MITRE ATT&CK® Analytic

AN0100: Analytic 0100

Suspicious processes initiating encrypted HTTPS connections to common web service domains, followed by abnormal data upload behavior or automated posting behavior indicative of C2 bidirectional traffic.

Enterprise | AN0100 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it focuses on a common business blind spot: Windows processes using encrypted HTTPS to communicate with ordinary web service domains while also showing unusual upload or automated posting behavior. For executives and security leaders, the risk is not simply “HTTPS traffic”; it is that command-and-control-like activity can blend into approved web traffic and trusted-looking destinations, making incident scope, data exposure assessment, and SOC confidence harder without strong endpoint and network evidence.

Executive priority

Prioritize this as a validation point for managed detection, incident response readiness, and audit evidence around outbound traffic monitoring. Leaders should ask whether the organization can distinguish normal business use of common web services from suspicious Windows process behavior, especially when traffic is encrypted. The decision value is in confirming whether SOC teams have enough process, network, and data-transfer context to investigate abnormal uploads or automated posting without relying on domain reputation alone.

Technical view

For Windows environments, validate whether detection engineering can correlate process activity with encrypted HTTPS connections to common web service domains and follow-on upload or automated posting patterns. Because the official detection field is not provided and no tactics or relationships are supplied, teams should treat this as an analytic concept requiring local baselining: which processes normally talk to which web services, what upload volumes or posting frequencies are expected, and which parent-child process patterns are unusual. IR teams should ensure investigations can pivot from network events back to process identity, host context, user context, and transfer behavior.

Likely telemetry

  • Windows process creation and process lineage telemetry
  • Endpoint network connection telemetry showing process-to-destination mappings
  • Proxy, secure web gateway, firewall, or DNS logs for HTTPS destinations and common web service domains
  • TLS/HTTPS metadata where available, such as destination, SNI, timing, and volume indicators
  • Upload volume, request frequency, or automated posting behavior from web/proxy logs

Detection direction

  • Validate correlation between Windows process identity and outbound HTTPS destinations; domain-only alerting is likely too noisy and may miss process-level context.
  • Baseline normal use of common web service domains by business applications before treating uploads or posts as suspicious.
  • Tune for abnormal data upload volume, unusual posting frequency, unexpected processes, rare parent-child process chains, or new host-to-service patterns.
  • Account for encrypted traffic blind spots: content inspection may be unavailable, so metadata, process telemetry, and behavioral baselines become important.
  • Document false-positive sources such as legitimate collaboration tools, backup/sync clients, software updaters, browsers, and automation scripts.
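The correlation and tuning points above can be exercised end to end on sample telemetry. The following is an added example, not code from the page, Glexia, or MITRE: it joins process-creation events to outbound HTTPS/proxy events on (host, pid), then scores each process/destination pair against a per-process baseline for the behaviours the analytic names (unexpected process-to-service pairs, rare parent-child chains, abnormal upload volume, regular automated posting). Every event, domain, baseline value, threshold and field name is constructed for illustration; the event layout is only loosely modelled on Sysmon-style process and network telemetry and should be mapped to whatever the local EDR and proxy actually emit.

```python
from collections import defaultdict
from statistics import median

# Constructed process-creation events (assumed field layout): host, pid, image, parent, user.
PROCESS_EVENTS = [
    {"host": "WS01", "pid": 4100, "image": "teams.exe", "parent": "explorer.exe", "user": "alice"},
    {"host": "WS01", "pid": 4212, "image": "onedrive.exe", "parent": "explorer.exe", "user": "alice"},
    {"host": "WS01", "pid": 5300, "image": "updater.exe", "parent": "winword.exe", "user": "alice"},
]

# Constructed outbound HTTPS events: destination SNI, method, bytes uploaded, timestamp (s).
# In practice these come from EDR network-connection events joined to proxy/SWG logs.
NETWORK_EVENTS = [
    {"host": "WS01", "pid": 4100, "dest": "teams.example.com", "method": "POST", "bytes_out": 15_000, "ts": 10},
    {"host": "WS01", "pid": 4212, "dest": "sync.example.com", "method": "PUT", "bytes_out": 3_000_000, "ts": 40},
    # pid with no process-creation record: a telemetry gap to investigate, not a verdict
    {"host": "WS01", "pid": 9999, "dest": "sync.example.com", "method": "GET", "bytes_out": 500, "ts": 90},
    # updater.exe posting every 60 s, then one large upload slightly off cadence
    *[{"host": "WS01", "pid": 5300, "dest": "paste.example.com", "method": "POST",
       "bytes_out": 2_000, "ts": 60 * i} for i in range(12)],
    {"host": "WS01", "pid": 5300, "dest": "paste.example.com", "method": "POST", "bytes_out": 40_000_000, "ts": 800},
]

# Constructed baseline per (image, destination); in a real deployment these are
# learned from prior weeks of the organisation's own telemetry.
BASELINE = {
    ("teams.exe", "teams.example.com"): {"parents": {"explorer.exe"}, "mean_bytes": 20_000, "req_per_hour": 120},
    ("onedrive.exe", "sync.example.com"): {"parents": {"explorer.exe"}, "mean_bytes": 5_000_000, "req_per_hour": 30},
}
UPLOAD_METHODS = {"POST", "PUT"}
ABSOLUTE_UPLOAD_CAP = 25_000_000  # constructed ceiling for a single request, applied even without a baseline


def enrich(process_events, network_events):
    """Attach process identity (image, parent, user) to each network event by (host, pid)."""
    procs = {(p["host"], p["pid"]): p for p in process_events}
    out = []
    for n in network_events:
        p = procs.get((n["host"], n["pid"]))
        out.append({**n, "image": p["image"] if p else None,
                    "parent": p["parent"] if p else None, "user": p["user"] if p else None})
    return out


def regular_cadence(timestamps, min_posts=5, tolerance=0.1, share=0.8):
    """True when most gaps between posts sit within `tolerance` of the median gap (beacon-like)."""
    if len(timestamps) < min_posts:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    if med <= 0:
        return False
    steady = sum(abs(g - med) <= tolerance * med for g in gaps)
    return steady / len(gaps) >= share


def score(enriched, baseline, window=3600, volume_factor=5.0, rate_factor=2.0):
    """Group by (host, image, dest) and return findings listing every reason that fired."""
    groups = defaultdict(list)
    for e in enriched:
        groups[(e["host"], e["image"], e["dest"])].append(e)
    findings = []
    for (host, image, dest), evs in groups.items():
        reasons = []
        uploads = [e for e in evs if e["method"] in UPLOAD_METHODS]
        peak = max(e["bytes_out"] for e in evs)
        span = max(e["ts"] for e in evs) - min(e["ts"] for e in evs)
        rate_per_hour = len(uploads) * 3600 / max(span, window)
        if image is None:
            reasons.append("connection could not be tied to a process (telemetry gap)")
        else:
            base = baseline.get((image, dest))
            if base is None:
                reasons.append("process/destination pair not in baseline")
            else:
                odd_parents = {e["parent"] for e in evs} - base["parents"]
                if odd_parents:
                    reasons.append(f"rare parent-child chain: {sorted(odd_parents)}")
                if peak > volume_factor * base["mean_bytes"]:
                    reasons.append(f"upload {peak} B exceeds {volume_factor}x baseline mean")
                if rate_per_hour > rate_factor * base["req_per_hour"]:
                    reasons.append(f"posting rate {rate_per_hour:.0f}/h exceeds {rate_factor}x baseline")
        if peak > ABSOLUTE_UPLOAD_CAP:
            reasons.append(f"single upload {peak} B exceeds absolute cap")
        if regular_cadence([e["ts"] for e in uploads]):
            reasons.append("regular automated posting cadence")
        if reasons:
            findings.append({"host": host, "image": image, "dest": dest,
                             "parent": next((e["parent"] for e in evs if e["parent"]), None),
                             "user": next((e["user"] for e in evs if e["user"]), None),
                             "reasons": reasons})
    return findings


def run():
    return score(enrich(PROCESS_EVENTS, NETWORK_EVENTS), BASELINE)


if __name__ == "__main__":
    for f in run():
        print(f"{f['host']} {f['image']} (parent {f['parent']}, user {f['user']}) -> {f['dest']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run as a script it prints two findings: the connection with no process record (surfaced as a telemetry gap rather than a detection) and the updater.exe group (unbaselined pair, oversized upload, beacon-like posting), while the baselined teams.exe and onedrive.exe traffic stays silent. The cadence check uses the share of gaps near the median rather than a standard deviation so that one late post, as in the sample, does not hide an otherwise regular schedule; the absolute upload cap exists so that volume still gets flagged for pairs the baseline has never seen.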

Mitigation priorities

  • Ensure Windows endpoint telemetry captures process creation, parent-child relationships, and network connections.
  • Centralize proxy, DNS, firewall, and endpoint logs so SOC teams can join process, host, user, destination, and upload behavior.
  • Define allowlisted business processes and expected web service usage patterns, then review exceptions rather than blocking common services broadly.
  • Use incident response playbooks that preserve endpoint and network evidence for suspected encrypted C2-like traffic.
  • Review outbound access controls and egress monitoring for unmanaged or unusual processes while avoiding disruption to legitimate web services.

Analyst notes and limits

The supplied object is a detection analytic, AN0100, for Windows. It describes suspicious processes initiating encrypted HTTPS connections to common web service domains followed by abnormal upload or automated posting behavior indicative of bidirectional C2 traffic. There are no supplied relationships, tactics, aliases, labels, or official detection logic, so this take emphasizes validation, telemetry readiness, and conservative detection engineering rather than a specific ATT&CK technique mapping.

This assessment is limited to the supplied official STIX fields, external reference, and lack of relationship context. It does not establish active exploitation, actor use, specific malware behavior, guaranteed detection, or applicability beyond Windows. Local baselines and environment-specific telemetry are required to determine materiality and alert quality.

Official MITRE ATT&CK definition

Analytic 0100

Suspicious processes initiating encrypted HTTPS connections to common web service domains, followed by abnormal data upload behavior or automated posting behavior indicative of C2 bidirectional traffic.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

  • ATT&CK release: 19.1
  • Object version: 1.0
  • Created:
  • Modified:
  • Raw hash: 060020cb54c1cf15...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 060020cb54c1…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0100 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.