MITRE ATT&CK® Analytic

AN0075: Analytic 0075

Detects unexpected or high-volume HTTP/S/WebSocket communication from suspicious processes (e.g., PowerShell, rundll32) using uncommon user agents or mimicking browser traffic to unusual domains or IPs.

Enterprise | AN0075 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN0075 is a Windows detection analytic focused on suspicious outbound web communications from processes that normally deserve scrutiny, such as PowerShell or rundll32. Its business value is in validating whether the SOC can distinguish ordinary web activity from process-driven HTTP/S or WebSocket traffic that uses unusual user agents, imitates browser behavior, or reaches unusual domains and IP addresses. For leaders, this matters because missed outbound command-and-control-like patterns can delay incident recognition and response, while noisy tuning can overwhelm analysts.

Executive priority

Treat this as a coverage validation item for endpoint and network monitoring on Windows systems. Security leaders should ask whether outbound web traffic is tied back to the originating process, whether suspicious administrative or living-off-the-land processes are monitored, and whether the SOC has enough baseline context to identify unusual destinations or user agents without excessive false positives. This analytic can support incident response readiness and compliance evidence by showing that the organization reviews suspicious external communications rather than relying only on perimeter allow/block decisions.

Technical view

The supplied analytic applies to Windows and looks for unexpected or high-volume HTTP/S/WebSocket communication from suspicious processes, including examples such as PowerShell and rundll32. Detection teams should validate whether telemetry connects network connections to process name, command context where available, user agent, destination domain or IP, protocol, volume, and frequency. Because no ATT&CK tactic, relationship context, or official detection logic is supplied, implementation should be environment-specific and based on baselining normal process-to-network behavior.

Likely telemetry

  • Windows endpoint process execution telemetry
  • Endpoint network connection telemetry with process attribution
  • Proxy, secure web gateway, or firewall logs showing HTTP/S and WebSocket destinations
  • HTTP user-agent fields where available
  • DNS query and resolution logs for destination context

Detection direction

  • Validate that Windows network telemetry preserves the initiating process, not just source host and destination.
  • Tune for suspicious processes generating HTTP/S or WebSocket traffic, including the examples supplied: PowerShell and rundll32.
  • Baseline common browser and enterprise application user agents so uncommon or browser-mimicking user agents from non-browser processes can be reviewed.
  • Prioritize unusual domains or IPs, especially where destination rarity and high connection volume occur together.
  • Account for false positives from legitimate administration, software deployment, monitoring, or automation that may use PowerShell or similar processes.
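The following is an added worked example, not part of the MITRE object or Glexia's analysis, showing how the detection direction above can be implemented as a triage routine over process-attributed network events. It assumes endpoint telemetry that already records the initiating process, destination, protocol and HTTP user agent, and it uses constructed log lines, constructed baselines (allowed user agents and destinations), a constructed volume threshold, and a constructed suspicious-process list built from the two examples the analytic names (PowerShell and rundll32). All of these are assumptions that an environment would replace with its own baselines.

```python
"""Process-attributed outbound web traffic review (added example).

Toy implementation of the AN0075 detection direction: join endpoint
network-connection events (with process attribution) against local
baselines, and flag suspicious processes whose HTTP/S or WebSocket
traffic uses an uncommon or browser-mimicking user agent, reaches a
rare destination, or is unusually high-volume.

Everything here is constructed for illustration: the log lines, the
baselines, the thresholds and the process list are assumptions, not
MITRE or Glexia data.
"""
from collections import defaultdict
from dataclasses import dataclass
import json

# Assumed local baselines; a real deployment derives these from history.
SUSPICIOUS_PROCESSES = {"powershell.exe", "pwsh.exe", "rundll32.exe"}  # none are browsers
BASELINE_USER_AGENTS = {
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",  # constructed browser UA
    "Microsoft-CryptoAPI/10.0",                                 # constructed OS component UA
    "WindowsPowerShell/5.1",                                    # constructed scripting UA
}
BASELINE_DESTINATIONS = {"update.example-corp.internal", "proxy.example-corp.internal"}
HIGH_VOLUME_THRESHOLD = 20  # connections per (process, destination) in the review window
WEB_PROTOCOLS = {"http", "https", "websocket"}


@dataclass
class Finding:
    process: str
    destination: str
    reasons: tuple
    count: int


def parse_events(raw_lines):
    """Parse one JSON event per line; lines that are not JSON are skipped."""
    events = []
    for line in raw_lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def review_web_traffic(events):
    """Return findings for suspicious processes with anomalous web traffic.

    Findings are ordered by number of reasons, then by connection count, so
    destination rarity combined with high volume sorts to the top.
    """
    groups = defaultdict(list)
    for ev in events:
        if ev.get("protocol") not in WEB_PROTOCOLS:
            continue
        proc = ev.get("process", "").lower()
        if proc not in SUSPICIOUS_PROCESSES:
            continue  # browsers and other processes are outside this analytic
        groups[(proc, ev.get("dest", ""))].append(ev)

    findings = []
    for (proc, dest), evs in groups.items():
        reasons = []
        agents = {ev.get("user_agent", "") for ev in evs}
        if any(ua not in BASELINE_USER_AGENTS for ua in agents):
            reasons.append("uncommon_user_agent")
        # A browser-style UA from a scripting or system utility is mimicry,
        # even when that UA string is itself common in the environment.
        if any(ua.startswith("Mozilla/") for ua in agents):
            reasons.append("browser_mimicking_user_agent")
        if dest not in BASELINE_DESTINATIONS:
            reasons.append("rare_destination")
        if len(evs) >= HIGH_VOLUME_THRESHOLD:
            reasons.append("high_volume")
        if reasons:
            findings.append(Finding(proc, dest, tuple(reasons), len(evs)))
    findings.sort(key=lambda f: (len(f.reasons), f.count), reverse=True)
    return findings


# Constructed sample telemetry: one JSON event per line.
SAMPLE_LOG = "\n".join(
    # Legitimate automation: PowerShell to the internal update server with its normal UA.
    ['{"process": "powershell.exe", "dest": "update.example-corp.internal", '
     '"protocol": "https", "user_agent": "WindowsPowerShell/5.1"}'] * 3
    # PowerShell presenting a browser UA to a rare destination, 25 times.
    + ['{"process": "powershell.exe", "dest": "cdn-assets.example-rare.test", '
       '"protocol": "https", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}'] * 25
    # rundll32 opening a WebSocket with an uncommon UA, low volume.
    + ['{"process": "rundll32.exe", "dest": "ws.example-rare.test", '
       '"protocol": "websocket", "user_agent": "curl/8.0"}'] * 2
    # Ordinary browser traffic, out of scope for this analytic.
    + ['{"process": "chrome.exe", "dest": "news.example.test", '
       '"protocol": "https", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}'] * 10
    + ["not json"]
)

if __name__ == "__main__":
    for f in review_web_traffic(parse_events(SAMPLE_LOG.splitlines())):
        print(f"{f.process} -> {f.destination}: {', '.join(f.reasons)} ({f.count} connections)")
```

On the constructed input the routine reports the PowerShell-to-rare-destination group first (browser-mimicking user agent, rare destination, high volume) and the rundll32 WebSocket group second (uncommon user agent, rare destination); the PowerShell traffic to the baselined internal update server with its normal user agent produces no finding, which is the false-positive case the last bullet above calls out.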

Mitigation priorities

  • Ensure endpoint and network logging are configured to correlate outbound web traffic with the originating Windows process.
  • Define an approved baseline for administrative scripting, automation, and software tools that legitimately make web connections.
  • Restrict or monitor high-risk script and system utility usage according to business need and change-control expectations.
  • Use egress controls, DNS/proxy policy, and destination reputation or allowlisting where appropriate to reduce unnecessary outbound exposure.
  • Document detection assumptions, known exceptions, and review cadence so the control can support audit and incident response evidence.

Analyst notes and limits

This object is a detection analytic, not a technique or procedure. The key decision point is whether the organization can observe process-attributed web traffic and compare it against normal behavior. The analytic is most useful when endpoint, proxy, DNS, and firewall data can be joined during triage.

The official object does not provide detection logic, ATT&CK tactics, relationships, aliases, or procedure examples. The summary is therefore limited to the supplied description, Windows platform scope, and external reference. Local baselines are required to determine what is unexpected, high-volume, uncommon, or unusual in a specific environment.

Official MITRE ATT&CK definition

Analytic 0075

Detects unexpected or high-volume HTTP/S/WebSocket communication from suspicious processes (e.g., PowerShell, rundll32) using uncommon user agents or mimicking browser traffic to unusual domains or IPs.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d697ad07cf12f627...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | d697ad07cf12…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0075 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.