and telemetry validation are essential.

This take is limited to the supplied ATT&CK fields and external reference. It does not establish active exploitation, adversary attribution, prevalence, impact, or guaranteed detection. The official detection field is not provided, and no relationship context was supplied.

Official MITRE ATT&CK definition

Analytic 1368

Electron/GUI or headless RAT execution followed by LaunchAgent/Daemon persistence and persistent external connections; interactive children (osascript/sh/curl) spawned by parent.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
3e770578207e235f...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 3e770578207e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1368
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use