AN1485: Analytic 1485
launchd or user-invoked processes (ssh, socat) encapsulating traffic via SSH tunnels, VPN-style tooling, or DNS-over-HTTPS clients. Defender sees outbound TLS traffic with embedded DNS or RDP payloads.
Analyst context for executives and security teams
This analytic points to a macOS visibility problem: ordinary-looking outbound TLS traffic may be carrying tunneled DNS, remote desktop, or other traffic from launchd or user-invoked tools such as ssh or socat. For leaders, the question that matters is whether the organization can distinguish legitimate encrypted egress from traffic that bypasses normal network controls and monitoring.
Executive priority
Prioritize this where macOS endpoints have sensitive access, remote administration is common, or egress control is a compliance expectation. The key business question is not whether encryption is present, but whether SOC and IR teams can prove which macOS processes initiated encrypted outbound connections and whether those flows align with approved administration, VPN, DNS, and remote access patterns.
Technical view
Validate macOS endpoint and network coverage for launchd-started or user-invoked processes generating outbound TLS sessions, especially ssh, socat, VPN-style clients, and DNS-over-HTTPS clients. Because ATT&CK provides no detection logic or tactic mapping for this analytic, teams should treat it as a coverage validation item: correlate process execution, parent process or launchd context, command-line evidence where available, destination metadata, TLS/network flow records, and DNS/DoH indicators. Focus on whether tunneled payloads could evade controls that only inspect ports, domains, or protocol labels.
Likely telemetry
- macOS process execution events
- Process parent/child context, including launchd-started activity
- Command-line or process argument telemetry where collected
- Outbound TLS network flow metadata from macOS endpoints
- Destination IP, domain, port, and connection timing metadata
Detection direction
- Baseline legitimate macOS use of ssh, socat, VPN-style tooling, and DNS-over-HTTPS clients before alerting broadly.
- Correlate outbound TLS sessions with the initiating macOS process rather than relying only on network perimeter observations.
- Look for mismatches between expected application behavior and observed encrypted egress, such as administrative tools contacting unusual destinations or running from unexpected launchd/user contexts.
- Account for false positives from legitimate remote administration, developer workflows, privacy tools, and sanctioned VPN or DoH use.
- Document blind spots where TLS inspection is unavailable, process-to-network correlation is missing, or command-line collection is restricted.
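The correlation the technical view and detection direction describe (process execution joined to its outbound flows, parent/launchd context, command-line evidence, and a destination baseline, with blind spots recorded rather than silently dropped) can be illustrated in code. The block below is an added example written for this page; it is not part of the ATT&CK object or Glexia's analysis. All process and flow events, hostnames, launchd labels, and the approved-egress baseline are constructed; "doh-client" is a placeholder for whichever DNS-over-HTTPS client is sanctioned locally. The OpenSSH options listed as forwarding indicators (-D, -L, -R, -w, -J) are real options; treating them as an alerting reason is an assumption of this example, to be tuned against your own baseline.

```python
"""Correlate macOS process events with outbound flow records to surface tunneling
tools (ssh, socat, a DoH client) that fall outside a documented baseline.
Every event, hostname, label and allowlist below is constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Tools named by the analytic; "doh-client" is a placeholder name, not a real product.
TUNNEL_TOOLS = {"ssh", "socat", "doh-client"}
# Hypothetical baseline of sanctioned (destination, port) pairs per tool.
APPROVED_EGRESS = {
    "ssh": {("bastion.corp.example", 22)},
    "socat": set(),
    "doh-client": {("dns.corp.example", 443)},
}
# Hypothetical allowlist of launchd labels permitted to start these tools.
APPROVED_LAUNCHD_LABELS = {"com.example.doh-client"}
# OpenSSH options that establish port forwards or a jump host (real options).
SSH_FORWARD_FLAGS = {"-D", "-L", "-R", "-w", "-J"}


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    parent_name: str
    image: str
    argv: Optional[list]            # None models an endpoint where command lines are not collected
    launchd_label: Optional[str] = None


@dataclass
class FlowEvent:
    pid: int
    dst_host: str
    dst_port: int


@dataclass
class Finding:
    pid: int
    tool: str
    reasons: list                   # why this process/flow pairing deserves review
    coverage_gaps: list             # blind spots to document, per the detection direction


def tool_name(image: str) -> str:
    return image.rsplit("/", 1)[-1]


def assess(proc: ProcessEvent, flows: list) -> Optional[Finding]:
    """Evaluate one process and the flows attributed to its pid."""
    tool = tool_name(proc.image)
    if tool not in TUNNEL_TOOLS:
        return None
    reasons, gaps = [], []
    # launchd context: started by launchd but not under an approved label
    if proc.parent_name == "launchd" and proc.launchd_label not in APPROVED_LAUNCHD_LABELS:
        reasons.append(f"launchd-started under unapproved label {proc.launchd_label!r}")
    # command-line evidence: forwarding options, or record the blind spot if absent
    if proc.argv is None:
        gaps.append("command line not collected")
    elif tool == "ssh":
        for flag in sorted(SSH_FORWARD_FLAGS & set(proc.argv)):
            reasons.append(f"ssh port-forwarding option {flag}")
    # destination baseline: every flow for this pid must match the approved set
    for f in flows:
        if (f.dst_host, f.dst_port) not in APPROVED_EGRESS[tool]:
            reasons.append(f"unapproved destination {f.dst_host}:{f.dst_port}")
    if not reasons and not gaps:
        return None                 # fully baselined: sanctioned tool, context and destination
    return Finding(proc.pid, tool, reasons, gaps)


def correlate(processes: list, flows: list) -> list:
    """Join flows to processes by pid (the endpoint-side correlation the analytic relies on)."""
    by_pid = {}
    for f in flows:
        by_pid.setdefault(f.pid, []).append(f)
    findings = []
    for p in processes:
        finding = assess(p, by_pid.get(p.pid, []))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry: one interactive ssh with a SOCKS forward, one launchd-started
# socat relay, one benign curl, one sanctioned DoH client, one ssh with no command line collected.
SAMPLE_PROCESSES = [
    ProcessEvent(101, 50, "Terminal", "/usr/bin/ssh", ["ssh", "-D", "1080", "ops@bastion.corp.example"]),
    ProcessEvent(102, 1, "launchd", "/opt/homebrew/bin/socat",
                 ["socat", "TCP-LISTEN:3389", "OPENSSL:203.0.113.10:443"], launchd_label="com.constructed.relay"),
    ProcessEvent(103, 50, "Terminal", "/usr/bin/curl", ["curl", "https://updates.corp.example"]),
    ProcessEvent(104, 1, "launchd", "/usr/local/bin/doh-client",
                 ["doh-client", "--listen", "127.0.0.1:53"], launchd_label="com.example.doh-client"),
    ProcessEvent(105, 50, "Terminal", "/usr/bin/ssh", None),
]
SAMPLE_FLOWS = [
    FlowEvent(101, "bastion.corp.example", 22),
    FlowEvent(102, "203.0.113.10", 443),
    FlowEvent(103, "updates.corp.example", 443),
    FlowEvent(104, "dns.corp.example", 443),
    FlowEvent(105, "198.51.100.7", 22),
]

if __name__ == "__main__":
    for fnd in correlate(SAMPLE_PROCESSES, SAMPLE_FLOWS):
        print(f"pid {fnd.pid} ({fnd.tool}): reasons={fnd.reasons} gaps={fnd.coverage_gaps}")
```

Run over the constructed sample, the sanctioned DoH client (pid 104) and curl (pid 103) produce nothing, the launchd-started socat (pid 102) is flagged on both context and destination, and the ssh without a collected command line (pid 105) is flagged on destination while its missing argv is recorded as a coverage gap rather than treated as benign. Swapping the constructed allowlists for your own approved tool inventory and egress baseline is the tuning step the detection direction calls for.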
Mitigation priorities
- Establish and maintain an approved inventory of macOS remote access, VPN, tunneling, and DNS-over-HTTPS tools.
- Apply egress policy based on business need, with special attention to unmanaged encrypted outbound traffic from endpoints.
- Harden macOS logging and EDR collection to preserve process, parent process, command-line, and network correlation needed for investigation.
- Review launchd persistence and service configuration monitoring where endpoint telemetry supports it.
- Use policy and user guidance to distinguish sanctioned administration and privacy tooling from unapproved tunneling behavior.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for macOS and describes traffic encapsulation through SSH tunnels, VPN-style tooling, or DNS-over-HTTPS clients. No tactics, relationships, or official detection procedure were supplied, so this take emphasizes validation of telemetry and control coverage rather than a specific analytic rule.
This assessment is limited to the supplied STIX fields and external reference. It does not establish threat actor use, active exploitation, impact, prevalence, or guaranteed detectability. Local baselines, approved tool lists, endpoint telemetry quality, and network architecture are required to turn this into production detection.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7c8a4370fc69… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1485 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.