AN2032: Analytic 2032
Observation of scripted network requests (e.g., using osascript, curl, or python) that include mismatched or spoofed browser User-Agent strings compared to the typical macOS Safari or Chrome baseline, especially when triggered by non-interactive launch agents, login hooks, or background daemons.
Analyst context for executives and security teams
This analytic is about spotting macOS background or scripted network activity that pretends to be a normal browser by using a mismatched or spoofed User-Agent string. For leaders, the value is not the User-Agent alone; it is whether the organization can distinguish ordinary user browsing from automated network requests launched by scripts, launch agents, login hooks, or daemons.
Executive priority
Prioritize this where macOS endpoints are material to business operations or privileged user workflows. The decision point is whether endpoint and network monitoring can produce credible evidence that non-interactive processes are making web requests under misleading browser identities. This supports SOC readiness, incident triage, and audit evidence that macOS background execution is not a blind spot.
Technical view
Validate coverage on macOS for scripted network requests involving tools or runtimes such as osascript, curl, or python, especially when initiated by non-interactive launch agents, login hooks, or background daemons. Compare observed User-Agent values against the organization’s normal macOS Safari and Chrome baselines. Because no ATT&CK detection logic or tactic mapping is supplied, teams should treat this as a behavioral detection concept requiring local baselining, process ancestry review, and careful tuning.
Likely telemetry
- macOS process execution events, including command line and parent/child process context
- Network connection or HTTP request metadata including User-Agent where available
- Endpoint telemetry for launch agents, login hooks, and background daemons
- Process-to-network correlation showing which executable initiated the request
- Baseline inventory of normal Safari and Chrome User-Agent patterns on managed macOS systems
Detection direction
- Correlate scripted tools or interpreters making outbound web requests with unusual or browser-like User-Agent strings.
- Prioritize events where the initiating process is non-interactive or tied to launch agents, login hooks, or daemons.
- Tune against legitimate administrative scripts, software updaters, management agents, and developer tooling that may use curl or python.
- Avoid treating User-Agent mismatch alone as conclusive; use process ancestry, execution context, and baseline deviation to raise confidence.
- Confirm whether network sensors can see User-Agent values for relevant traffic, as encrypted traffic or proxy architecture may limit visibility.
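The correlation described in the technical view and the detection direction above, as an added worked example (not code from the analytic, MITRE or Glexia): it joins constructed process-execution events to constructed network-request metadata by PID, classifies each User-Agent as Safari-style, Chrome-style or neither, scores requests where a scripted tool (curl, python, osascript) presents a browser identity, raises confidence when the process is non-interactive or tied to a launch item, and suppresses documented automation via an allowlist. Field names, weights, paths, hosts and User-Agent strings are assumptions chosen for illustration.

```python
import re
from os.path import basename

# Constructed sample telemetry for illustration; PIDs, paths, hosts and
# User-Agent strings are made up and are not taken from the analytic.
PROCESS_EVENTS = [
    # curl spawned by launchd from a per-user LaunchAgent, claiming to be Safari
    {"pid": 501, "exe": "/usr/bin/curl", "parent_exe": "/sbin/launchd", "interactive": False,
     "launch_item": "/Users/alice/Library/LaunchAgents/com.example.sync.plist"},
    # curl spawned by an approved management daemon, honest User-Agent
    {"pid": 612, "exe": "/usr/bin/curl", "parent_exe": "/sbin/launchd", "interactive": False,
     "launch_item": "/Library/LaunchDaemons/com.example.mdm.plist"},
    # real Chrome, started by the user
    {"pid": 700, "exe": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
     "parent_exe": "/sbin/launchd", "interactive": True, "launch_item": None},
    # python script run by hand in Terminal, imitating Chrome
    {"pid": 815, "exe": "/usr/bin/python3", "parent_exe": "/bin/zsh", "interactive": True,
     "launch_item": None},
]

SAFARI_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/17.1 Safari/605.1.15")
CHROME_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

NETWORK_EVENTS = [
    {"pid": 501, "dest": "sync.example.invalid", "user_agent": SAFARI_UA},
    {"pid": 612, "dest": "mdm.example.invalid", "user_agent": "curl/8.4.0"},
    {"pid": 700, "dest": "www.example.invalid", "user_agent": CHROME_UA},
    {"pid": 815, "dest": "api.example.invalid", "user_agent": CHROME_UA},
]

# Interpreters and tools the analytic names; browsers are judged on family mismatch only.
SCRIPT_TOOLS = {"curl", "python", "python3", "osascript"}
BROWSER_EXES = {"Safari": "safari", "Google Chrome": "chrome"}
# Documented automation allowed to make scripted web requests (tuning, assumed path).
ALLOWLISTED_LAUNCH_ITEMS = {"/Library/LaunchDaemons/com.example.mdm.plist"}

# Shape of a macOS desktop-browser User-Agent; used to decide "looks like a browser".
MAC_BROWSER_UA = re.compile(r"^Mozilla/5\.0 \(Macintosh;.*\) AppleWebKit/\S+ \(KHTML, like Gecko\) ")


def ua_family(user_agent):
    """Classify a User-Agent as 'chrome', 'safari' or None (not a macOS browser UA)."""
    if not MAC_BROWSER_UA.match(user_agent):
        return None
    if "Chrome/" in user_agent:
        return "chrome"
    if "Version/" in user_agent and "Safari/" in user_agent:
        return "safari"
    return None


def correlate(process_events, network_events, allowlist=ALLOWLISTED_LAUNCH_ITEMS):
    """Join requests to their initiating process and score User-Agent mismatches."""
    by_pid = {p["pid"]: p for p in process_events}
    findings = []
    for net in network_events:
        proc = by_pid.get(net["pid"])
        family = ua_family(net["user_agent"])
        if proc is None or family is None:
            continue  # no process context, or the UA is not presenting as a browser
        if proc["launch_item"] in allowlist:
            continue  # documented automation; tuned out before scoring
        name = basename(proc["exe"])
        reasons, score = [], 0
        if name in SCRIPT_TOOLS:
            reasons.append(f"{name} sent a {family}-style User-Agent")
            score += 50
            if not proc["interactive"]:
                reasons.append(f"non-interactive (parent {proc['parent_exe']})")
                score += 30
            if proc["launch_item"]:
                reasons.append(f"launched via {proc['launch_item']}")
                score += 10
        elif name in BROWSER_EXES and BROWSER_EXES[name] != family:
            # A real browser binary presenting another browser's identity.
            reasons.append(f"{name} sent a {family}-style User-Agent")
            score += 40
        if score:
            findings.append({"pid": net["pid"], "exe": proc["exe"], "dest": net["dest"],
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in correlate(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f["score"], f["exe"], f["dest"], "; ".join(f["reasons"]))
```

On the sample data the launchd-spawned curl scores highest (script tool, non-interactive, launch item), the hand-run python script is surfaced at a lower score, the honest `curl/8.4.0` request never enters scoring, and the real Chrome process matches its own family and produces nothing. The weights are placeholders; in practice they come from local baselining, and the allowlist is where the documented automation from the mitigation list is recorded.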
Mitigation priorities
- Establish a managed macOS baseline for approved background services, launch agents, login hooks, scripting tools, and expected network behavior.
- Restrict or monitor unauthorized persistence mechanisms and non-interactive script execution where operationally feasible.
- Improve endpoint-to-network telemetry correlation so SOC and IR teams can identify the process responsible for suspicious requests.
- Document legitimate automation that uses scripted web requests to reduce false positives and support compliance evidence.
- Review macOS fleet management controls and logging retention so investigations can reconstruct process ancestry and request context.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for macOS only. It describes a behavioral signal but does not provide formal detection logic, tactics, relationships, or procedure examples. The most defensible use is as a validation prompt for macOS endpoint and network telemetry coverage rather than as a standalone alert definition.
No official detection text, relationship context, tactic mapping, attribution, or exploitation claim was supplied. Effectiveness depends on local baselines, visibility into User-Agent metadata, and the ability to correlate network activity back to macOS processes and background execution mechanisms.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f02dcefd710e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN2032
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.