AN1585: Analytic 1585
Execution of built-in or AppleScript-based system enumeration via `arp`, `netstat`, `ping`, and discovery of `/etc/hosts` contents.
Analyst context for executives and security teams
This analytic describes a macOS discovery behavior: use of built-in commands or AppleScript to enumerate network and host information with `arp`, `netstat`, `ping`, and reads of `/etc/hosts`. For leaders, the value is not that these tools are inherently malicious, but that they are common, legitimate utilities whose suspicious use can signal early environment mapping during an incident. Coverage depends on whether macOS endpoint and process telemetry can show command execution, parent process context, script usage, and file access patterns.
Executive priority
Prioritize this as a visibility and triage readiness question for macOS estates. Security leaders should ask whether SOC teams can distinguish normal administrative/network troubleshooting from unusual enumeration on user endpoints, especially where macOS devices have access to sensitive networks or cloud/admin workflows. This supports incident decision-making and audit evidence by proving that basic host and network discovery activity is observable, retained, and reviewable.
Technical view
Validate macOS telemetry for execution of `arp`, `netstat`, and `ping`, for AppleScript-driven execution, and for access to `/etc/hosts`. AppleScript typically surfaces in process telemetry as `osascript`, and an AppleScript `do shell script` call spawns `/bin/sh`, which then executes the enumeration utility; the discovery command itself may therefore appear two levels below `osascript` in the process tree, so ancestry, not just the immediate parent, matters. Because no ATT&CK detection logic or tactic mapping is supplied, detection engineering should treat this as a behavior component rather than a standalone high-confidence alert. Useful context includes parent process, user identity, command line, process ancestry, execution frequency, destination targets, and whether activity appears scripted or interactive. Tuning should account for legitimate IT troubleshooting, network diagnostics, VPN support, and developer activity.
Likely telemetry
- macOS process execution events including command line arguments
- Process parent-child relationships and process ancestry
- AppleScript or script interpreter execution telemetry where available
- File access or read telemetry for `/etc/hosts` where collected
- User/session context for the executing account
Detection direction
- Confirm that endpoint logging captures the relevant macOS utilities and their command lines, not just process names.
- Correlate enumeration commands with suspicious parent processes, script execution, unusual users, or repeated discovery patterns.
- Tune out expected administrative troubleshooting while preserving visibility into scripted or non-interactive execution.
- Use `/etc/hosts` access as supporting context rather than a standalone alert unless local baselines make it unusual.
- Review gaps caused by sparse macOS endpoint coverage, missing command-line capture, or limited AppleScript visibility.
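The correlation described in the technical view and the detection direction above, as an added example that is not part of the ATT&CK object or Glexia's own detection content: the event schema (`ts`, `user`, `cmdline`, `ancestry`, `tty`, `file_reads`) is hypothetical, the sample events are constructed, and the severity thresholds are illustrative. It tags each process-execution event by discovery utility and `/etc/hosts` access, marks execution as scripted when `osascript` or another interpreter appears anywhere in the ancestry, clusters a user's discovery events in a time window, and raises a finding only when the activity is scripted or spans several distinct techniques; a bare `/etc/hosts` read is kept as context, and an administrator typing one or two commands in Terminal stays quiet.

```python
"""Correlate macOS discovery telemetry (arp/netstat/ping, /etc/hosts reads)
with process ancestry and interactivity. Added example with a hypothetical
event schema and constructed sample events; not MITRE or vendor content."""
import os
from collections import defaultdict

# Built-in utilities named by AN1585, matched on argv[0] basename so that
# /usr/sbin/arp and /sbin/ping both match.
DISCOVERY_BINARIES = {"arp", "netstat", "ping"}
HOSTS_FILE = "/etc/hosts"
# Ancestors that mark execution as scripted rather than typed by a person.
# osascript runs AppleScript; its "do shell script" spawns /bin/sh first.
SCRIPT_ANCESTORS = {"osascript", "python3", "perl", "ruby", "curl"}


def exe_name(cmdline):
    """Basename of argv[0], e.g. '/usr/sbin/arp -a' -> 'arp'."""
    parts = cmdline.split()
    return os.path.basename(parts[0]) if parts else ""


def classify(event):
    """Tag one execution event; empty set means not discovery related."""
    tags = set()
    exe = exe_name(event["cmdline"])
    if exe in DISCOVERY_BINARIES:
        tags.add("discovery:" + exe)
    # /etc/hosts shows up as a file-read event or as a command-line argument.
    if HOSTS_FILE in event.get("file_reads", []) or HOSTS_FILE in event["cmdline"]:
        tags.add("hosts_file_read")
    if not tags:
        return tags
    if SCRIPT_ANCESTORS & set(event.get("ancestry", [])):
        tags.add("scripted")
    if not event.get("tty", False):
        tags.add("non_interactive")
    return tags


def cluster_by_window(hits, window):
    """Split time-ordered (event, tags) pairs into clusters <= window seconds."""
    clusters, current = [], []
    for item in hits:
        if current and item[0]["ts"] - current[0][0]["ts"] > window:
            clusters.append(current)
            current = []
        current.append(item)
    if current:
        clusters.append(current)
    return clusters


def evaluate_cluster(user, cluster, min_distinct):
    """Hosts read alone is context; scripted execution or several distinct
    techniques raise a finding; both together are high severity."""
    techniques = {t for _, tags in cluster for t in tags
                  if t.startswith("discovery:") or t == "hosts_file_read"}
    if not (techniques - {"hosts_file_read"}):
        return None  # no enumeration command, only a hosts read
    scripted = any("scripted" in tags for _, tags in cluster)
    broad = len(techniques) >= min_distinct
    if scripted and broad:
        severity = "high"
    elif scripted or broad:
        severity = "medium"
    else:
        return None  # e.g. an admin typing a couple of commands in Terminal
    return {"user": user, "start_ts": cluster[0][0]["ts"],
            "techniques": sorted(techniques), "scripted": scripted,
            "ancestry": cluster[0][0].get("ancestry", []), "severity": severity}


def correlate(events, window=120, min_distinct=3):
    """Return findings for every per-user time-window cluster meeting the rules."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tags = classify(ev)
        if tags:
            per_user[ev["user"]].append((ev, tags))
    findings = []
    for user, hits in per_user.items():
        for cluster in cluster_by_window(hits, window):
            finding = evaluate_cluster(user, cluster, min_distinct)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample telemetry. `ancestry` lists ancestors nearest first.
SAMPLE_EVENTS = [
    # AppleScript "do shell script" chain: osascript -> sh -> utility
    {"ts": 1001, "user": "jdoe", "cmdline": "/usr/sbin/arp -a",
     "ancestry": ["sh", "osascript", "launchd"], "tty": False},
    {"ts": 1004, "user": "jdoe", "cmdline": "/usr/sbin/netstat -an",
     "ancestry": ["sh", "osascript", "launchd"], "tty": False},
    {"ts": 1007, "user": "jdoe", "cmdline": "/sbin/ping -c 1 10.0.0.1",
     "ancestry": ["sh", "osascript", "launchd"], "tty": False},
    {"ts": 1009, "user": "jdoe", "cmdline": "/bin/cat /etc/hosts",
     "ancestry": ["sh", "osascript", "launchd"], "tty": False,
     "file_reads": ["/etc/hosts"]},
    # Admin checking VPN reachability from Terminal: expected, stays quiet
    {"ts": 3600, "user": "admin", "cmdline": "/sbin/ping -c 3 vpn.corp.example",
     "ancestry": ["zsh", "Terminal"], "tty": True},
    {"ts": 3700, "user": "admin", "cmdline": "/usr/sbin/netstat -rn",
     "ancestry": ["zsh", "Terminal"], "tty": True},
    # Build job reading /etc/hosts under a Python wrapper: context only
    {"ts": 5000, "user": "svc_build", "cmdline": "/bin/cat /etc/hosts",
     "ancestry": ["bash", "python3", "launchd"], "tty": False,
     "file_reads": ["/etc/hosts"]},
]


def run_sample():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f["severity"], f["user"], f["techniques"], f["ancestry"])
```

Only the `jdoe` cluster produces a finding: four distinct techniques within a few seconds, all under `osascript`. The `window` and `min_distinct` parameters are the tuning knobs the page's baseline guidance refers to; raising `min_distinct` or shortening `window` suppresses more administrative troubleshooting at the cost of missing slower, scripted enumeration, so the values should come from local baselines rather than from this example.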
Mitigation priorities
- Establish and verify macOS endpoint monitoring coverage for process execution, command line, scripting activity, and relevant file access.
- Define baselines for legitimate network troubleshooting and administrative use on macOS systems.
- Limit administrative privileges and scripting permissions where business operations allow.
- Ensure SOC playbooks include triage questions for discovery behavior: who ran it, from what parent process, against which targets, and whether it is expected for that role or device.
- Retain telemetry long enough to support incident response timelines and compliance evidence.
Analyst notes and limits
The supplied object is a detection analytic for macOS system and network enumeration using built-in tools or AppleScript. ATT&CK provides no official detection text, no tactics, and no relationship context for this object, so the take focuses on defensive validation and telemetry readiness rather than asserting maliciousness.
This assessment is limited to the supplied STIX fields and external reference. It does not establish active exploitation, actor attribution, impact, prevalence, or guaranteed detection. Local baselines, endpoint logging configuration, and business context are required to determine alert severity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9bb95b69e59a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1585 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.