MITRE ATT&CK® Analytic

AN0101: Analytic 0101

Non-interactive system processes making encrypted HTTPS connections to well-known web services followed by high outbound traffic volume or scripted upload patterns.

Domain: Enterprise | ID: AN0101 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic is relevant because it focuses on Linux system processes that normally run without user interaction and should not behave like users or automation clients: the behavior of interest is such a process suddenly making encrypted HTTPS connections to well-known web services and then sending large volumes of outbound data. For leaders, the decision value is whether the organization can distinguish legitimate scripted business uploads from suspicious non-interactive process activity before it becomes an incident-response guessing exercise.

Executive priority

Prioritize validation where Linux servers, service accounts, batch jobs, and automation have internet egress. The business question is not simply whether HTTPS is allowed, but whether teams can explain which non-interactive processes are allowed to upload data to external web services, what volume is normal, and what evidence would support an audit, investigation, or containment decision. This is most important for environments where Linux systems process sensitive data or support business-critical operations.

Technical view

For SOC and detection teams, validate visibility into Linux process context, network destinations, HTTPS connection metadata, and outbound volume over time. Because the official ATT&CK object provides an analytic description but no detection logic, teams should define local baselines for non-interactive system processes, known automation, approved web-service destinations, and expected upload patterns. Detection should focus on combinations of process identity, non-interactive execution context, destination reputation/category, connection timing, and unusually high outbound transfer volume rather than destination alone.

Likely telemetry

  • Linux process creation and parent/child process metadata
  • Process user, service account, and interactive versus non-interactive execution context
  • Network connection logs from Linux hosts
  • Proxy, firewall, or egress gateway logs showing HTTPS destinations
  • Outbound byte counts, session duration, and upload frequency

Detection direction

  • Validate that Linux endpoint and network telemetry can join process identity to outbound HTTPS activity; network-only logs may not identify the responsible system process.
  • Baseline legitimate scripted uploads and service-to-web-service traffic to reduce false positives from backups, monitoring agents, CI/CD jobs, synchronization tools, and business automation.
  • Tune for behavior sequences: non-interactive system process, encrypted connection to a well-known web service, followed by high outbound traffic volume or repeated scripted upload patterns.
  • Review blind spots caused by TLS encryption, shared NAT or proxy egress, missing endpoint telemetry, and insufficient byte-count or session-duration logging.
  • Because no ATT&CK tactic or relationship context is supplied, avoid assuming a specific attack stage; treat alerts as investigation leads requiring local context.
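To make the behavior sequence in the bullets above concrete, the following is an added example in Python (not code from MITRE or from the Glexia library) that joins constructed Linux process records to constructed egress flow records and flags non-interactive processes that make HTTPS connections to categorized well-known web services and then either exceed an outbound-volume threshold or show regularly spaced repeated uploads. The host names (reserved example domains), destination categories, UIDs, thresholds, parent-process list and the allowlist are all assumptions standing in for local baselines; flows whose PID cannot be joined to a process record are returned separately to surface the network-only visibility gap noted above.

```python
"""Added example: process-aware detection of non-interactive HTTPS uploads.

All telemetry below is constructed for illustration; field names mimic what an
EDR/auditd process join and a proxy or egress-gateway flow log would supply.
"""
from collections import defaultdict
from statistics import mean

# Assumed proxy/egress "destination category" lookup for well-known services.
WELL_KNOWN_WEB_SERVICES = {
    "files.example.com": "cloud-storage",
    "share.example.net": "file-sharing",
    "backup.example.org": "cloud-storage",
}
# Assumed parents that indicate scheduled or daemon execution rather than a shell.
AUTOMATION_PARENTS = {"systemd", "cron", "crond", "atd"}
FIRST_LOGIN_UID = 1000  # common first human UID on Linux distributions (assumption)

# Local baseline (assumption): (process name, destination) pairs approved to upload.
ALLOWLIST = {("backup-agent", "backup.example.org")}

# Constructed process records keyed by PID.
PROCESSES = {
    4112: {"comm": "backup-agent", "uid": 0, "tty": None, "parent": "systemd"},
    4190: {"comm": "curl", "uid": 998, "tty": None, "parent": "cron"},
    5301: {"comm": "curl", "uid": 1000, "tty": "pts/0", "parent": "bash"},
    6001: {"comm": "python3", "uid": 33, "tty": None, "parent": "systemd"},
}

# Constructed flow records: (timestamp_s, pid, dst_host, dst_port, bytes_out).
FLOWS = [
    (0, 4112, "backup.example.org", 443, 2_000_000_000),   # approved backup job
    (60, 4190, "files.example.com", 443, 900_000_000),     # cron-launched curl, large upload
    (70, 5301, "files.example.com", 443, 5_000_000),       # interactive user session
    (100, 6001, "share.example.net", 443, 1_000_000),      # daemon, repeated small uploads
    (160, 6001, "share.example.net", 443, 1_100_000),
    (220, 6001, "share.example.net", 443, 1_050_000),
    (280, 6001, "share.example.net", 443, 1_020_000),
    (400, 9999, "share.example.net", 443, 700_000_000),    # no process record (NAT/proxy-only)
]


def is_non_interactive(proc):
    """No controlling TTY and either a system UID or an automation parent."""
    return proc["tty"] is None and (
        proc["uid"] < FIRST_LOGIN_UID or proc["parent"] in AUTOMATION_PARENTS
    )


def is_scripted(timestamps, min_count, max_jitter=0.25):
    """True when at least min_count connections are spaced at near-constant intervals."""
    if len(timestamps) < min_count:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and max(abs(g - avg) for g in gaps) <= max_jitter * avg


def detect(processes, flows, allowlist=ALLOWLIST,
           volume_threshold=500_000_000, min_scripted=3):
    """Return (alerts, unattributed_pids) for the behavior sequence described above."""
    groups = defaultdict(list)
    for ts, pid, host, port, bytes_out in flows:
        # Only encrypted connections to categorized well-known web services qualify.
        if port != 443 or host not in WELL_KNOWN_WEB_SERVICES:
            continue
        groups[(pid, host)].append((ts, bytes_out))

    alerts, unattributed = [], []
    for (pid, host), events in sorted(groups.items()):
        proc = processes.get(pid)
        if proc is None:
            unattributed.append(pid)  # blind spot: cannot name the responsible process
            continue
        if not is_non_interactive(proc) or (proc["comm"], host) in allowlist:
            continue
        total = sum(b for _, b in events)
        reasons = []
        if total >= volume_threshold:
            reasons.append("high_volume")
        if is_scripted([t for t, _ in events], min_scripted):
            reasons.append("scripted_upload")
        if reasons:
            alerts.append({"pid": pid, "comm": proc["comm"], "dst": host,
                           "category": WELL_KNOWN_WEB_SERVICES[host],
                           "bytes_out": total, "reasons": reasons})
    return alerts, unattributed


if __name__ == "__main__":
    found, missing = detect(PROCESSES, FLOWS)
    for alert in found:
        print(alert)
    print("flows with no process context:", missing)
```

On the constructed input this yields two alerts (the cron-launched curl for volume, the daemon for a regular upload cadence), skips the allowlisted backup and the interactive user session, and reports PID 9999 as unattributable, which is the case the first bullet warns about. Thresholds and the jitter tolerance are starting points to tune against the local baseline, not recommended values.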

Mitigation priorities

  • Define and document which Linux services and automation jobs are approved to make outbound HTTPS connections to external web services.
  • Restrict or monitor internet egress from Linux servers based on business need, especially for systems handling sensitive or operationally critical data.
  • Maintain allowlists for approved service accounts, destinations, and scheduled upload patterns, with change-control evidence for exceptions.
  • Ensure SOC runbooks include triage steps for validating process owner, parent process, destination, transfer volume, and business justification.
  • Use incident response readiness exercises to confirm teams can quickly determine whether unusual outbound uploads are authorized or require containment.

Analyst notes and limits

This ATT&CK object is a detection analytic, not a technique, and the supplied fields do not include tactics, relationships, or formal detection logic. The strongest use is as a coverage-validation prompt for Linux egress monitoring and process-aware network detection.

The official detection field is not provided, relationship context is absent, and only Linux is listed as a platform. Local baselines, business-approved automation, and environment-specific telemetry are required before this analytic can be operationalized responsibly.

Official MITRE ATT&CK definition

Analytic 0101

Non-interactive system processes making encrypted HTTPS connections to well-known web services followed by high outbound traffic volume or scripted upload patterns.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not listed)
Modified: (not listed)
Raw hash: 0b2f26d24025c2aa...

Imported snapshots across ATT&CK releases (1)

  Release: 19.1
  Bundle imported: (not listed)
  Object version: 1.0
  Modified: (not listed)
  Status: Current bundle
  Raw hash: 0b2f26d24025…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN0101 (source URL link)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.