AN0080: Analytic 0080
Processes invoking network-intensive child processes or uploading large data volumes, often from non-standard user or system contexts, with evidence of long-duration TCP/UDP sessions to unusual destinations.
Analyst context for executives and security teams
AN0080 is a Windows detection analytic focused on processes that appear to move unusually large amounts of data over long-running TCP or UDP sessions, especially when launched from uncommon user or system contexts. For leaders, the value is not just “large network traffic”; it is a way to test whether the organization can notice suspicious outbound data movement before it becomes a business, legal, or incident-response escalation problem.
Executive priority
Prioritize this analytic as evidence of data-loss and incident-readiness coverage on Windows endpoints. Executives and risk owners should ask whether SOC teams can correlate process lineage, user context, destination reputation or rarity, session duration, and upload volume. This supports practical decisions about monitoring investment, IR triage speed, compliance evidence for data protection controls, and whether high-value systems have sufficient visibility into outbound network behavior.
Technical view
Validate that Windows endpoint and network telemetry can identify processes invoking network-intensive child processes, large upload volumes, non-standard execution contexts, and long-duration TCP/UDP sessions to unusual destinations. Because no tactic or relationship context is supplied, treat this as a behavioral detection pattern rather than a technique-specific rule. SOC teams should tune around known high-volume business applications, backup tools, software distribution systems, collaboration clients, and administrative utilities while preserving visibility into uncommon parent-child process chains and unexpected user or service accounts.
Likely telemetry
- Windows process creation events with parent-child process lineage
- User, service account, and system context associated with process execution
- Endpoint network connection telemetry for TCP and UDP sessions
- Network flow records showing session duration, destination, bytes sent, and bytes received
- Proxy, firewall, or gateway logs showing outbound destinations and upload volume
Detection direction
- Confirm whether the SOC can join process execution data with network volume and session-duration data for Windows systems.
- Baseline expected high-volume upload behavior by host role, user role, process name, and destination to reduce false positives.
- Prioritize alerts where a process spawns a network-intensive child process from an unusual parent, account, path, or system context.
- Review long-duration TCP/UDP sessions to destinations that are rare for the organization, host, or user.
- Tune carefully for legitimate enterprise activity such as backups, synchronization, software updates, remote administration, and collaboration platforms.
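The correlation described in the Detection direction list, as an added worked example that is not MITRE's or Glexia's code: it joins constructed Windows process-creation events with constructed flow records on host and PID, aggregates upload volume and session duration per process/destination pair, and scores each pair on destination rarity, unapproved image, unexpected parent, and service-account context. The event schemas, thresholds, baselines, and the alert threshold of 3 are assumptions for illustration; a real deployment would derive the baselines from its own telemetry. Flows with no matching process event are surfaced as a telemetry gap rather than silently dropped.

```python
"""Correlate process lineage with network flow volume/duration (AN0080 pattern).

Added example; schemas, thresholds and baselines are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# --- Constructed baselines (assumption: built from the organization's own history) ---
APPROVED_UPLOADERS = {"backupagent.exe", "onedrive.exe"}      # known high-volume apps
APPROVED_DESTINATIONS = {"backup.corp.example", "10.0.5.20"}  # approved transfer targets
# Distinct hosts observed talking to each destination in the baseline window.
DESTINATION_HOST_COUNT = {"backup.corp.example": 120, "10.0.5.20": 80, "203.0.113.45": 1}
RARE_DESTINATION_MAX_HOSTS = 5        # seen by <= 5 hosts (or never) counts as rare
SERVICE_CONTEXTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\NETWORK SERVICE"}
EXPECTED_PARENTS = {                   # images with no entry accept any parent
    "backupagent.exe": {"services.exe"},
    "rundll32.exe": {"svchost.exe", "explorer.exe"},
}
MIN_SESSION_SECONDS = 600              # 10-minute sessions count as long-duration
MIN_BYTES_OUT = 100 * 1024 * 1024      # 100 MiB per process/destination pair


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    pid: int
    image: str
    parent_image: str
    user: str


@dataclass(frozen=True)
class FlowRecord:
    host: str
    pid: int
    proto: str
    dst: str
    dport: int
    duration_s: int
    bytes_out: int
    bytes_in: int


# --- Constructed sample telemetry (not real hosts, users or destinations) ---
PROCESS_EVENTS = [
    ProcessEvent("WS01", 1204, "backupagent.exe", "services.exe", "NT AUTHORITY\\SYSTEM"),
    ProcessEvent("WS01", 4412, "rundll32.exe", "winword.exe", "ACME\\jdoe"),
    ProcessEvent("WS02", 5000, "chrome.exe", "explorer.exe", "ACME\\asmith"),
]
FLOWS = [
    FlowRecord("WS01", 1204, "TCP", "backup.corp.example", 443, 3600, 2_000_000_000, 4_000_000),
    FlowRecord("WS01", 4412, "TCP", "203.0.113.45", 443, 1800, 80_000_000, 120_000),
    FlowRecord("WS01", 4412, "TCP", "203.0.113.45", 443, 900, 70_000_000, 90_000),
    FlowRecord("WS02", 5000, "TCP", "10.0.5.20", 443, 120, 5_000_000, 30_000_000),
    FlowRecord("WS03", 9999, "UDP", "198.51.100.7", 4444, 2400, 300_000_000, 10_000),  # no process event
]


def aggregate_flows(flows: List[FlowRecord]) -> Dict[Tuple[str, int, str, str], Tuple[int, int]]:
    """Sum bytes sent and keep the longest session per (host, pid, proto, dst)."""
    agg: Dict[Tuple[str, int, str, str], Tuple[int, int]] = {}
    for f in flows:
        key = (f.host, f.pid, f.proto, f.dst)
        total_out, longest = agg.get(key, (0, 0))
        agg[key] = (total_out + f.bytes_out, max(longest, f.duration_s))
    return agg


def score_candidate(proc: Optional[ProcessEvent], proto: str, dst: str,
                    bytes_out: int, duration_s: int) -> Tuple[int, List[str]]:
    """Score one process/destination pair; 0 means it never crossed the volume/duration gate."""
    if bytes_out < MIN_BYTES_OUT or duration_s < MIN_SESSION_SECONDS:
        return 0, []
    score, reasons = 1, [f"{bytes_out // (1024 * 1024)} MiB out over {duration_s}s via {proto}"]
    if dst not in APPROVED_DESTINATIONS and DESTINATION_HOST_COUNT.get(dst, 0) <= RARE_DESTINATION_MAX_HOSTS:
        score += 2
        reasons.append(f"rare destination {dst}")
    if proc is None:  # flow with no lineage: a visibility gap worth triaging on its own
        score += 1
        reasons.append("no matching process event (telemetry gap)")
        return score, reasons
    if proc.image not in APPROVED_UPLOADERS:
        score += 1
        reasons.append(f"{proc.image} is not an approved high-volume uploader")
    if proc.parent_image not in EXPECTED_PARENTS.get(proc.image, {proc.parent_image}):
        score += 1
        reasons.append(f"unexpected parent {proc.parent_image}")
    if proc.user in SERVICE_CONTEXTS and proc.image not in APPROVED_UPLOADERS:
        score += 1
        reasons.append(f"service context {proc.user}")
    return score, reasons


def correlate(process_events: List[ProcessEvent], flows: List[FlowRecord], alert_threshold: int = 3) -> List[dict]:
    """Join flows to process lineage on (host, pid) and return findings sorted by score."""
    by_pid = {(p.host, p.pid): p for p in process_events}
    findings = []
    for (host, pid, proto, dst), (bytes_out, duration_s) in aggregate_flows(flows).items():
        proc = by_pid.get((host, pid))
        score, reasons = score_candidate(proc, proto, dst, bytes_out, duration_s)
        if score >= alert_threshold:
            findings.append({"host": host, "pid": pid, "dst": dst, "score": score, "reasons": reasons,
                             "image": proc.image if proc else "<unknown>",
                             "user": proc.user if proc else "<unknown>"})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in correlate(PROCESS_EVENTS, FLOWS):
        print(f"[{f['score']}] {f['host']} pid={f['pid']} {f['image']} ({f['user']}) -> {f['dst']}")
        for reason in f["reasons"]:
            print("    -", reason)
```

On the sample data the approved backup agent crosses the volume and duration gate but scores only 1 and is suppressed, the Office-spawned rundll32.exe session to a rare destination scores 5, and the orphaned UDP flow scores 4 with an explicit telemetry-gap reason. Raising `alert_threshold` or adding entries to the baseline sets is the tuning knob the page recommends for backups, synchronization, and software distribution traffic.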
Mitigation priorities
- Ensure critical Windows endpoints produce process and network telemetry with enough retention for incident response.
- Restrict and review non-standard service account and system-context execution where it can initiate external network sessions.
- Apply outbound network controls and egress monitoring for systems handling sensitive or regulated data.
- Maintain approved-destination and approved-application baselines for high-volume data transfer use cases.
- Use incident response playbooks that quickly determine process lineage, user context, destination legitimacy, and whether data movement was authorized.
Analyst notes and limits
This object is an ATT&CK detection analytic, not a technique entry. The supplied description points to suspicious combinations of Windows process behavior, large uploads, unusual execution context, and long-duration network sessions. Its strongest operational use is as a validation target for endpoint-network correlation and data-movement monitoring rather than as a standalone high-confidence alert.
The official object does not provide tactics, an official detection procedure, related techniques, mitigations, groups, software, or campaigns. No active exploitation, attribution, impact, or guaranteed detection coverage can be inferred from the supplied fields. Local baselines are required to distinguish suspicious data movement from normal business transfers.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a10510f6b1dc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0080
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.