AN0401: Analytic 0401
Unexpected processes (e.g., bash, python, custom binaries) dynamically loading libcrypto or performing AES/RC4 encryption operations, then initiating outbound sessions with abnormal byte entropy or asymmetric traffic patterns.
Analyst context for executives and security teams
This analytic is about spotting Linux processes that unexpectedly use cryptographic libraries or encryption operations and then make suspicious outbound network connections. For executives and security leaders, the value is not the crypto use itself—many legitimate tools encrypt data—but whether the organization can distinguish normal encrypted business activity from unusual process-and-network behavior that may matter during an incident.
Executive priority
Prioritize this as a coverage-validation question for Linux workloads: do SOC and IR teams have enough process, library-loading, and network telemetry to explain which programs are using encryption and where they are communicating? This can support incident triage, control assurance, and audit evidence for monitored Linux environments, but it should not be treated as a standalone indicator of compromise without local baselines and investigation context.
Technical view
For Linux systems, validate whether monitoring can correlate unexpected processes such as shells, Python, or custom binaries with dynamic loading of libcrypto or observed AES/RC4 encryption operations, followed by outbound sessions showing abnormal byte entropy or asymmetric traffic patterns. Because no ATT&CK tactic, technique relationship, or official detection logic is supplied, teams should treat this as a behavioral analytic concept requiring environment-specific baselining and tuning.
Likely telemetry
- Linux process execution telemetry
- Dynamic library load telemetry, especially libcrypto usage
- Endpoint visibility into command interpreters, scripting runtimes, and custom binaries
- Network connection metadata for outbound sessions
- Traffic characteristics such as byte counts, directionality, entropy indicators, or asymmetric flow patterns
Detection direction
- Validate that process activity can be joined to library-loading and outbound network session data on Linux systems.
- Baseline legitimate encryption-heavy applications and administrative scripts to reduce false positives.
- Review unexpected use of bash, python, or custom binaries in combination with crypto library loading and unusual outbound traffic, rather than alerting on any one signal alone.
- Tune for abnormal destinations, traffic asymmetry, or entropy patterns when those features are available in telemetry.
- Document blind spots where endpoint sensors cannot observe library loads, where network tools cannot attribute connections to processes, or where encrypted traffic characteristics are not collected.
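The detection direction above is easier to reason about as a concrete join. The script below is an added example written for this page, not detection logic from MITRE or from the Glexia mirror: it takes constructed process-execution, library-load and outbound-flow records, keys them on pid, and emits a finding only when an image outside an approved baseline has loaded a crypto library and its outbound session shows high byte entropy or an upload-heavy byte ratio. The event schema, field names, the approved-image list, the thresholds and all sample values (TEST-NET addresses, invented pids and paths) are assumptions standing in for whatever an EDR or flow pipeline actually emits.

```python
"""Correlate Linux process, library-load and outbound-flow telemetry.

Added example, not code from the ATT&CK analytic or the Glexia page. The
event schema, field names, thresholds and sample records below are
constructed assumptions standing in for what an EDR/flow pipeline emits.
"""
import math
from collections import defaultdict

# Hypothetical local baseline: images approved to use crypto and talk outbound.
APPROVED_IMAGES = {"curl", "sshd", "nginx", "openssl", "backup-agent"}
CRYPTO_LIB_PREFIXES = ("libcrypto", "libssl", "libgcrypt")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Encrypted/compressed data approaches 8.0; plain text sits near 4-5."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def asymmetry_ratio(bytes_out: int, bytes_in: int) -> float:
    """Share of session bytes that left the host: 0.5 is balanced, 1.0 is pure upload."""
    total = bytes_out + bytes_in
    return bytes_out / total if total else 0.0


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def correlate(events, entropy_threshold=7.0, asymmetry_threshold=0.8):
    """Join exec, library-load and flow events by pid; report only when all three
    signals line up: unexpected image + crypto library loaded + abnormal flow."""
    procs = {}  # pid -> {"image": str, "crypto": bool, "flows": [...]}
    for ev in events:
        p = procs.setdefault(ev["pid"], {"image": None, "crypto": False, "flows": []})
        if ev["type"] == "exec":
            p["image"] = basename(ev["image"])
        elif ev["type"] == "load" and basename(ev["path"]).startswith(CRYPTO_LIB_PREFIXES):
            p["crypto"] = True
        elif ev["type"] == "flow":
            p["flows"].append(ev)

    findings = []
    for pid, p in procs.items():
        if p["image"] is None or p["image"] in APPROVED_IMAGES or not p["crypto"]:
            continue  # baselined application, or no crypto use: nothing to correlate
        for fl in p["flows"]:
            ent = shannon_entropy(fl["payload_sample"])
            asym = asymmetry_ratio(fl["bytes_out"], fl["bytes_in"])
            reasons = []
            if ent >= entropy_threshold:
                reasons.append("high_entropy")
            if asym >= asymmetry_threshold:
                reasons.append("asymmetric_upload")
            if reasons:
                findings.append({"pid": pid, "image": p["image"], "dst": fl["dst"],
                                 "entropy": round(ent, 2), "asymmetry": round(asym, 2),
                                 "reasons": reasons})
    return findings


# Constructed sample telemetry (TEST-NET addresses, invented pids and paths).
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 101, "image": "/usr/bin/curl"},
    {"type": "load", "pid": 101, "path": "/usr/lib/x86_64-linux-gnu/libcrypto.so.3"},
    {"type": "flow", "pid": 101, "dst": "203.0.113.10:443", "bytes_out": 900,
     "bytes_in": 45000, "payload_sample": bytes(range(256))},       # approved image: TLS download
    {"type": "exec", "pid": 202, "image": "/usr/bin/python3"},
    {"type": "load", "pid": 202, "path": "/usr/lib/x86_64-linux-gnu/libcrypto.so.3"},
    {"type": "flow", "pid": 202, "dst": "198.51.100.7:8443", "bytes_out": 50000,
     "bytes_in": 1200, "payload_sample": bytes(range(256))},        # interpreter + crypto + upload
    {"type": "exec", "pid": 303, "image": "/bin/bash"},
    {"type": "flow", "pid": 303, "dst": "192.0.2.5:80", "bytes_out": 120,
     "bytes_in": 800, "payload_sample": b"GET / HTTP/1.1\r\nHost: example.test\r\n"},  # no crypto lib
    {"type": "exec", "pid": 404, "image": "/opt/custom/agentd"},
    {"type": "load", "pid": 404, "path": "/usr/lib/x86_64-linux-gnu/libcrypto.so.3"},
    {"type": "flow", "pid": 404, "dst": "192.0.2.9:443", "bytes_out": 300,
     "bytes_in": 300, "payload_sample": b"ping\r\n" * 8},           # custom binary, balanced, low entropy
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Run as-is, only pid 202 is reported: curl is suppressed by the approved baseline even though its traffic is high-entropy, bash never loaded a crypto library, and the custom binary loaded one but its session is balanced and low-entropy. That is the point of the list above: each signal alone would fire constantly on a normal Linux host, and the baseline and thresholds have to be tuned per environment before any of this is alert-worthy.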
Mitigation priorities
- Ensure Linux endpoint and network telemetry collection is enabled and retained at a level sufficient for incident response correlation.
- Harden and govern use of scripting runtimes and custom binaries on sensitive Linux systems where operationally feasible.
- Apply least privilege and change control around services and workloads that should not initiate arbitrary outbound sessions.
- Use egress controls and network segmentation to limit unexpected outbound communications from Linux assets.
- Maintain baselines of approved encryption-using applications so detection engineering can separate normal business activity from anomalous behavior.
Analyst notes and limits
The supplied object is a detection analytic, not a technique or campaign. Its decision value is in validating correlated Linux host-and-network visibility around crypto use and outbound traffic behavior. The description names example processes and crypto indicators, but local asset roles and normal application behavior are essential for interpretation.
No official detection logic, tactics, relationships, procedures, mitigations, or data source mappings were supplied. This take is therefore limited to the provided Linux platform and analytic description and should not be read as evidence of active exploitation, attribution, impact, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 47ada7bd3af1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0401
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.