AN1378: Analytic 1378
Outbound fallback traffic from low-profile or background launch agents using unusual protocols or destinations after primary channel inactivity.
Analyst context for executives and security teams
This analytic points to a macOS monitoring concern: quiet background launch agents may switch to fallback outbound communication when a primary channel goes inactive, using unusual protocols or destinations. For leaders, the value is not in assuming malware, but in asking whether the organization can see and investigate abnormal outbound behavior from persistent macOS background components before it becomes an incident-response blind spot.
Executive priority
Prioritize this where macOS endpoints are important to business operations, privileged user workflows, or regulated data access. The decision question is whether SOC and incident response teams have enough endpoint and network evidence to distinguish normal background agent traffic from suspicious fallback communications. This supports resilience planning, audit evidence for endpoint monitoring, and control prioritization around egress visibility and macOS persistence review.
Technical view
Validate coverage on macOS for outbound network activity initiated by low-profile or background launch agents, especially after a period of primary channel inactivity and when the protocol or destination is unusual for that agent. Because no official detection logic or ATT&CK tactic mapping is supplied, teams should treat this as a detection design prompt: correlate macOS launch agent inventory and process context with network telemetry, destination reputation or novelty, protocol rarity, and timing relative to expected communications.
Likely telemetry
- macOS launch agent and background service inventory
- Endpoint process execution and parent/child process context
- Process-to-network connection telemetry
- DNS queries and resolved destinations
- Proxy, firewall, or network egress logs
Detection direction
- Baseline expected outbound behavior for approved macOS launch agents before alerting on rarity alone.
- Correlate network events with the responsible launch agent or background process, not just the host IP.
- Tune for unusual destination, unusual protocol, or unexpected timing after inactivity to reduce generic network-noise false positives.
- Review blind spots where macOS endpoints bypass proxy logging, lack endpoint network telemetry, or use privacy controls that limit process attribution.
- Use allowlists carefully; approved launch agents can still produce suspicious outbound patterns if configuration or behavior changes.
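The baseline-then-deviation approach described in the detection direction above, as an added example that is not part of the ATT&CK analytic or of Glexia's page. It assumes process-to-network telemetry has already been joined to a launch agent label (for example by an EDR sensor) and arrives as simple records; the field names, the agent labels, the inactivity factor and the sample events are all constructed for illustration. Novelty alone (a new destination or protocol) yields a low-severity alert; novelty that follows a gap well beyond the agent's usual check-in interval, or traffic from an agent missing from the baseline inventory, yields a high-severity one.

```python
"""Baseline-and-deviation check for macOS launch agent outbound traffic.

Added example, not the analytic's official logic. Assumes each event has
already been attributed to a launch agent label by endpoint telemetry.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed cut-off: events before this form the baseline, later ones are checked.
BASELINE_END = "2024-05-01T10:00:00"

# Constructed sample telemetry (agent labels, hosts and times are made up).
SAMPLE_EVENTS = [
    # Baseline window: the updater agent checks in over HTTPS every 5 minutes.
    {"ts": "2024-05-01T09:00:00", "agent": "com.example.updater", "proto": "tcp/443", "dest": "updates.example.com"},
    {"ts": "2024-05-01T09:05:00", "agent": "com.example.updater", "proto": "tcp/443", "dest": "updates.example.com"},
    {"ts": "2024-05-01T09:10:00", "agent": "com.example.updater", "proto": "tcp/443", "dest": "updates.example.com"},
    {"ts": "2024-05-01T09:15:00", "agent": "com.example.updater", "proto": "tcp/443", "dest": "updates.example.com"},
    # Detection window.
    {"ts": "2024-05-01T10:05:00", "agent": "com.example.updater", "proto": "tcp/443", "dest": "updates.example.com"},  # normal channel resumes
    {"ts": "2024-05-01T10:10:00", "agent": "com.example.updater", "proto": "tcp/443", "dest": "cdn.example.com"},      # new host, no inactivity
    {"ts": "2024-05-01T10:20:00", "agent": "com.acme.helper", "proto": "tcp/8443", "dest": "198.51.100.23"},          # agent not in baseline
    {"ts": "2024-05-01T11:40:00", "agent": "com.example.updater", "proto": "udp/53", "dest": "7a1b.example-dyn.net"},  # new proto + host after 90 min quiet
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def build_baseline(events, baseline_end):
    """Per-agent profile: seen protocols, seen destinations, median check-in gap, last seen."""
    cutoff = _parse(baseline_end)
    per_agent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if _parse(ev["ts"]) < cutoff:
            per_agent[ev["agent"]].append(ev)
    baseline = {}
    for agent, evs in per_agent.items():
        times = [_parse(e["ts"]) for e in evs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        baseline[agent] = {
            "protos": {e["proto"] for e in evs},
            "dests": {e["dest"] for e in evs},
            "median_gap": median(gaps) if gaps else None,  # None when one event only
            "last_seen": times[-1],
        }
    return baseline


def detect(events, baseline, baseline_end, inactivity_factor=3.0):
    """Flag post-baseline events whose protocol/destination is new for the agent.

    Severity is raised to high when the event follows a silence longer than
    inactivity_factor times the agent's median baseline interval, or when the
    agent has no baseline profile at all (not in the approved inventory).
    """
    cutoff = _parse(baseline_end)
    last_seen = {agent: prof["last_seen"] for agent, prof in baseline.items()}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = _parse(ev["ts"])
        if ts < cutoff:
            continue
        agent = ev["agent"]
        profile = baseline.get(agent)
        if profile is None:
            alerts.append({"ts": ev["ts"], "agent": agent, "proto": ev["proto"], "dest": ev["dest"],
                           "severity": "high", "reasons": ["unbaselined_agent"]})
            last_seen[agent] = ts
            continue
        reasons = []
        if ev["proto"] not in profile["protos"]:
            reasons.append("new_protocol")
        if ev["dest"] not in profile["dests"]:
            reasons.append("new_destination")
        gap = (ts - last_seen[agent]).total_seconds()
        inactive = profile["median_gap"] is not None and gap > inactivity_factor * profile["median_gap"]
        if reasons:  # rarity is required; inactivity only raises severity
            if inactive:
                reasons.append("after_inactivity")
            alerts.append({"ts": ev["ts"], "agent": agent, "proto": ev["proto"], "dest": ev["dest"],
                           "severity": "high" if inactive else "low", "reasons": reasons})
        last_seen[agent] = ts
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, build_baseline(SAMPLE_EVENTS, BASELINE_END), BASELINE_END):
        print(alert)
```

Running the sample produces three alerts: the new destination at 10:10 is low severity because the agent was not silent beforehand; the unbaselined helper agent at 10:20 is high severity; and the DNS-protocol contact to an unseen host at 11:40, after 90 minutes of silence against a 5-minute baseline interval, is high severity with all three reasons. The 10:05 event, which resumes the normal channel after a gap, is deliberately not alerted, since inactivity alone is not what the analytic describes.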
Mitigation priorities
- Maintain an accurate inventory of authorized macOS launch agents and background components.
- Ensure macOS endpoint telemetry can attribute outbound connections to processes or launch agents.
- Apply network egress monitoring and policy appropriate to business need, with attention to unusual protocols and destinations.
- Document normal communications for business-critical macOS agents to support SOC triage and compliance evidence.
- Include suspicious launch agent network behavior in incident response playbooks and endpoint containment decision criteria.
Analyst notes and limits
This is an ATT&CK detection analytic object, not a technique or intrusion report. The supplied object provides a concise behavioral description, macOS as the platform, and no relationship context, tactic mapping, or official detection logic. The strongest use is as a coverage-validation prompt for macOS endpoint and egress monitoring.
No official detection text, relationships, tactics, adversary use, impact statement, or implementation details were supplied. Local baselines, approved launch agent inventory, and available endpoint/network telemetry are required before determining alert logic, severity, or coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4a7ce9b57929… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1378
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.