MITRE ATT&CK® Analytic

AN0499: Analytic 0499

Correlated evidence of browser or webview fetches to uncommon domains or mutated JS resources (proxy/NGFW logs + Zeek/HTTP logs) followed by unexpected interpreters or script engines executing (python, ruby, sh) spawned from browser processes or user sessions, rapid on-disk staging in /tmp, and outbound connections that deviate from baseline. Defender sees: uncommon resource fetch → short-lived child process executions from user browser context → file writes in temp directories → anomalous outbound C2-like connections.

Enterprise | AN0499 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

AN0499 describes a Linux-focused detection analytic for a suspicious chain: a browser or webview retrieves uncommon or changed web resources, then unexpected interpreters such as python, ruby, or sh run from the browser/user context, files are staged quickly in /tmp, and outbound network connections diverge from normal behavior. The business value is correlation: each event may look benign alone, but together they can indicate a user-driven browser-to-script execution path that deserves rapid SOC triage.

Executive priority

Prioritize this analytic where Linux endpoints, developer workstations, or browser-based workflows are important to operations. Leaders should ask whether proxy/NGFW, Zeek/HTTP, endpoint process, file-write, and outbound connection telemetry are retained and correlated well enough to prove or disprove this behavior during an incident. This is also useful evidence for audit and readiness discussions because it tests whether network and endpoint monitoring can connect web activity to local execution and follow-on outbound traffic.

Technical view

Validate correlation across the sequence described by MITRE: browser or webview fetches to uncommon domains or mutated JavaScript resources; short-lived child process execution from browser or user-session context involving python, ruby, or sh; rapid file writes in /tmp; and outbound connections that deviate from baseline. Because no tactic or relationship context is supplied, treat this as a detection strategy requiring local baselining rather than a complete ATT&CK technique mapping.

Likely telemetry

  • Proxy or NGFW web request logs
  • Zeek/HTTP logs
  • Endpoint process creation telemetry on Linux
  • Parent-child process relationships for browser/webview processes and user sessions
  • Command interpreter execution records for python, ruby, and sh

Detection direction

  • Correlate network fetches and endpoint activity by host, user session, process context, and time window rather than alerting on a single event type.
  • Baseline common domains, JavaScript resources, browser extensions, developer tooling, and legitimate scripts to reduce false positives.
  • Tune for unexpected interpreter spawning from browser or webview context, especially when followed by temp-directory staging and anomalous outbound connections.
  • Confirm whether logs preserve parent process, command path, user context, destination, and timing; missing fields can break the analytic.
  • Review benign automation, testing frameworks, and developer workflows that may legitimately use browsers, interpreters, /tmp, and outbound connections.
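The correlation described in the Technical view and Detection direction sections, as an added example that is not MITRE or Glexia code: a small Python correlator that groups constructed telemetry by host and user session and reports only sequences that complete all four AN0499 stages in order inside a time window. The browser and interpreter name sets, the domain and destination baselines, the five-minute window and the event field names are assumptions for the demo and must be replaced with local baselines.

```python
from datetime import datetime, timedelta

BROWSERS = {"firefox", "chrome", "chromium", "webview"}
INTERPRETERS = {"python", "python3", "ruby", "sh"}
KNOWN_DOMAINS = {"intranet.example", "cdn.example.net"}  # assumed local baseline
KNOWN_DESTS = {"10.0.0.25", "cdn.example.net"}           # assumed local baseline
WINDOW = timedelta(minutes=5)                            # assumed correlation window

STAGES = (  # the AN0499 chain in order: (stage name, event kind, predicate)
    ("fetch",  "http", lambda e: e["proc"] in BROWSERS and e["domain"] not in KNOWN_DOMAINS),
    ("spawn",  "proc", lambda e: e["parent"] in BROWSERS and e["image"] in INTERPRETERS),
    ("stage",  "file", lambda e: e["path"].startswith("/tmp/")),
    ("beacon", "net",  lambda e: e["dest"] not in KNOWN_DESTS),
)

def correlate(events):
    """Per (host, user): report each uncommon fetch that is followed, in stage order and within WINDOW, by the other three stages."""
    groups, chains = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        groups.setdefault((e["host"], e["user"]), []).append(e)
    for (host, user), evs in groups.items():
        for i, start in enumerate(evs):
            if start["kind"] != "http" or not STAGES[0][2](start):
                continue
            matched = [start]
            for e in evs[i + 1:]:
                if e["ts"] - start["ts"] > WINDOW:
                    break  # chain did not complete inside the window: no alert
                _, kind, pred = STAGES[len(matched)]
                if e["kind"] == kind and pred(e):
                    matched.append(e)
                if len(matched) == len(STAGES):
                    chains.append({"host": host, "user": user, "events": matched})
                    break
    return chains

def ev(host, user, hms, kind, **fields):  # builds one constructed event record
    return {"host": host, "user": user, "kind": kind, "ts": datetime.fromisoformat(f"2026-01-15T{hms}"), **fields}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    ev("dev-01", "alice", "09:00:01", "http", proc="firefox", domain="cdn.example.net"),
    ev("dev-01", "alice", "09:00:04", "http", proc="firefox", domain="odd-cdn.example"),
    ev("dev-01", "alice", "09:00:06", "proc", parent="firefox", image="python3"),
    ev("dev-01", "alice", "09:00:07", "file", path="/tmp/.cache/stage.py"),
    ev("dev-01", "alice", "09:00:09", "net", dest="203.0.113.7"),
    ev("dev-02", "bob", "09:10:00", "http", proc="chrome", domain="odd-cdn.example"),  # same uncommon fetch...
    ev("dev-02", "bob", "09:10:02", "proc", parent="bash", image="python3"),  # ...but spawned from a shell, not the browser
    ev("dev-02", "bob", "09:10:03", "file", path="/tmp/build.log"),
    ev("dev-02", "bob", "09:10:05", "net", dest="203.0.113.9"),
]
```

Only the dev-01 session is reported: dev-02 shares the uncommon fetch, /tmp write and unusual destination, but its interpreter has a shell parent, so the chain never passes the spawn stage.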

Mitigation priorities

  • Ensure Linux endpoint logging captures process lineage, interpreter execution, and file writes in temporary directories.
  • Maintain proxy/NGFW and Zeek/HTTP visibility for browser-originated resource fetches and uncommon domains.
  • Implement baselines for normal outbound destinations and browser-driven workflows before relying on rarity-based alerting.
  • Harden incident response playbooks to investigate the full chain: fetched resource, spawned process, staged files, and outbound connection.
  • Use this analytic as a control-validation exercise for SOC correlation across network and endpoint data sources.

Analyst notes and limits

The supplied object is a detection analytic, not a technique, and includes no relationships or ATT&CK tactic mapping. Its strength is the described multi-signal correlation on Linux. Glexia would treat it as a readiness and detection-engineering validation item: can the environment connect web telemetry to endpoint process/file activity and then to outbound network behavior?

Official detection content is not provided, and no relationship context is supplied. The analytic is limited to the Linux platform in the supplied fields. Local baselines are required to determine what counts as uncommon, mutated, unexpected, rapid, or anomalous in a specific environment.

Official MITRE ATT&CK definition

Analytic 0499


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 6deef1bc4f6be0a3...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 6deef1bc4f6b…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0499 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.