AN0076: Analytic 0076
Detects curl, wget, Python requests, or custom HTTP clients communicating over non-standard ports, with repetitive or beacon-like patterns or POST-heavy behavior to rare domains.
Analyst context for executives and security teams
This analytic matters because command-line or scripted HTTP traffic from Linux systems can be a sign that a host is communicating in ways normal business applications do not. The decision value is not simply spotting curl, wget, Python requests, or custom clients; it is validating whether Linux servers and workloads have monitored outbound network behavior, especially when traffic uses non-standard ports, repeats like a beacon, sends frequent POSTs, or targets rare domains.
Executive priority
Prioritize this as an outbound visibility and SOC readiness check for Linux environments. Leaders should ask whether critical Linux servers, cloud workloads, and developer systems have enough network and process telemetry to explain unusual HTTP client activity. This supports incident decision-making, control validation, and compliance evidence around monitoring of external communications, but the supplied ATT&CK object does not specify a tactic, impact, or threat actor context.
Technical view
For SOC and detection teams, validate whether Linux telemetry can correlate process execution for curl, wget, Python-based requests, and custom HTTP clients with network connections to uncommon destinations or non-standard ports. Since no official detection logic is provided, teams should build or tune analytics around repetitive timing, beacon-like connection patterns, POST-heavy behavior, and rare domains, while accounting for legitimate automation, package retrieval, health checks, CI/CD jobs, and monitoring scripts.
Likely telemetry
- Linux process execution telemetry showing command-line HTTP clients or scripts
- Network connection metadata including destination domain, IP, port, protocol, and timing
- HTTP metadata where available, especially method distribution such as POST-heavy behavior
- DNS query logs or passive DNS context to identify rare domains
- Proxy, firewall, or egress gateway logs for outbound connections on non-standard ports
Detection direction
- Confirm that Linux hosts generate process and network telemetry with enough fidelity to link HTTP client activity to destination, port, and timing.
- Baseline legitimate curl, wget, Python requests, automation scripts, CI/CD activity, software update processes, and monitoring tools before alerting on rarity alone.
- Tune for combinations of weak signals: non-standard ports plus repetitive timing, rare domains, or unusually POST-heavy behavior.
- Review egress logging blind spots, especially direct-to-Internet Linux workloads, containers, cloud instances, and systems bypassing proxies.
- Use rarity carefully: rare domains may be legitimate for new services, developer testing, or vendor integrations, so alerts should include asset role and owner context.
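The combination-of-weak-signals approach in the list above, as an added example that is not part of the original analytic or Glexia's page; the client set, fleet-wide domain prevalence counts, the approved-automation baseline and the event records are all constructed assumptions a team would replace with its own telemetry:

```python
# Added example (not Glexia's or MITRE's code). Scores outbound HTTP-client groups on the
# weak signals the analytic names and alerts only on combinations. All data is constructed.
from collections import defaultdict
from statistics import mean, pstdev

HTTP_CLIENTS = {"curl", "wget", "python3"}          # command-line / scripted clients
STANDARD_PORTS = {80, 443}
DOMAIN_HOST_COUNT = {"deb.debian.org": 120, "monitor.corp.example": 85,  # assumed
                     "updates.vendor.example": 3, "cdn-sync.example": 1}  # fleet-wide counts
BASELINE = {("curl", "monitor.corp.example", 443)}  # approved health-check job (assumed)

def score_group(events):
    """Return the weak-signal reasons for one (image, domain, port) group, sorted by ts."""
    image, domain, port = events[0]["image"], events[0]["domain"], events[0]["port"]
    if image not in HTTP_CLIENTS or (image, domain, port) in BASELINE:
        return []
    reasons = []
    if port not in STANDARD_PORTS:
        reasons.append(f"non-standard port {port}")
    if len(events) >= 4:                             # need several samples to judge timing
        gaps = [b["ts"] - a["ts"] for a, b in zip(events, events[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < 0.2:  # low jitter reads as beacon-like
            reasons.append(f"beacon-like interval ~{mean(gaps):.0f}s")
    if sum(e["method"] == "POST" for e in events) / len(events) > 0.7:
        reasons.append("POST-heavy")
    if DOMAIN_HOST_COUNT.get(domain, 0) < 5:         # seen on fewer than 5 hosts
        reasons.append("rare domain")
    return reasons

def analyze(events, min_signals=2):
    """Group events per client/destination; keep groups with >= min_signals reasons."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        groups[(e["image"], e["domain"], e["port"])].append(e)
    hits = {k: score_group(v) for k, v in groups.items()}
    return {k: r for k, r in hits.items() if len(r) >= min_signals}

def ev(ts, image, domain, port, method):
    return {"ts": ts, "image": image, "domain": domain, "port": port, "method": method}

# Constructed telemetry: a ~60s POST beacon to a rare host on 8443, a baselined health
# check, a package fetch, and a vendor integration that shows only one weak signal.
SAMPLE = (
    [ev(t, "curl", "cdn-sync.example", 8443, "POST") for t in (0, 61, 120, 179, 241, 300)]
    + [ev(t, "curl", "monitor.corp.example", 443, "GET") for t in range(0, 150, 30)]
    + [ev(t, "wget", "deb.debian.org", 80, "GET") for t in (5, 9)]
    + [ev(t, "python3", "updates.vendor.example", 443, m)
       for t, m in ((10, "POST"), (400, "GET"), (1300, "POST"))]
)
```

Only the group that stacks several signals is returned with the default threshold; the vendor integration that is merely rare stays below it, and the baselined health check is never scored.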
Mitigation priorities
- Establish or validate outbound egress monitoring for Linux systems, including proxy, firewall, DNS, and network metadata collection.
- Maintain allowlists or expected-behavior baselines for approved automation and service integrations rather than relying only on tool names.
- Restrict unnecessary outbound access from sensitive Linux servers and workloads using network segmentation and egress control where operationally feasible.
- Ensure incident response playbooks include triage steps for unusual scripted HTTP activity, including owner validation and review of related process and network history.
- Use this analytic as a coverage test for managed detection, cloud security, and compliance monitoring evidence rather than as a standalone proof of compromise.
Analyst notes and limits
The object is a detection analytic, AN0076, for Linux. It describes suspicious patterns involving curl, wget, Python requests, or custom HTTP clients over non-standard ports, repetitive or beacon-like activity, POST-heavy behavior, and rare domains. No ATT&CK tactic, relationship context, or official detection implementation is supplied, so local baselining and telemetry validation are essential.
The supplied ATT&CK fields do not provide detection logic, data source requirements, related techniques, procedures, adversary attribution, or evidence of active exploitation. Conclusions should be limited to Linux environments and to the described behavioral pattern.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 86af4a29e07f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0076
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.