AN1415: Analytic 1415
Detects abnormal encrypted network connections (via TLS/HTTPS) initiated by non-browser binaries, particularly after sensitive file access or compression events.
Analyst context for executives and security teams
This analytic matters because encrypted outbound traffic from non-browser macOS binaries can hide data movement or command-and-control-like activity from casual inspection. Its business value is not that TLS/HTTPS is suspicious by itself, but that encrypted connections become higher priority when they occur shortly after sensitive file access or compression events.
Executive priority
Security leaders should treat this as a validation point for macOS visibility and data-loss readiness: can the organization connect endpoint file activity, archive/compression behavior, process identity, and outbound network destinations quickly enough to support an incident decision? The priority is ensuring SOC and IR teams can distinguish normal application traffic from unusual non-browser encrypted connections involving sensitive data workflows.
Technical view
For macOS, validate whether detections can correlate non-browser process network activity over TLS/HTTPS with recent access to sensitive files or compression events. Because no official detection logic or tactic mapping is supplied, teams should avoid broad alerts on all encrypted non-browser traffic and instead tune around process reputation, parent process, file paths, timing, destination patterns, and whether the initiating binary is expected to make external HTTPS connections.
Likely telemetry
- macOS endpoint process execution telemetry
- Process-to-network connection telemetry, including destination, port, protocol, and initiating binary
- TLS/HTTPS connection metadata where available
- File access events for sensitive locations or document types
- File compression or archive creation events
Detection direction
- Confirm that macOS telemetry preserves the initiating process for outbound TLS/HTTPS connections, not just host-level network events.
- Correlate encrypted outbound connections from non-browser binaries with recent sensitive file access or compression activity.
- Baseline expected non-browser applications that legitimately use HTTPS to reduce false positives.
- Review blind spots where TLS inspection, endpoint network attribution, file access auditing, or compression-event logging is absent.
- Prioritize unusual binaries, unexpected locations, rare destinations, or activity clustered shortly after sensitive file handling.
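As an added example (not code from MITRE ATT&CK or from Glexia), the following Python rule implements the correlation direction above over constructed macOS-style telemetry: a TLS connect from a binary outside the local HTTPS baseline is alerted only when it follows sensitive file access or archive creation on the same host within a ten-minute window. The event schema, baseline set, sensitive-path rules, archive tool list and window length are assumptions to be tuned locally.

```python
from datetime import datetime, timedelta

# Assumed local baseline: browsers and system binaries expected to use HTTPS.
EXPECTED_HTTPS = {"Safari", "Google Chrome", "firefox", "nsurlsessiond", "softwareupdated"}
SENSITIVE_PATHS = ("/Users/", "/Volumes/")             # assumed sensitive roots
SENSITIVE_EXTS = (".pdf", ".docx", ".xlsx", ".key", ".pem")
ARCHIVE_TOOLS = {"zip", "tar", "ditto", "hdiutil"}     # assumed compression binaries
TLS_PORTS = {443, 8443}
WINDOW = timedelta(minutes=10)

def is_precursor(ev):
    """Sensitive file access or archive creation: the events that raise priority."""
    if ev["type"] == "file_access":
        return ev["path"].startswith(SENSITIVE_PATHS) and ev["path"].endswith(SENSITIVE_EXTS)
    return ev["type"] == "process_exec" and ev["proc"] in ARCHIVE_TOOLS

def is_nonbrowser_tls(ev):
    """Outbound connect on a TLS port from a binary not in the HTTPS baseline."""
    return (ev["type"] == "net_connect" and ev["port"] in TLS_PORTS
            and ev["proc"] not in EXPECTED_HTTPS)

def correlate(events, window=WINDOW):
    """Alert on non-baselined TLS connects that follow a precursor on the same host
    within `window`; each alert lists the precursors it followed for triage."""
    alerts, recent = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if is_precursor(ev):
            recent.append((ts, ev))
        elif is_nonbrowser_tls(ev):
            hits = [p for t, p in recent
                    if p["host"] == ev["host"] and timedelta(0) <= ts - t <= window]
            if hits:
                alerts.append({"proc": ev["proc"], "dest": f'{ev["dest"]}:{ev["port"]}',
                               "precursors": [f'{p["proc"]}:{p.get("path", p.get("args", ""))}'
                                              for p in hits]})
    return alerts

# Constructed sample telemetry (not real data): one host, a short sequence.
SAMPLE = [
    {"ts": "2026-03-01T10:00:00", "host": "mac-01", "type": "file_access", "proc": "Preview", "path": "/Users/alice/Documents/board-deck.pdf"},
    {"ts": "2026-03-01T10:01:00", "host": "mac-01", "type": "process_exec", "proc": "zip", "args": "-r /tmp/d.zip /Users/alice/Documents"},
    {"ts": "2026-03-01T10:02:30", "host": "mac-01", "type": "net_connect", "proc": "curl", "dest": "203.0.113.5", "port": 443},
    {"ts": "2026-03-01T10:03:00", "host": "mac-01", "type": "net_connect", "proc": "Safari", "dest": "198.51.100.7", "port": 443},
    {"ts": "2026-03-01T10:03:10", "host": "mac-01", "type": "net_connect", "proc": "curl", "dest": "203.0.113.5", "port": 80},
    {"ts": "2026-03-01T10:30:00", "host": "mac-01", "type": "net_connect", "proc": "python3", "dest": "203.0.113.9", "port": 443},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)  # only the curl:443 connect at 10:02:30 should appear
```

Only the curl connection fires: Safari is baselined, the port 80 connect is not TLS, and the python3 connect at 10:30 falls outside the window of the last precursor.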
Mitigation priorities
- Improve macOS endpoint visibility for process, file, archive, and network events before relying on this analytic operationally.
- Define and maintain an allowlist or baseline of approved non-browser binaries that commonly initiate HTTPS connections.
- Apply least-privilege access to sensitive files so suspicious access events have clearer investigative value.
- Use egress controls, proxy policy, or network monitoring to make unusual outbound encrypted traffic reviewable.
- Document evidence collection and escalation procedures so this analytic supports incident response and compliance evidence when sensitive data may be involved.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for macOS only. Its useful defensive angle is correlation: encrypted network traffic becomes more meaningful when tied to non-browser processes and preceding sensitive file access or compression. Local baselines are essential because many legitimate macOS services and enterprise tools use HTTPS.
No official detection logic, tactic mapping, related techniques, relationships, or mitigation references were supplied. This take therefore stays at validation and telemetry-planning level and does not assert active exploitation, attribution, impact, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c81404eae338… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1415
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.