MITRE ATT&CK® Analytic

AN0084: Analytic 0084

Virtual instances or workloads generating sustained outbound data rates, often to TOR, VPN, or proxy endpoints. Often coincides with unusual IAM usage or deployed scripts (e.g., cron jobs using proxy clients).

Enterprise | AN0084 | Analytic object | v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because sustained outbound data movement from cloud workloads can be an early decision point for possible data loss, misuse of compute resources, or compromised automation in IaaS environments. For leaders, the value is not just spotting high traffic volume; it is confirming whether cloud, identity, and SOC teams can quickly explain why an instance is sending large amounts of data, especially when traffic goes to TOR, VPN, or proxy endpoints and coincides with unusual IAM activity or deployed scripts.

Executive priority

Prioritize this as a cloud security and incident response readiness question: can the organization identify which workload is generating sustained outbound traffic, who or what identity changed it, whether the destination is expected, and whether the activity is business-approved? This supports operational resilience, data protection reviews, audit evidence for cloud monitoring, and faster containment decisions when abnormal IaaS behavior appears.

Technical view

For SOC and detection teams, validate monitoring around IaaS instances or workloads with sustained outbound data rates, particularly outbound flows to known TOR, VPN, or proxy infrastructure where such enrichment is available. Correlate network egress patterns with IAM activity and workload-level changes such as newly deployed scripts or scheduled jobs, including cron-based proxy clients where visible. Because ATT&CK provides no official detection logic or tactic mapping for this analytic, implementation should be environment-specific and baseline-driven.

Likely telemetry

  • Cloud network flow logs or equivalent IaaS egress telemetry
  • Outbound bandwidth and data transfer metrics per instance or workload
  • Destination reputation or categorization data for TOR, VPN, and proxy endpoints
  • Cloud IAM activity logs showing unusual use, role changes, or credential activity
  • Instance or workload process, script, and scheduled job telemetry where available

Detection direction

  • Baseline normal outbound data rates by workload, role, environment, and business function before alerting on sustained volume alone.
  • Correlate high outbound data rates with destination context, especially TOR, VPN, or proxy endpoints, to reduce noise and prioritize review.
  • Tune for legitimate high-egress workloads such as backups, replication, content delivery, analytics exports, or approved proxy use.
  • Add correlation with unusual IAM usage and recent workload changes because the official description notes these often coincide with the network behavior.
  • Validate visibility gaps: many environments collect cloud flow logs but lack host-level evidence for scripts, cron jobs, or proxy clients.
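The correlation described in the technical view and detection direction above, as an added example that is not part of the ATT&CK object or Glexia's tooling: per-instance outbound bytes from constructed flow records are checked against a per-role baseline for a sustained run, then enriched with a constructed stand-in for a TOR/VPN/proxy feed and with IAM events in the same window, so a legitimate high-egress backup stays quiet while an over-baseline web instance with a proxy destination and an IAM change ranks highest. All instance IDs, addresses, baselines and events are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: (instance_id, role, dst_ip, bytes_out, minute_bucket)
FLOWS = [
    ("i-web01", "web", "203.0.113.10", 120_000_000, 0),
    ("i-web01", "web", "203.0.113.10", 130_000_000, 1),
    ("i-web01", "web", "203.0.113.10", 125_000_000, 2),
    ("i-backup01", "backup", "198.51.100.5", 900_000_000, 0),
    ("i-backup01", "backup", "198.51.100.5", 950_000_000, 1),
    ("i-backup01", "backup", "198.51.100.5", 910_000_000, 2),
]
# Constructed per-role baseline: normal outbound bytes per minute (p95 or similar)
BASELINE_BPM = {"web": 5_000_000, "backup": 1_000_000_000}
# Constructed stand-in for a TOR/VPN/proxy destination feed (RFC 5737 test range)
PROXY_NETS = [ip_network("203.0.113.0/24")]
# Constructed IAM events in the same window: (instance_id, event_name)
IAM_EVENTS = [("i-web01", "AttachRolePolicy")]

def sustained_egress(flows, baseline, min_run=3):
    """{instance: total_bytes} for instances over their role baseline in >= min_run consecutive buckets."""
    per, roles = defaultdict(dict), {}
    for inst, role, _dst, nbytes, t in flows:
        per[inst][t] = per[inst].get(t, 0) + nbytes
        roles[inst] = role
    hits = {}
    for inst, buckets in per.items():
        run, best, prev = 0, 0, None
        for t in sorted(buckets):
            over = buckets[t] > baseline[roles[inst]]
            # extend the run only when this bucket is over baseline and adjacent to the last
            run = (run + 1 if over and prev == t - 1 else 1) if over else 0
            best, prev = max(best, run), t
        if best >= min_run:
            hits[inst] = sum(buckets.values())
    return hits

def is_proxy_dst(ip):
    return any(ip_address(ip) in net for net in PROXY_NETS)

def score(flows, iam_events, baseline=BASELINE_BPM):
    """Attach destination and IAM context to each sustained-egress hit; priority = number of reasons."""
    findings = {}
    for inst, total in sustained_egress(flows, baseline).items():
        reasons = ["sustained_egress_over_baseline"]
        if any(is_proxy_dst(d) for i, _, d, _, _ in flows if i == inst):
            reasons.append("proxy_or_tor_destination")
        if any(i == inst for i, _ in iam_events):
            reasons.append("iam_change_same_window")
        findings[inst] = {"bytes": total, "reasons": reasons, "priority": len(reasons)}
    return findings
```

In production the baseline would come from historical flow data per workload and the enrichment from a maintained feed; the run length and bucket size are the tuning knobs for "sustained".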

Mitigation priorities

  • Establish IaaS egress monitoring and workload-level baselines before relying on alerts for sustained outbound data rates.
  • Review and restrict unnecessary outbound paths from cloud workloads using standard cloud network controls and approved egress patterns.
  • Strengthen IAM review around workloads that can deploy scripts, schedule jobs, or alter network behavior.
  • Ensure incident response runbooks can quickly map an alerting instance to owner, application, data sensitivity, IAM activity, and recent deployment changes.
  • Maintain evidence for cloud monitoring and IAM review processes to support compliance and post-incident decision-making.

Analyst notes and limits

This is a detection analytic object, not a technique description. The supplied ATT&CK fields identify the platform as IaaS and describe sustained outbound data rates, often to TOR, VPN, or proxy endpoints, with possible correlation to unusual IAM usage or deployed scripts. No tactic, relationship context, or official detection logic was supplied, so this take focuses on validation questions and telemetry coverage rather than a specific rule.

Coverage depends on local cloud logging, destination enrichment, workload telemetry, and baselining. The supplied object does not provide detection syntax, thresholds, affected services, relationships, adversary use, or impact claims. High outbound traffic can be legitimate, so environment context is required before escalation or containment.

Official MITRE ATT&CK definition

Analytic 0084

Virtual instances or workloads generating sustained outbound data rates, often to TOR, VPN, or proxy endpoints. Often coincides with unusual IAM usage or deployed scripts (e.g., cron jobs using proxy clients).


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: bfc0d4871745497f...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | bfc0d4871745…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0084

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.