MITRE ATT&CK® Analytic

AN0400: Analytic 0400

Processes that typically do not perform cryptographic operations loading symmetric encryption libraries (e.g., bcryptprimitives.dll, aes.dll), then initiating outbound connections with high-entropy payloads. Defender correlates process creation, DLL load, and anomalous encrypted traffic patterns.

Enterprise · AN0400 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it looks for a Windows process behaving outside its normal role: loading symmetric encryption libraries and then sending outbound traffic with high-entropy payloads. For leaders, the decision value is whether the organization can correlate endpoint process activity, DLL loads, and network traffic characteristics quickly enough to distinguish unusual encrypted communications from normal application behavior.

Executive priority

Prioritize this as a coverage-validation item for SOC readiness and incident response rather than as a standalone risk statement. It tests whether teams have the telemetry and correlation capability to investigate suspicious encrypted outbound activity from Windows systems, especially when the process involved is not normally expected to perform cryptographic operations. Executives should ask whether endpoint and network monitoring can be joined during an incident and whether exceptions for legitimate encrypted applications are documented.

Technical view

The supplied ATT&CK analytic describes correlation across three evidence points on Windows: process creation, loading of symmetric encryption libraries such as bcryptprimitives.dll or aes.dll, and outbound connections with high-entropy payloads. SOC and detection engineering teams should validate whether their tooling can identify processes that rarely or never load these libraries, correlate that with outbound network activity, and assess anomalous encrypted payload patterns. Because no ATT&CK tactic, relationship context, or official detection logic is supplied, this should be treated as a detection engineering pattern requiring local baselining and tuning.

Likely telemetry

  • Windows process creation telemetry
  • Windows DLL/module load telemetry for symmetric encryption libraries
  • Outbound network connection metadata
  • Network payload or flow-derived entropy/anomaly indicators where legally and technically available
  • Process-to-network correlation data from EDR, SIEM, NDR, or equivalent logging pipelines

Detection direction

  • Baseline which Windows processes normally load symmetric encryption libraries and which do not.
  • Correlate unusual DLL loads with outbound connections from the same process and host within a relevant time window.
  • Tune for legitimate software that performs encryption, update, backup, browser, security, or enterprise application functions to reduce false positives.
  • Validate whether high-entropy payload assessment is actually available; many environments only retain metadata, not payload-derived features.
  • Treat alerts as triage leads requiring process lineage, destination context, and host role review because the supplied object provides no standalone detection logic.
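As an added example, not code from the Glexia or MITRE page, the correlation steps above (baseline, same host and process, time window, entropy check) as runnable Python over constructed Sysmon-style events; the baseline set, 300-second window and 7.0 bits/byte threshold are assumed starting values that must be tuned locally.

```python
import math
from collections import Counter
# Symmetric-encryption libraries named in the analytic.
CRYPTO_DLLS = {"bcryptprimitives.dll", "aes.dll"}
# Hypothetical local baseline: images expected to load these DLLs in this
# environment (browsers, mail clients, security agents, ...). Tune per site.
BASELINE_CRYPTO_LOADERS = {"chrome.exe", "outlook.exe", "lsass.exe"}

def shannon_entropy(data):
    """Bits per byte: 0.0 for one repeated value, 8.0 for a uniform spread."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def correlate(events, window_s=300, entropy_min=7.0, baseline=BASELINE_CRYPTO_LOADERS):
    """Pair crypto-DLL loads with later outbound connections from the same
    host+pid inside window_s; keep those with high-entropy payloads. Events
    are time-ordered; payload is None when only metadata exists."""
    loads = {}   # (host, pid) -> ts of first crypto-DLL load
    alerts = []
    for ev in events:
        key = (ev["host"], ev["pid"])
        if ev["type"] == "image_load" and ev["module"].lower() in CRYPTO_DLLS:
            loads.setdefault(key, ev["ts"])
        elif ev["type"] == "net_conn" and key in loads:
            if ev["image"].lower() in baseline:
                continue              # expected crypto user: tuned out
            if not 0 <= ev["ts"] - loads[key] <= window_s:
                continue              # outside the correlation window
            if ev.get("payload") is None:
                continue              # metadata only: entropy not assessable
            h = shannon_entropy(ev["payload"])
            if h >= entropy_min:
                alerts.append({"host": ev["host"], "pid": ev["pid"], "image": ev["image"],
                               "dst": ev["dst"], "entropy": round(h, 2)})
    return alerts

# Constructed sample telemetry, not real logs. UNIFORM stands in for ciphertext.
UNIFORM = bytes(range(256)) * 4
HTTP = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
SAMPLE_EVENTS = [
    {"ts": 100, "type": "image_load", "host": "ws01", "pid": 4321, "image": "notepad.exe", "module": "bcryptprimitives.dll"},
    {"ts": 130, "type": "net_conn", "host": "ws01", "pid": 4321, "image": "notepad.exe", "dst": "203.0.113.7:443", "payload": UNIFORM},
    {"ts": 200, "type": "image_load", "host": "ws01", "pid": 5555, "image": "chrome.exe", "module": "bcryptprimitives.dll"},
    {"ts": 210, "type": "net_conn", "host": "ws01", "pid": 5555, "image": "chrome.exe", "dst": "198.51.100.3:443", "payload": UNIFORM},
    {"ts": 300, "type": "image_load", "host": "ws02", "pid": 777, "image": "calc.exe", "module": "aes.dll"},
    {"ts": 320, "type": "net_conn", "host": "ws02", "pid": 777, "image": "calc.exe", "dst": "192.0.2.9:80", "payload": HTTP},
    {"ts": 900, "type": "net_conn", "host": "ws02", "pid": 777, "image": "calc.exe", "dst": "192.0.2.9:443", "payload": UNIFORM},
]
```

Only the notepad.exe connection survives all four filters; high entropy alone also matches compressed data and routine TLS, so each hit is a triage lead for process lineage and destination review, and where only flow metadata is retained the entropy step has to be replaced rather than assumed.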

Mitigation priorities

  • Ensure endpoint logging captures process creation and DLL/module loads on Windows systems where this analytic is expected to operate.
  • Ensure network monitoring captures outbound connection metadata and, where appropriate, traffic characteristics needed for encrypted-payload anomaly analysis.
  • Document expected encryption behavior for common enterprise applications to support tuning and audit evidence.
  • Strengthen incident response playbooks for suspicious outbound encrypted traffic, including host isolation decision criteria and evidence preservation.
  • Review egress monitoring and control strategy for systems where unexpected encrypted outbound traffic could affect business continuity.

Analyst notes and limits

This Glexia take is based only on ATT&CK analytic AN0400. The object is a detection analytic, not a technique, and no tactics, relationships, aliases, or official detection implementation were supplied. The practical value is in validating cross-domain correlation between Windows endpoint telemetry and outbound network behavior.

The supplied ATT&CK fields do not identify adversaries, active exploitation, affected products beyond the Windows platform, specific tactics, or exact detection logic. Local baselines are required to determine which processes are unusual in a given environment and whether high-entropy outbound payload analysis is available or permissible.

Official MITRE ATT&CK definition

Analytic 0400

Processes that typically do not perform cryptographic operations loading symmetric encryption libraries (e.g., bcryptprimitives.dll, aes.dll), then initiating outbound connections with high-entropy payloads. Defender correlates process creation, DLL load, and anomalous encrypted traffic patterns.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (blank in the mirrored snapshot)
Modified: (blank in the mirrored snapshot)
Raw hash: 193c7c89b42b865e...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported: (blank in the mirrored snapshot)
Object version: 1.0
Modified: (blank in the mirrored snapshot)
Status: Current bundle
Raw hash: 193c7c89b42b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0400
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.