MITRE ATT&CK® Analytic

AN0165: Analytic 0165

Unusual or uncommon processes initiate network connections to external destinations followed by file creation (tools downloaded).

Enterprise | AN0165 | Analytic | Object version 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting Windows hosts where an unusual or uncommon process makes an external network connection and then creates a file, consistent with a tool or payload being downloaded. For leaders, the value is not in the specific process name, but in validating whether the organization can connect process, network, and file-creation evidence quickly enough to distinguish legitimate software activity from suspicious tool acquisition.

Executive priority

Prioritize this as a control-validation and SOC-readiness question: can security teams prove they collect and correlate Windows process activity, outbound connections, and file creation events? This matters for incident triage, containment decisions, audit evidence around monitoring coverage, and reducing dwell time when unfamiliar processes introduce new tools into the environment.

Technical view

For Windows endpoints, validate analytics that correlate an uncommon process initiating an external network connection followed by file creation on the same host and within a defensible time window. Because ATT&CK provides no tactic, relationship, or detailed detection logic for this object, teams should tune around local baselines: known software updaters, browsers, package managers, management agents, developer tools, and administrative utilities may create legitimate matches. Detection quality depends heavily on process identity, parent process, command-line context, destination reputation or rarity, file path, file type, and whether the resulting file is newly observed in the environment.

Likely telemetry

  • Windows process execution telemetry, including process name, path, parent process, command line, user, and host
  • Endpoint network connection telemetry showing process-to-destination mapping for external connections
  • File creation telemetry with path, filename, hash where available, creating process, user, and timestamp
  • DNS or proxy records to enrich external destination context
  • Endpoint inventory or baseline data to determine whether a process is uncommon in the environment

Detection direction

  • Validate that process, network, and file-creation events can be correlated on the same Windows host within a defined time window.
  • Baseline common and approved download-capable processes to reduce false positives from browsers, software updaters, deployment tools, and administrative agents.
  • Prioritize alerts where the initiating process is rare for the host or enterprise, has unusual parentage, runs from atypical paths, or creates executable/script/archive files after contacting an external destination.
  • Review blind spots where endpoint telemetry lacks process-to-network attribution, file creation logging, command-line capture, or visibility into encrypted web traffic metadata.
  • Use destination and file rarity as triage enrichments, but avoid relying on reputation alone because the supplied analytic only supports behavior-based correlation.

Mitigation priorities

  • Ensure Windows endpoint monitoring captures process execution, external network connections, and file creation with enough fidelity for correlation.
  • Define and maintain allowlists or baselines for approved software distribution, update, browser, and administrative download behavior.
  • Harden egress controls and proxy/DNS visibility so external destinations used by uncommon processes are observable and reviewable.
  • Establish SOC playbooks for investigating suspected tool downloads, including host isolation criteria, file collection, hash review, and user/process context validation.
  • Use findings from this analytic to improve asset baselines, software governance, and evidence collection for monitoring and incident response readiness.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, AN0165, for Windows. It describes uncommon processes making external connections followed by file creation, but provides no official detection text, tactic mapping, related techniques, or relationship context. Local baselining is therefore essential to determine what counts as unusual and which file creations are security-relevant.

This take is limited to the official STIX fields, the MITRE external reference, and the absence of supplied relationships. It does not assert active exploitation, actor attribution, impact, or guaranteed detection coverage. Environment-specific telemetry, baselines, and control configuration are required before operationalizing the analytic.

Official MITRE ATT&CK definition

Analytic 0165

Unusual or uncommon processes initiate network connections to external destinations followed by file creation (tools downloaded).

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: c991dd060ac82ee8...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | c991dd060ac8…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0165 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.