AN0081: Analytic 0081
User-initiated processes generating sustained outbound traffic over common or non-standard ports, often outside business hours, potentially linked to scanning or proxyjacking. Includes curl, wget, masscan, or proxy clients.
Analyst context for executives and security teams
This analytic highlights a Linux behavior pattern where a user-started process produces sustained outbound network traffic over common or non-standard ports. For leaders, the practical concern is not the specific tool name alone, but whether Linux hosts can be used for unauthorized scanning, tunneling, proxy activity, or other high-volume outbound activity without being noticed, especially outside normal business hours.
Executive priority
Prioritize this as an egress visibility and Linux monitoring readiness question. Executives and security leaders should ask whether SOC teams can distinguish approved administrative downloads or automation from unusual sustained outbound traffic by user-run tools such as curl, wget, masscan, or proxy clients. This matters for incident triage, acceptable-use enforcement, cloud/Linux server governance, and evidence that outbound activity is monitored rather than assumed to be benign.
Technical view
For Linux environments, validate that detections can correlate process execution, initiating user, command context, destination patterns, port usage, traffic duration, and time of day. Because the ATT&CK object does not provide a formal detection specification or tactics, teams should treat this as a behavior-based analytic concept: user-initiated processes generating sustained outbound traffic on common or non-standard ports, with attention to business-hours context and known administrative exceptions.
Likely telemetry
- Linux process execution telemetry, including process name, command line, parent process, user, and host
- Outbound network connection logs from Linux hosts
- Firewall, proxy, or egress gateway logs showing destination, port, bytes, duration, and timestamp
- Endpoint network telemetry linking outbound connections to initiating processes where available
- Asset and user context to distinguish servers, workstations, service accounts, and approved administrative activity
Detection direction
- Validate that Linux telemetry can link outbound traffic to the initiating user and process, not only to an IP address.
- Tune for sustained outbound volume or duration rather than single connections, since curl and wget are common in legitimate administrative use and a single short download is rarely worth an alert on its own.
- Create allowlists or baselines for approved automation, package management, backups, monitoring, and administrative scripts to reduce false positives.
- Review activity outside business hours as a risk signal, but do not rely on time alone because scheduled jobs may be legitimate.
- Pay attention to both common ports and non-standard ports, since the object explicitly includes both.
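The correlation described under Technical view and the tuning points in Detection direction, as an added worked example that is not MITRE's detection logic and not part of the original page. It joins constructed Linux process-execution records to constructed outbound-connection records by host and PID, aggregates per process (total connection time, bytes out, destination fan-out, port set), applies an allowlist for approved automation, and only then weighs non-standard ports and business-hours context. Thresholds, the business-hours window, allowlist entries, host and user names, the "proxy-agent" command and every log record are hypothetical; connections with no matching process record are counted separately because they cannot be tied to a user or command.

```python
"""Added triage example for AN0081 over constructed Linux telemetry; not MITRE's detection logic.
Thresholds, allowlist entries, names and sample records are hypothetical."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta

BUSINESS_HOURS = (time(8, 0), time(18, 0))  # local business window (assumption)
SUSTAINED_SECONDS = 600                      # total outbound connection time per process
SUSTAINED_BYTES = 50_000_000                 # total bytes sent per process
FANOUT_DESTINATIONS = 50                     # distinct destination IPs per process
COMMON_PORTS = {22, 53, 80, 443}
# Approved baselines as (user regex, command-line regex): hypothetical entries.
ALLOWLIST = [(r"^root$", r"^(apt-get|apt|yum|dnf)\b"), (r"^backup$", r"^rsync\b")]

@dataclass
class ProcessProfile:
    host: str
    pid: int
    user: str
    comm: str
    cmdline: str
    started: datetime
    seconds: float = 0.0
    bytes_out: int = 0
    destinations: set[str] = field(default_factory=set)
    ports: set[int] = field(default_factory=set)

def _scan_burst(host, pid, start, n):
    """Constructed: n short connections to distinct hosts, the shape a port scanner produces."""
    base = datetime.fromisoformat(start)
    rows = []
    for i in range(n):
        t0 = base + timedelta(milliseconds=50 * i)
        rows.append((host, pid, f"10.0.{i // 256}.{i % 256}", (80, 443, 8080)[i % 3], 60,
                     t0.isoformat(), (t0 + timedelta(milliseconds=40)).isoformat()))
    return rows

# Constructed process telemetry: (host, pid, user, comm, cmdline, start time)
PROCESS_EVENTS = [
    ("web01", 4101, "alice", "curl", "curl -fsSL https://repo.example/install.sh", "2024-03-04T10:02:11"),
    ("web01", 4102, "bob", "masscan", "masscan -p80,443,8080 10.0.0.0/16 --rate 2000", "2024-03-04T23:41:05"),
    ("web01", 4103, "root", "apt-get", "apt-get -y upgrade", "2024-03-04T03:00:01"),
    ("web01", 4104, "carol", "proxy-agent", "./proxy-agent --share-bandwidth", "2024-03-05T01:12:44"),
]
# Constructed connection telemetry: (host, pid, dst_ip, dst_port, bytes_out, start, end)
CONNECTION_EVENTS = [
    ("web01", 4101, "203.0.113.10", 443, 2_100_000, "2024-03-04T10:02:11", "2024-03-04T10:02:19"),
    ("web01", 4103, "203.0.113.20", 443, 125_000_000, "2024-03-04T03:00:02", "2024-03-04T03:07:02"),
    ("web01", 4104, "198.51.100.7", 9100, 800_000_000, "2024-03-05T01:12:44", "2024-03-05T04:12:44"),
    ("web01", 9999, "198.51.100.9", 443, 4_000, "2024-03-05T02:00:00", "2024-03-05T02:00:01"),  # no process record
] + _scan_burst("web01", 4102, "2024-03-04T23:41:06", 300)

def build_profiles(process_events, connection_events):
    """Join connections to processes by (host, pid); return profiles and the unattributed count."""
    profiles = {(h, p): ProcessProfile(h, p, u, c, cl, datetime.fromisoformat(t))
                for h, p, u, c, cl, t in process_events}
    unattributed = 0
    for host, pid, dst, port, nbytes, start, end in connection_events:
        prof = profiles.get((host, pid))
        if prof is None:            # visible only as an IP: cannot be tied to a user or command
            unattributed += 1
            continue
        prof.seconds += (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds()
        prof.bytes_out += nbytes
        prof.destinations.add(dst)
        prof.ports.add(port)
    return profiles, unattributed

def is_off_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)

def is_allowlisted(prof):
    return any(re.search(u, prof.user) and re.search(c, prof.cmdline) for u, c in ALLOWLIST)

def score_profile(prof):
    """Return a finding dict when the process is sustained, else None."""
    reasons = []
    if prof.seconds >= SUSTAINED_SECONDS:
        reasons.append(f"sustained: {prof.seconds:.0f}s of outbound connection time")
    if prof.bytes_out >= SUSTAINED_BYTES:
        reasons.append(f"sustained: {prof.bytes_out} bytes out")
    if len(prof.destinations) >= FANOUT_DESTINATIONS:
        reasons.append(f"fan-out: {len(prof.destinations)} distinct destinations")
    if not reasons:                 # short, single connections never fire on their own
        return None
    if prof.ports - COMMON_PORTS:   # port is a modifier, not a trigger: the object covers both kinds
        reasons.append(f"non-standard ports: {sorted(prof.ports - COMMON_PORTS)}")
    if is_off_hours(prof.started):  # likewise time of day: a signal, never the sole reason
        reasons.append("started outside business hours")
    return {"host": prof.host, "user": prof.user, "comm": prof.comm, "cmdline": prof.cmdline,
            "severity": "high" if len(reasons) >= 3 else "medium", "reasons": reasons}

def triage(process_events, connection_events):
    """Score every non-allowlisted process; return (findings sorted by severity, unattributed count)."""
    profiles, unattributed = build_profiles(process_events, connection_events)
    findings = [f for p in profiles.values() if not is_allowlisted(p) and (f := score_profile(p))]
    findings.sort(key=lambda f: (f["severity"] != "high", -len(f["reasons"]), f["user"]))
    return findings, unattributed
```

Calling `triage(PROCESS_EVENTS, CONNECTION_EVENTS)` on the constructed data returns two high-severity findings, the proxy client (one long-lived, high-volume connection on port 9100, started at 01:12) and the masscan run (300 destinations, port 8080, started at 23:41), plus a count of one connection that had no process record. The curl download is never scored because it is short and single, and the apt-get run is suppressed by the root/package-manager allowlist even though it moved 125 MB at 03:00; that unattributed count is the telemetry gap the first Detection direction bullet warns about.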
Mitigation priorities
- Establish and enforce Linux egress monitoring requirements for systems that can initiate outbound internet traffic.
- Restrict unnecessary outbound access from Linux hosts based on business need and role.
- Maintain approved-use baselines for administrative tools and scheduled jobs that commonly generate outbound traffic.
- Ensure SOC playbooks include triage steps for user, process, destination, port, duration, and business-hours context.
- Review account and host ownership so unusual outbound activity can be quickly mapped to responsible teams during incident response.
Analyst notes and limits
This is a detection analytic object, not a technique object, and no tactic mapping or relationship context was supplied. The most useful defensive value is validating whether Linux process and egress telemetry can support behavior-based triage for sustained outbound traffic by user-run processes.
Official detection logic was not provided, and no related techniques, campaigns, threat groups, or mitigations were supplied. Local baselines are required to separate legitimate automation, software retrieval, and administration from suspicious sustained outbound activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 24c2383f9225… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0081 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.