AN0144: Analytic 0144
Detects excessive outbound traffic to remote host over HTTP(S) from uncommon or previously unseen processes.
Analyst context for executives and security teams
This analytic is about spotting Windows processes that generate unusually high outbound HTTP or HTTPS traffic to a remote host, especially when the process is uncommon or has not been seen before. For leaders, the value is not the rule name itself; it is a check on whether the organization can notice suspicious data movement or unexpected external communications before they become an incident-response surprise.
Executive priority
Prioritize this as a resilience and SOC-readiness validation item. It helps answer whether Windows endpoint and network monitoring can identify unusual outbound web traffic from unfamiliar processes, which may be material to incident triage, data-loss investigation, and audit evidence around monitoring. Because ATT&CK provides no tactic mapping, relationship context, or official detection logic for this analytic, it should be treated as a coverage design prompt rather than proof of detection capability.
Technical view
Validate whether the SOC can correlate Windows process identity with outbound HTTP(S) volume and destination context. The analytic depends on knowing what processes are common in the environment, what is previously unseen, and what traffic volume is excessive. Detection engineering should define baselines by host role, user population, process path/name/signing context where available, destination, and time window. IR teams should ensure alerts preserve enough context to determine whether the traffic came from an approved application, updater, browser component, script interpreter, or an unexpected executable.
Likely telemetry
- Windows endpoint process execution metadata
- Process-to-network connection telemetry
- Outbound HTTP and HTTPS network flow records
- Destination host, domain, IP, port, and byte-count telemetry
- Historical baselines of process prevalence and normal outbound traffic volume
Detection direction
- Validate that endpoint and network telemetry can be joined by host, process, user, time, and destination.
- Tune thresholds for 'excessive' outbound traffic by business function and host role to reduce false positives from browsers, collaboration tools, software update clients, backup agents, and approved data-transfer applications.
- Maintain process prevalence baselines so 'uncommon' or 'previously unseen' is measured against the local environment, not a generic allowlist alone.
- Review blind spots where HTTPS inspection is unavailable, process attribution is missing from network logs, NAT obscures host identity, or endpoint telemetry is not collected on all Windows systems.
- Because no official detection logic is supplied, test candidate logic with known-good administrative and business workflows before using it for high-severity alerting.
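Because the page supplies no official detection logic, the following is an added illustration (not MITRE's or Glexia's code) of how the "uncommon or previously unseen" prevalence check and the "excessive" volume threshold can be combined once endpoint process telemetry and network flow records have been joined. Every record layout, field name, host name, process name, threshold and byte count below is a constructed assumption; a real deployment would derive the baselines per host role and time window from its own telemetry, as the list above recommends.

```python
"""Prevalence-plus-volume check for excessive outbound HTTP(S) traffic
from uncommon or previously unseen Windows processes.

Added example, not code from the page, MITRE or Glexia. All baselines,
records, thresholds and names are constructed for illustration.
"""
from collections import defaultdict

# Ports treated as HTTP(S) for this check (assumption).
HTTP_PORTS = {80, 443, 8080, 8443}

# Constructed baseline: process name -> hosts it was observed on during the
# baseline period. Prevalence is measured against the local fleet, not a
# generic allowlist.
BASELINE_PREVALENCE = {
    "chrome.exe": {"WS01", "WS02", "WS03", "WS04", "WS05"},
    "outlook.exe": {"WS01", "WS02", "WS03", "WS04", "WS05"},
    "backupagent.exe": {"WS01", "WS02", "WS03"},
    "svchost.exe": {"WS01", "WS02", "WS03", "WS04", "WS05"},
    "reportgen.exe": {"WS01"},
}
# Constructed baseline: typical outbound bytes per process per window.
BASELINE_BYTES_OUT = {
    "chrome.exe": 40_000_000,
    "outlook.exe": 15_000_000,
    "backupagent.exe": 900_000_000,
    "svchost.exe": 5_000_000,
    "reportgen.exe": 2_000_000,
}
TOTAL_HOSTS = 5  # size of the monitored Windows fleet (constructed)


def rec(host, process, user, dest, bytes_out, port=443):
    """Build one joined process-to-network flow record (constructed layout)."""
    return {"host": host, "process": process, "user": user,
            "dest": dest, "port": port, "bytes_out": bytes_out}


# Constructed records for one detection window, already joined from endpoint
# process execution metadata and outbound flow logs on (host, pid, time).
WINDOW_RECORDS = [
    rec("WS02", "chrome.exe", "alice", "cdn.example", 30_000_000),
    rec("WS03", "backupagent.exe", "SYSTEM", "backup.example", 850_000_000),
    rec("WS04", "updater.exe", "bob", "files.example", 120_000),
    rec("WS05", "sync.exe", "carol", "203.0.113.10", 250_000_000),
    rec("WS05", "sync.exe", "carol", "203.0.113.10", 300_000_000),
    rec("WS01", "reportgen.exe", "dave", "reports.example", 90_000_000),
    rec("WS01", "svchost.exe", "SYSTEM", "203.0.113.10", 80_000_000),
]


def aggregate_window(records):
    """Sum outbound bytes per (host, process, user, dest) over HTTP(S) ports."""
    totals = defaultdict(int)
    for r in records:
        if r["port"] not in HTTP_PORTS:
            continue
        totals[(r["host"], r["process"], r["user"], r["dest"])] += r["bytes_out"]
    return totals


def classify_prevalence(process, prevalence, total_hosts, uncommon_ratio=0.25):
    """'previously unseen' if absent from the baseline, 'uncommon' if seen on
    at most uncommon_ratio of hosts, otherwise 'common'."""
    hosts = prevalence.get(process)
    if not hosts:
        return "previously unseen"
    if len(hosts) / total_hosts <= uncommon_ratio:
        return "uncommon"
    return "common"


def volume_threshold(process, baseline_bytes, multiplier=5, floor=50_000_000):
    """Per-process 'excessive' threshold: a multiple of the historical volume,
    never below an absolute floor; unseen processes get the floor alone."""
    base = baseline_bytes.get(process)
    if base is None:
        return floor
    return max(base * multiplier, floor)


def detect(records, prevalence=BASELINE_PREVALENCE,
           baseline_bytes=BASELINE_BYTES_OUT, total_hosts=TOTAL_HOSTS):
    """Return alert dicts for uncommon/unseen processes whose outbound HTTP(S)
    volume in this window exceeds their threshold. Common processes are out
    of scope here even when their volume is high."""
    alerts = []
    for (host, process, user, dest), total in sorted(aggregate_window(records).items()):
        prev = classify_prevalence(process, prevalence, total_hosts)
        if prev == "common":
            continue
        threshold = volume_threshold(process, baseline_bytes)
        if total <= threshold:
            continue
        # Keep enough context for triage: who, what, where, how much, why.
        alerts.append({"host": host, "process": process, "user": user,
                       "dest": dest, "bytes_out": total, "threshold": threshold,
                       "prevalence": prev,
                       "hosts_seen_on": len(prevalence.get(process, ()))})
    return alerts


if __name__ == "__main__":
    for a in detect(WINDOW_RECORDS):
        print(a)
```

With the constructed data, reportgen.exe (seen on one of five hosts, 90 MB against a 50 MB threshold) and sync.exe (never seen, 550 MB aggregated across two flows) produce alerts; updater.exe is unseen but below the floor, the backup agent is high-volume but approved by its baseline, and svchost.exe is skipped as a common process, which is the scoping decision the thresholds and prevalence baselines above are meant to make explicit.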
Mitigation priorities
- Ensure Windows endpoint logging and network egress telemetry are consistently collected and retained for investigation.
- Define and maintain approved outbound-traffic patterns for high-volume business applications and system services.
- Apply egress control and proxy/firewall policy where appropriate so unexpected processes have fewer unrestricted paths to remote hosts.
- Use application control, software inventory, and least-privilege practices to reduce the number of unknown processes that can execute and communicate externally.
- Document alert triage procedures so SOC and IR teams can quickly distinguish approved high-volume transfers from suspicious process-driven web traffic.
Analyst notes and limits
This object is a detection analytic, not a technique description. The supplied ATT&CK fields identify Windows as the platform and describe the analytic goal, but do not provide tactics, data components, detection pseudocode, thresholds, or related techniques. The most important local decision is whether the organization can attribute outbound HTTP(S) volume to a specific Windows process and compare it against historical process prevalence.
Assessment is limited to the supplied ATT&CK fields and external reference. No relationship context, tactic mapping, official detection text, or implementation details were provided. Local baselines, telemetry quality, asset coverage, and approved application behavior are required before determining alert fidelity or coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 43cbe1914065… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0144
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.