MITRE ATT&CK® Analytic

AN0424: Analytic 0424

Detects file access or compression utilities followed by outbound connections using curl, wget, ftp, or custom binaries communicating over unencrypted protocols.

Enterprise · AN0424 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because it looks for a common data-movement pattern on Linux systems: files are accessed or compressed and then an outbound transfer tool or custom binary communicates over an unencrypted protocol. For leaders, the value is not just catching a tool like curl or wget; it is validating whether the organization can see suspicious staging-and-transfer behavior before it becomes a larger incident involving data loss, compliance exposure, or operational disruption.

Executive priority

Prioritize this as a visibility and response-readiness question for Linux environments. Security leaders should ask whether SOC teams can correlate local file activity, compression activity, and outbound network connections into a single investigation story. The business decision value is strongest for systems that store regulated data, operational data, intellectual property, or sensitive logs, because unencrypted outbound movement can create both incident response urgency and audit evidence gaps.

Technical view

For SOC, detection engineering, and IR teams, validate telemetry that can connect Linux file access or compression utilities with subsequent outbound connections from curl, wget, ftp, or non-standard/custom binaries using unencrypted protocols. Because ATT&CK does not provide a formal detection body for this analytic, implementation should be treated as a correlation use case rather than a single indicator. Tune around expected administrative automation, package retrieval, backups, monitoring scripts, and application workflows that legitimately use these tools.

Likely telemetry

  • Linux process execution events for file access tools, compression utilities, curl, wget, ftp, and unusual/custom binaries
  • Command-line arguments showing source paths, archive names, destination hosts, URLs, or protocol usage where available
  • File system activity showing access to sensitive directories or creation of compressed archives
  • Outbound network connection logs from Linux hosts, including destination IP/host, port, protocol, and process context where available
  • Proxy, firewall, or network sensor logs that can identify unencrypted outbound transfer behavior

Detection direction

  • Correlate file access or compression activity followed closely by outbound unencrypted connections from the same Linux host and, where possible, the same user or process tree.
  • Give higher investigative priority to events involving sensitive paths, newly created archives, unusual destination hosts, rare binaries, or outbound connections inconsistent with the host’s normal role.
  • Tune expected use of curl, wget, and ftp by administrators, deployment tooling, update workflows, and scheduled jobs to reduce false positives without suppressing novel destinations or unusual data paths.
  • Validate whether telemetry preserves command line, parent process, user, working directory, and network destination context; without these fields, the analytic may produce weak or unactionable alerts.
  • Because no ATT&CK relationships or tactics are supplied, avoid assuming a specific campaign stage and use this analytic as behavioral evidence requiring local triage context.
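The correlation described in the bullets above, written out as an added example that is not part of the Glexia page or the ATT&CK object. The event schema, the lists of staging and transfer tools, the use of destination port as a stand-in for "unencrypted protocol", the scoring weights, the 10-minute window and the sample telemetry are all constructed assumptions chosen to illustrate the logic; a real deployment would take these from the local EDR schema, network sensors and tuned baselines.

```python
"""Correlate Linux file staging (access or compression) with a later outbound
unencrypted transfer from the same host. Event schema, field names and all
sample data below are constructed for this example, not a real EDR format."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    pid: int
    ppid: int
    kind: str           # "process" (execution) or "netconn" (outbound connection)
    image: str          # process name, e.g. "tar" or "curl"
    cmdline: str = ""   # process events only
    dst_host: str = ""  # netconn events only
    dst_port: int = 0   # netconn events only

STAGING_TOOLS = {"tar", "gzip", "zip", "xz", "bzip2", "7z", "cat", "cp", "find", "dd"}
KNOWN_TRANSFER_TOOLS = {"curl", "wget", "ftp"}
# Ports used here as a stand-in for "unencrypted protocol" (ftp, telnet, http);
# a network sensor that identifies the protocol directly is a stronger signal.
UNENCRYPTED_PORTS = {21, 23, 80, 8080}
SENSITIVE_PATHS = ("/etc/shadow", "/home/", "/var/log/", "/srv/data/")
ARCHIVE_SUFFIXES = (".tar", ".tgz", ".tar.gz", ".zip", ".7z", ".xz", ".gz")
WINDOW = timedelta(minutes=10)   # staging must precede the transfer by at most this

def is_staging(ev):
    return ev.kind == "process" and ev.image in STAGING_TOOLS

def is_unencrypted_outbound(ev):
    # Any process counts (curl, wget, ftp or a custom binary); the port decides.
    return ev.kind == "netconn" and ev.dst_port in UNENCRYPTED_PORTS

def score(stage, xfer, baseline_binaries, known_destinations):
    """Priority score following the 'Detection direction' bullets: sensitive
    paths, new archives, rare binaries, unusual destinations, shared context."""
    s, reasons = 1, []
    if any(p in stage.cmdline for p in SENSITIVE_PATHS):
        s += 2; reasons.append("sensitive path")
    if any(tok.endswith(ARCHIVE_SUFFIXES) for tok in stage.cmdline.split()):
        s += 1; reasons.append("archive created")
    if xfer.image not in baseline_binaries:
        s += 2; reasons.append("rare binary " + xfer.image)
    if xfer.dst_host not in known_destinations:
        s += 1; reasons.append("unusual destination")
    if xfer.user == stage.user:
        s += 1; reasons.append("same user")
    if xfer.ppid in (stage.pid, stage.ppid):   # child of, or sibling under, the stager
        s += 1; reasons.append("same process tree")
    return s, reasons

def correlate(events, baseline_binaries=frozenset(KNOWN_TRANSFER_TOOLS),
              known_destinations=frozenset()):
    """Return one alert per (staging event, outbound unencrypted connection)
    pair on the same host where the connection falls inside WINDOW after staging."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, xfer in enumerate(events):
        if not is_unencrypted_outbound(xfer):
            continue
        for stage in events[:i]:   # only events that happened before the connection
            if is_staging(stage) and stage.host == xfer.host and xfer.ts - stage.ts <= WINDOW:
                s, reasons = score(stage, xfer, baseline_binaries, known_destinations)
                alerts.append({"host": xfer.host, "user": xfer.user, "score": s,
                               "staging": stage.cmdline, "transfer": xfer.image,
                               "destination": f"{xfer.dst_host}:{xfer.dst_port}",
                               "reasons": reasons})
    return alerts

def sample_events():
    """Constructed telemetry: three hosts, one benign-looking and two suspicious."""
    t = datetime(2024, 1, 1, 12, 0, 0)
    m = lambda n: t + timedelta(minutes=n)
    return [
        # web01: an old zip outside the window, then tar of /var/log and curl to an unknown host
        Event(m(-30), "web01", "deploy", 3900, 4000, "process", "zip", "zip -r /tmp/old.zip /opt/app/static"),
        Event(m(0), "web01", "deploy", 4010, 4000, "process", "tar", "tar czf /tmp/logs.tgz /var/log/app.log"),
        Event(m(2), "web01", "deploy", 4012, 4000, "netconn", "curl", dst_host="203.0.113.10", dst_port=80),
        Event(m(3), "web01", "deploy", 4013, 4000, "netconn", "curl", dst_host="api.example.net", dst_port=443),
        # build02: CI job compresses a build log, then wget from an approved mirror
        Event(m(5), "build02", "ci", 5100, 5000, "process", "gzip", "gzip /opt/src/build.log"),
        Event(m(6), "build02", "ci", 5200, 5000, "netconn", "wget", dst_host="mirror.example.net", dst_port=80),
        # db01: web service account reads /etc/shadow, then a child custom binary speaks FTP
        Event(m(8), "db01", "www-data", 6100, 6000, "process", "cat", "cat /etc/shadow"),
        Event(m(9), "db01", "www-data", 6150, 6100, "netconn", "syncd", dst_host="198.51.100.7", dst_port=21),
    ]

if __name__ == "__main__":
    for a in sorted(correlate(sample_events(), known_destinations={"mirror.example.net"}),
                    key=lambda a: -a["score"]):
        print(a["score"], a["host"], a["staging"], "->", a["transfer"], a["destination"], a["reasons"])
```

Run as-is, the script ranks the db01 pair (sensitive file, custom binary, FTP, unknown destination, same user and process tree) highest, the web01 pair next, and the build02 CI job lowest because its destination is on the known list and nothing sensitive was touched. The curl connection on port 443 and the zip run 30 minutes earlier produce nothing, which shows the two filters that keep the analytic from degrading into "any curl on Linux": protocol and a bounded time window. The baseline and known-destination sets are where the tuning in the bullets above lives; widening them suppresses routine automation without hiding novel destinations, which still score as "unusual".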

Mitigation priorities

  • Inventory Linux systems where outbound unencrypted transfer tools are allowed and determine whether that is necessary for business operations.
  • Restrict or monitor outbound unencrypted protocols from sensitive Linux servers, prioritizing systems that store regulated, operational, or high-value business data.
  • Apply least-privilege access to sensitive files and directories so routine users and service accounts cannot easily stage data they do not need.
  • Establish approved administrative transfer methods and document exceptions so the SOC can distinguish sanctioned automation from suspicious behavior.
  • Ensure incident response playbooks cover rapid validation of file staging, archive creation, destination ownership, and potential data exposure when this analytic fires.

Analyst notes and limits

This Glexia take is based only on the supplied ATT&CK analytic description: Linux file access or compression utilities followed by outbound connections using curl, wget, ftp, or custom binaries over unencrypted protocols. No official detection logic, tactics, relationships, aliases, or procedure examples were supplied, so the strongest use is as a defensive validation pattern for telemetry coverage and correlation design.

The source object is sparse: tactics are not specified, official detection content is not provided, and no related techniques, mitigations, data sources, or adversary relationships were supplied. Local asset criticality, normal administrative behavior, network architecture, and logging depth are required before assigning severity or measuring coverage.

Official MITRE ATT&CK definition

Analytic 0424

Detects file access or compression utilities followed by outbound connections using curl, wget, ftp, or custom binaries communicating over unencrypted protocols.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: a7be4bcaf5051160...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
| 19.1 | | 1.0 | | Current bundle | a7be4bcaf505… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0424 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.