AN0145: Analytic 0145
Identifies custom or previously unseen userland processes initiating high-volume HTTP connections with low response volume.
Analyst context for executives and security teams
This analytic is about spotting unusual Linux userland processes that create many HTTP connections but receive little data back. For leaders, the value is not the specific technique attribution—none is supplied—but the operational question it raises: can the SOC distinguish normal high-volume web activity from suspicious outbound connection patterns created by custom or previously unseen processes?
Executive priority
Prioritize this as a coverage-validation item for Linux environments where outbound HTTP activity is business-critical or tightly controlled. It can support incident triage and resilience planning by helping teams identify anomalous process-to-network behavior, but its business value depends on whether endpoint and network telemetry are collected, retained, and correlated well enough to prove what process initiated the traffic.
Technical view
Validate whether Linux endpoint telemetry can identify userland process names, paths, command context where available, and outbound HTTP connection volume, then correlate that with network observations showing low response volume. Because ATT&CK provides no tactic, relationship context, or official detection logic for this analytic, teams should treat it as a behavioral detection concept rather than a complete rule. Baseline known high-volume Linux processes before alerting on custom or previously unseen processes.
Likely telemetry
- Linux process execution and process metadata
- Endpoint network connection telemetry with process attribution
- HTTP connection counts and response-size or byte-in/byte-out data
- Network flow records showing outbound connection volume
- Asset and software inventory to distinguish approved services from custom or unseen processes
Detection direction
- Confirm that HTTP connection volume can be measured per Linux process, not only per host or IP address.
- Tune against known software updaters, proxies, monitoring agents, package managers, scanners, and internal services that may create many HTTP sessions.
- Look for mismatch patterns: high outbound HTTP connection count with comparatively low inbound response volume.
- Use asset context to separate expected server behavior from unusual activity on endpoints or systems that do not normally initiate many HTTP connections.
- Document blind spots where network telemetry lacks process attribution or endpoint telemetry lacks byte-volume context.
Mitigation priorities
- First, close telemetry gaps for Linux process-to-network attribution and HTTP flow visibility.
- Maintain software and asset inventories so custom or previously unseen userland processes can be assessed quickly.
- Define acceptable outbound HTTP behavior for sensitive Linux systems and investigate deviations through IR playbooks.
- Use network egress governance and change-control evidence to support compliance and reduce ambiguity during investigations.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, AN0145, for Linux. It identifies custom or previously unseen userland processes initiating high-volume HTTP connections with low response volume. No tactic, technique relationships, aliases, labels, or official detection logic were supplied, so this take focuses on defensive validation and telemetry requirements rather than threat attribution or a specific ATT&CK behavior chain.
This assessment is constrained to the supplied STIX fields and external reference. It does not establish active exploitation, adversary use, impact, or guaranteed detectability. Local baselines, process inventory, endpoint logging, and network flow visibility are required to determine whether the analytic is actionable in a given environment.
Analytic 0145
Identifies custom or previously unseen userland processes initiating high-volume HTTP connections with low response volume.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 8fc01b1ae8cd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0145Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.