AN0204: Analytic 0204
Anomalous process (e.g., `rundll32`, `svchost`, `cmd`) initiates connections to internal peer hosts not seen in typical communication baselines, used to proxy or forward traffic internally, often using SMB, RPC, or high ports.
Analyst context for executives and security teams
This analytic matters because unusual Windows processes making new internal peer-to-peer connections can be an early signal of internal traffic forwarding, proxying, or lateral movement preparation. For leaders, the decision value is whether the organization can see and explain east-west Windows communications before they become an incident-response problem.
Executive priority
Prioritize this as a visibility and resilience question: can security teams prove which Windows hosts normally talk to each other, over SMB, RPC, and high ports, and identify when common processes such as rundll32, svchost, or cmd deviate from that baseline? The business risk is not just malware detection; it is delayed containment when internal routing, proxying, or unauthorized peer communication is not monitored or understood.
Technical view
Validate whether Windows endpoint and network telemetry can correlate process identity with internal destination hosts and ports. The analytic description focuses on anomalous processes initiating connections to internal peers not seen in typical baselines, especially over SMB, RPC, or high ports. Because no official detection logic or relationship context is supplied, teams should build environment-specific baselines and test alerting against known administrative, patching, software deployment, and service-management patterns to reduce noise.
Likely telemetry
- Windows process creation events with process name, command line, parent process, user, and host
- Endpoint network connection telemetry linking process to destination IP, host, port, and protocol
- Internal east-west network flow data for SMB, RPC, and high-port communications
- Windows authentication and logon context for the initiating user or service account
- Asset inventory and role data to distinguish normal server-to-server, admin, and workstation peer traffic
Detection direction
- Baseline normal internal peer communications by host role, user context, process name, destination, port, and frequency.
- Alert on common Windows processes such as rundll32, svchost, or cmd initiating new or rare internal connections, especially to peer hosts not previously contacted.
- Tune carefully for legitimate administration, software deployment, backup, vulnerability scanning, and remote management activity.
- Prioritize detections that join endpoint process telemetry with network flow data; network-only detections may miss the initiating process, while endpoint-only visibility may miss broader east-west patterns.
- Investigate whether SMB, RPC, and high-port traffic is expected for the source host role before escalating.
Mitigation priorities
- Improve internal segmentation and restrict unnecessary SMB, RPC, and high-port peer access between Windows systems.
- Maintain least-privilege administrative access and review service accounts that can initiate broad internal connections.
- Ensure Windows endpoint logging and network flow collection are retained long enough to support baselining and incident investigation.
- Document approved administrative and service communication paths so SOC teams can distinguish expected internal traffic from anomalous peer connections.
- Use incident response runbooks that quickly validate source host role, initiating process, user context, and destination peer legitimacy.
Analyst notes and limits
This is a detection analytic object for Windows in the enterprise ATT&CK domain. It provides a behavioral description but no official detection logic, no tactic mapping in the supplied fields, and no relationship context. The strongest use is as a validation prompt for east-west visibility and process-to-network correlation.
The supplied ATT&CK fields do not provide active exploitation evidence, attribution, procedures, mitigations, or a tested detection query. Local baselines, asset roles, and administrative workflows are required to determine what is anomalous and actionable.
Analytic 0204
Anomalous process (e.g., `rundll32`, `svchost`, `cmd`) initiates connections to internal peer hosts not seen in typical communication baselines, used to proxy or forward traffic internally, often using SMB, RPC, or high ports.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 3ae77db309df… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0204Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.