MITRE ATT&CK® Analytic

AN1391: Analytic 1391

Detects symmetric key-based encryption operations (e.g., AES via Python, AppleScript, or OpenSSL) followed by unusual outbound connections from non-browser applications or scripted tools.

Domain: Enterprise | ID: AN1391 | Type: Analytic | Object version: 1.0 | Modified:
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because it links two signals that can be business-relevant on macOS endpoints: local symmetric encryption activity and unusual outbound network connections from tools that are not normally user-facing browsers. For leaders, the value is not that either behavior is automatically malicious, but that the combination can indicate activity worth rapid triage when protecting sensitive data, incident response timelines, and endpoint visibility.

Executive priority

Prioritize this as a coverage-validation item for macOS environments where sensitive data handling, developer tooling, scripting, or regulated workloads exist. Security leaders should ask whether the SOC can see both sides of the behavior: encryption activity from Python, AppleScript, or OpenSSL-like tooling, and outbound connections from non-browser or scripted applications. The key decision value is whether current endpoint and network telemetry can support timely investigation before an incident becomes a data-loss, compliance, or business-continuity issue.

Technical view

AN1391 is a macOS detection analytic for symmetric key-based encryption operations followed by unusual outbound connections from non-browser applications or scripted tools. Because no official detection logic, tactics, or relationships are supplied, teams should treat it as a detection-design prompt rather than a ready rule. Validate whether endpoint telemetry can identify encryption-related process activity involving Python, AppleScript, or OpenSSL and correlate it with network telemetry showing outbound connections from the same process, parent process, user, host, or time window. Tune carefully for legitimate automation, development, backup, administrative scripts, and security tooling.

Likely telemetry

  • macOS endpoint process execution telemetry
  • Command-line or script interpreter telemetry for Python, AppleScript, and OpenSSL-like activity
  • Endpoint network connection telemetry with process attribution
  • Network telemetry showing outbound connections and destination context
  • Parent-child process relationships and user/session context

Detection direction

  • Confirm that macOS telemetry captures both encryption-related execution and outbound network connections with enough process attribution to correlate them.
  • Baseline expected scripted or administrative encryption workflows to reduce false positives from developer, backup, deployment, or security operations.
  • Look for unusual outbound connections from non-browser or scripted tools following encryption activity, rather than alerting on encryption or network access alone.
  • Validate time-window correlation, host/user context, and parent-process context because the official analytic description does not provide a concrete rule.
  • Document blind spots where network events lack process attribution or where script content and command-line visibility are limited.
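The correlation described in the technical view and the detection-direction list, as an added worked example (not part of the MITRE analytic or Glexia's page): encryption-related executions (openssl enc, Python AES libraries, AppleScript driving encryption) are paired with later outbound connections from non-browser processes that share host, user and process lineage within a time window, with a locally tuned baseline suppressing approved automation. All events, hosts, users, addresses and the baseline set are constructed for illustration.

```python
from datetime import datetime, timedelta
import re

# Constructed sample telemetry (not real logs): process executions and
# process-attributed network connections from one macOS host.
PROCESS_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "mac-42", "user": "alice", "pid": 501, "ppid": 400, "image": "openssl",
     "cmdline": "openssl enc -aes-256-cbc -salt -in docs.tar -out docs.enc"},
    {"ts": "2024-05-01T10:00:05", "host": "mac-42", "user": "alice", "pid": 502, "ppid": 400, "image": "python3",
     "cmdline": "python3 -c 'from Crypto.Cipher import AES; ...'"},
    {"ts": "2024-05-01T11:30:00", "host": "mac-42", "user": "backup", "pid": 610, "ppid": 1, "image": "openssl",
     "cmdline": "openssl enc -aes-256-cbc -in nightly.tar -out nightly.enc"},
]
NETWORK_EVENTS = [
    {"ts": "2024-05-01T10:00:40", "host": "mac-42", "user": "alice", "pid": 503, "ppid": 400, "image": "curl", "dest": "203.0.113.10", "dport": 8443},
    {"ts": "2024-05-01T10:01:00", "host": "mac-42", "user": "alice", "pid": 300, "ppid": 1, "image": "Safari", "dest": "203.0.113.20", "dport": 443},
    {"ts": "2024-05-01T11:31:00", "host": "mac-42", "user": "backup", "pid": 611, "ppid": 1, "image": "curl", "dest": "10.0.0.5", "dport": 443},
]

# Command-line markers for the encryption tooling the analytic names.
ENCRYPTION_PATTERNS = [
    re.compile(r"\bopenssl\s+enc\b"),                               # openssl enc -aes-...
    re.compile(r"Crypto\.Cipher|cryptography\.hazmat|\bAES\b"),     # Python AES libraries
    re.compile(r"\bosascript\b.*(encrypt|openssl)", re.IGNORECASE),  # AppleScript driving encryption
]
BROWSERS = {"Safari", "Google Chrome", "firefox"}   # user-facing browsers are out of scope
BASELINE_USERS = {"backup"}                         # approved automation accounts (constructed, tune locally)

def is_encryption(ev):
    return any(p.search(ev["cmdline"]) for p in ENCRYPTION_PATTERNS)

def correlate(proc_events, net_events, window=timedelta(minutes=5)):
    """Pair each non-baselined encryption execution with later outbound connections from a
    non-browser process on the same host and user that shares its pid or parent pid."""
    alerts = []
    for p in proc_events:
        if not is_encryption(p) or p["user"] in BASELINE_USERS:
            continue
        t0 = datetime.fromisoformat(p["ts"])
        for n in net_events:
            t1 = datetime.fromisoformat(n["ts"])
            same_lineage = n["pid"] == p["pid"] or n["ppid"] == p["ppid"]
            if (n["host"] == p["host"] and n["user"] == p["user"] and same_lineage
                    and n["image"] not in BROWSERS and t0 <= t1 <= t0 + window):
                alerts.append({"host": p["host"], "user": p["user"], "enc_pid": p["pid"],
                               "net_image": n["image"], "dest": f"{n['dest']}:{n['dport']}"})
    return alerts
```

Against the sample data this yields two alerts (the openssl and python3 runs under the same parent as the later curl connection); the Safari connection is ignored as browser traffic and the backup account's run is suppressed by the baseline.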

Mitigation priorities

  • Improve macOS endpoint logging and network telemetry before relying on this analytic operationally.
  • Restrict or govern unnecessary scripting and encryption-tool usage where business processes do not require it.
  • Review egress controls and monitoring for non-browser applications and scripted tools.
  • Maintain approved baselines for administrative, development, and automation workflows that legitimately use encryption and outbound connections.
  • Use investigation playbooks that preserve endpoint, process, script, and network evidence when this behavior is observed.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a technique, and has no tactic mapping or relationship context. Its practical value is as a correlation pattern for macOS detection engineering: encryption activity plus unusual outbound communication from non-browser or scripted tooling. Local baselines are essential because legitimate macOS automation and developer workflows may match parts of the behavior.

Official detection logic is not provided, and no relationships, tactics, adversary context, or active exploitation claims are supplied. This take is limited to the official description, macOS platform field, and external reference for AN1391. Actual risk and detection quality depend on local telemetry, baselines, and environment-specific use of scripting and encryption tools.

Official MITRE ATT&CK definition

Analytic 1391

Detects symmetric key-based encryption operations (e.g., AES via Python, AppleScript, or OpenSSL) followed by unusual outbound connections from non-browser applications or scripted tools.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 025f9c3556698858...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 025f9c355669…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1391 (external source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.