MITRE ATT&CK® Analytic

AN0423: Analytic 0423

Detects data access or staging events followed by outbound data flows using unencrypted protocols (e.g., FTP, HTTP) initiated by unexpected processes or to rare destinations.

Enterprise · AN0423 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it looks for a common business-risk pattern: data being accessed or staged and then sent outbound over unencrypted protocols such as FTP or HTTP by processes or to destinations that are not expected. For leaders, the value is not just detecting a network transfer; it is validating whether the organization can see potential data movement before it becomes a reportable incident, audit issue, or operational disruption.

Executive priority

Prioritize this as a data-loss and incident-readiness control validation for Windows environments. Executives should ask whether SOC and IR teams can correlate endpoint activity with outbound network flows, identify rare destinations, and explain which business processes legitimately use unencrypted outbound protocols. This helps focus investment on telemetry quality, egress governance, and evidence needed for compliance or incident decision-making.

Technical view

AN0423 is a Windows-focused detection analytic for data access or staging events followed by outbound data flows over unencrypted protocols such as FTP and HTTP, initiated by unexpected processes or to rare destinations. SOC teams should validate whether endpoint data access or staging signals can be correlated with proxy, firewall, DNS, and network flow telemetry. Because no official detection logic is provided, implementation should be environment-specific and should define baselines for expected processes, approved destinations, and legitimate unencrypted traffic.

Likely telemetry

  • Windows endpoint process execution telemetry
  • Windows file or data access and staging indicators where available
  • Outbound network connection logs from endpoints
  • Proxy logs showing HTTP destinations and initiating hosts or users
  • Firewall or network flow records for outbound FTP and HTTP

Detection direction

  • Validate correlation between data access or staging activity and subsequent outbound FTP or HTTP flows from the same Windows host or user context.
  • Tune around approved business applications that legitimately use HTTP or FTP to reduce false positives.
  • Define what constitutes an unexpected process for outbound data transfer in the local environment.
  • Use rarity logic carefully: rare destinations can be suspicious, but new SaaS services, software updates, or business partner transfers may also appear rare.
  • Confirm whether telemetry identifies the initiating process for network connections; without process-to-network linkage, this analytic may be weak.
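The correlation described above, as an added illustration that is not MITRE or Glexia code: it walks constructed endpoint and network events, remembers the last data-access event per host, and alerts when an outbound FTP/HTTP flow follows it within a window from a process outside a hypothetical allowlist or to a destination that is rare in a constructed baseline (window, allowlist, threshold, and all sample values are assumptions).

```python
# Correlate data access/staging on a host with a later outbound FTP/HTTP flow (the AN0423 pattern).
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)        # staging must precede the flow within this (assumed) window
UNENCRYPTED_PORTS = {21, 80}          # FTP and HTTP, the protocols named in the analytic
APPROVED_PROCESSES = {"chrome.exe", "msedge.exe"}  # hypothetical local allowlist
RARE_THRESHOLD = 5                    # a destination seen fewer times than this is "rare" (assumed)

# Constructed baseline: destination frequencies from historical proxy/firewall logs.
BASELINE_DEST_COUNTS = Counter({"intranet.example": 120, "updates.example": 45})

# Constructed sample telemetry (not real logs), already normalised into dicts.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS01", "type": "file_access", "process": "explorer.exe", "path": "C:\\Finance\\Q1.xlsx"},
    {"ts": "2024-05-01T09:02:00", "host": "WS01", "type": "file_access", "process": "powershell.exe", "path": "C:\\Users\\Public\\staging.zip"},
    {"ts": "2024-05-01T09:03:30", "host": "WS01", "type": "net_conn", "process": "powershell.exe", "dst": "203.0.113.7", "port": 21},
    {"ts": "2024-05-01T09:10:00", "host": "WS02", "type": "net_conn", "process": "chrome.exe", "dst": "updates.example", "port": 80},
    {"ts": "2024-05-01T09:11:00", "host": "WS02", "type": "file_access", "process": "winword.exe", "path": "C:\\Docs\\memo.docx"},
    {"ts": "2024-05-01T09:12:00", "host": "WS02", "type": "net_conn", "process": "chrome.exe", "dst": "intranet.example", "port": 80},
    {"ts": "2024-05-01T09:15:00", "host": "WS02", "type": "net_conn", "process": "chrome.exe", "dst": "198.51.100.9", "port": 80},
    {"ts": "2024-05-01T09:20:00", "host": "WS03", "type": "net_conn", "process": "powershell.exe", "dst": "203.0.113.7", "port": 443},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def correlate(events, baseline=BASELINE_DEST_COUNTS):
    """Return one alert per outbound unencrypted flow that follows data access on
    the same host within WINDOW and is unexpected by process or by destination."""
    alerts = []
    last_access = {}  # host -> timestamp of its most recent file access/staging event
    for e in sorted(events, key=_ts):
        if e["type"] == "file_access":
            last_access[e["host"]] = _ts(e)   # any read counts here; tune to real staging signals
            continue
        if e["type"] != "net_conn" or e["port"] not in UNENCRYPTED_PORTS:
            continue                          # encrypted flows and non-network events are out of scope
        staged = last_access.get(e["host"])
        if staged is None or _ts(e) - staged > WINDOW:
            continue                          # no recent data access on this host: not the pattern
        reasons = []
        if e["process"].lower() not in APPROVED_PROCESSES:
            reasons.append("unexpected process")
        if baseline.get(e["dst"], 0) < RARE_THRESHOLD:
            reasons.append("rare destination")
        if reasons:
            alerts.append({"host": e["host"], "process": e["process"], "dst": f"{e['dst']}:{e['port']}", "staged_at": staged.isoformat(), "reasons": reasons})
    return alerts
```

Calling `correlate(EVENTS)` yields two alerts: the powershell.exe FTP flow on WS01 (unexpected process and rare destination) and the chrome.exe HTTP flow to 198.51.100.9 on WS02 (approved process, rare destination); the HTTP flow on WS02 with no preceding data access and the port 443 flow on WS03 are not flagged.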

Mitigation priorities

  • Inventory and justify legitimate outbound FTP and HTTP use from Windows systems.
  • Restrict or govern unnecessary unencrypted outbound protocols through egress controls where business requirements allow.
  • Improve endpoint and network telemetry needed to correlate file activity, process context, and outbound flows.
  • Maintain allowlists for approved processes and destinations, with periodic review to avoid stale exceptions.
  • Prepare IR playbooks for suspected data staging followed by outbound transfer, including containment, evidence preservation, and business-owner validation.

Analyst notes and limits

The ATT&CK object provides an analytic description but no official detection logic, tactics, or relationship context. The most useful local work is to convert the described behavior into environment-specific correlation rules and validate whether endpoint and network data can support them.

This take is based only on the supplied ATT&CK STIX fields and external reference for AN0423. No active exploitation, threat actor attribution, specific technique relationship, or guaranteed detection coverage is implied. Platforms are limited to Windows as supplied.

Official MITRE ATT&CK definition

Analytic 0423

Detects data access or staging events followed by outbound data flows using unencrypted protocols (e.g., FTP, HTTP) initiated by unexpected processes or to rare destinations.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 33a18040736ead7b...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: 33a18040736e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0423 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.