AN0565: Analytic 0565
Applications such as `curl`, `wget`, or custom binaries initiate HTTPS connections where the TLS SNI is mismatched or absent while HTTP Host targets CDN-available C2 endpoints.
Analyst context for executives and security teams
This analytic highlights a practical egress-detection problem on Linux: command-line tools or custom binaries may make HTTPS connections where the TLS Server Name Indication is missing or does not match the HTTP Host header, with the Host pointing at CDN-reachable command-and-control infrastructure. For leaders, the value is not the specific tool name; it is whether the organization can see and govern outbound encrypted traffic well enough to spot suspicious domain-fronting-like inconsistencies.
Executive priority
Prioritize this where Linux systems have internet egress, production workloads can run tools such as curl or wget, or incident response depends on reconstructing outbound connections. The business question is whether security teams can prove, during an investigation or audit, that they capture enough network and endpoint evidence to identify mismatched TLS/HTTP routing indicators without disrupting legitimate CDN-dependent business traffic.
Technical view
SOC and detection teams should validate Linux endpoint and network visibility for HTTPS sessions where SNI is absent or inconsistent with the HTTP Host header. Because ATT&CK provides no official detection logic, teams should treat AN0565 as a validation prompt: confirm whether logs expose process name, command context, destination, TLS SNI, HTTP Host, and timing correlations. Focus on Linux executions of curl, wget, or unknown binaries initiating outbound HTTPS, especially when network metadata suggests CDN-routable destinations and header inconsistency.
Likely telemetry
- Linux process execution telemetry for curl, wget, and custom or uncommon binaries
- Endpoint network connection telemetry tying process context to destination IP, port, and timestamp
- Proxy, secure web gateway, firewall, or network sensor logs containing TLS SNI
- HTTP Host header logging where legally and technically available
- DNS resolution logs for destination domains
Detection direction
- Validate whether existing sensors can compare TLS SNI with HTTP Host for the same session; many environments log one but not both.
- Tune carefully for legitimate CDN, proxy, monitoring, package-management, and automation traffic that may use curl or wget frequently.
- Correlate network anomalies with Linux process execution to reduce false positives from shared infrastructure or benign CDN behavior.
- Review blind spots where direct internet egress bypasses proxies, encrypted traffic is not logged with sufficient metadata, or endpoint telemetry lacks command/process lineage.
- Because no ATT&CK relationships or tactics were supplied, do not infer adversary stage; use this analytic as a behavior-specific detection engineering test.
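The SNI/Host comparison and process correlation called for in the Technical view and the Detection direction items above, as an added Python example that is not part of the ATT&CK object or of Glexia's analysis. Every proxy record, process event, hostname, binary path and the approved-automation baseline below is constructed sample data; the field names and the correlation key (source IP, source port and a short time window) are assumptions about what a proxy, network sensor and endpoint agent expose, and will differ per product.

```python
"""Added example: correlate HTTPS proxy/sensor records with Linux process
telemetry and flag sessions where the TLS SNI is absent or differs from the
HTTP Host header. All records below are constructed, not real telemetry."""
from datetime import datetime, timedelta

# Constructed proxy/network-sensor records: one per HTTPS session.
PROXY_RECORDS = [
    {"ts": "2024-05-01T10:00:00", "src": "10.0.5.12", "sport": 51312,
     "dst": "203.0.113.10", "sni": "cdn.example.net", "host": "cdn.example.net"},
    {"ts": "2024-05-01T10:00:05", "src": "10.0.5.12", "sport": 51314,
     "dst": "203.0.113.10", "sni": "cdn.example.net", "host": "updates.c2.example"},
    {"ts": "2024-05-01T10:00:09", "src": "10.0.5.12", "sport": 51316,
     "dst": "203.0.113.10", "sni": None, "host": "files.c2.example"},
    {"ts": "2024-05-01T10:01:00", "src": "10.0.5.13", "sport": 40001,
     "dst": "198.51.100.7", "sni": "mirror.example.org", "host": "Mirror.example.org."},
    {"ts": "2024-05-01T10:02:00", "src": "10.0.5.14", "sport": 40500,
     "dst": "203.0.113.10", "sni": "cdn.example.net", "host": "agent.example.net"},
    {"ts": "2024-05-01T10:03:00", "src": "10.0.5.15", "sport": 40600,
     "dst": "203.0.113.10", "sni": "cdn.example.net", "host": "other.c2.example"},
]

# Constructed endpoint telemetry: the process that opened each source socket.
PROCESS_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "src": "10.0.5.12", "sport": 51312,
     "image": "/usr/bin/curl", "cmdline": "curl -sS https://cdn.example.net/pkg.tgz"},
    {"ts": "2024-05-01T10:00:04", "src": "10.0.5.12", "sport": 51314,
     "image": "/usr/bin/curl", "cmdline": "curl -sS https://cdn.example.net/"},
    {"ts": "2024-05-01T10:00:09", "src": "10.0.5.12", "sport": 51316,
     "image": "/tmp/.x/updater", "cmdline": "./updater"},
    {"ts": "2024-05-01T10:01:00", "src": "10.0.5.13", "sport": 40001,
     "image": "/usr/bin/wget", "cmdline": "wget https://mirror.example.org/index"},
    {"ts": "2024-05-01T10:02:01", "src": "10.0.5.14", "sport": 40500,
     "image": "/opt/agent/bin/agent", "cmdline": "/opt/agent/bin/agent --report"},
    # No process event exists for 10.0.5.15:40600: an endpoint visibility gap.
]

# Hypothetical baseline of approved automation known to send a Host that
# differs from the SNI (a vendor agent behind a shared CDN front). Keyed on
# (process image, SNI, Host) so the exception stays narrow.
APPROVED_MISMATCHES = {("/opt/agent/bin/agent", "cdn.example.net", "agent.example.net")}

CORRELATION_WINDOW = timedelta(seconds=2)  # assumed clock skew between sensors


def normalize_host(name):
    """Canonical form for comparison: lowercase, port stripped, no trailing dot."""
    if not name:
        return None
    name = name.strip().lower()
    if name.startswith("["):          # IPv6 literal, optionally with a port
        name = name[1:].split("]")[0]
    else:
        name = name.split(":")[0]
    return name.rstrip(".") or None


def find_process(rec, events):
    """Match a proxy record to the process that opened the same source socket
    within the correlation window; None when endpoint telemetry has no record."""
    t = datetime.fromisoformat(rec["ts"])
    for ev in events:
        if ev["src"] == rec["src"] and ev["sport"] == rec["sport"]:
            if abs(datetime.fromisoformat(ev["ts"]) - t) <= CORRELATION_WINDOW:
                return ev
    return None


def classify(rec, proc):
    """Return a finding label for one session, or None if it looks normal."""
    sni, host = normalize_host(rec["sni"]), normalize_host(rec["host"])
    if sni is None:
        return "sni_absent"
    if sni != host:
        if proc and (proc["image"], sni, host) in APPROVED_MISMATCHES:
            return None               # baselined automation, see Mitigation priorities
        return "sni_host_mismatch"
    return None


def detect(proxy_records, process_events):
    """Produce one alert per suspicious session, carrying process context when
    available and an explicit marker when endpoint telemetry is missing."""
    alerts = []
    for rec in proxy_records:
        proc = find_process(rec, process_events)
        label = classify(rec, proc)
        if label is None:
            continue
        alerts.append({
            "label": label,
            "src": f'{rec["src"]}:{rec["sport"]}',
            "dst": rec["dst"],
            "sni": rec["sni"],
            "host": rec["host"],
            "image": proc["image"] if proc else None,
            "cmdline": proc["cmdline"] if proc else None,
            "blind_spot": proc is None,  # no process lineage for this socket
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(PROXY_RECORDS, PROCESS_EVENTS):
        print(alert)
```

Running it yields three alerts: the curl session whose Host differs from its SNI, the unknown binary under /tmp with no SNI at all, and a mismatched session with no process context, which is reported with `blind_spot` set rather than dropped so the missing endpoint telemetry is visible to the analyst. The session from the baselined agent and the wget session whose Host differs only by case and a trailing dot produce nothing, which is the tuning the Detection direction asks for without resorting to a broad host allowlist.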
Mitigation priorities
- Establish governed egress paths for Linux systems and reduce unmanaged direct outbound HTTPS where feasible.
- Ensure proxy or network controls preserve actionable TLS SNI and HTTP Host metadata for investigation and compliance evidence.
- Baseline approved automation that uses curl or wget so anomalous usage is easier to distinguish.
- Apply least-privilege and change-control expectations to systems that can run custom binaries and initiate internet connections.
- Document exceptions for CDN-dependent services so detection tuning does not rely on broad allowlisting that hides header mismatches.
Analyst notes and limits
AN0565 is a detection analytic, not a technique description. Its decision value is in testing whether Linux endpoint and network telemetry can expose suspicious inconsistencies between TLS SNI and HTTP Host targeting CDN-available endpoints. No relationship context was supplied, so this take avoids attribution, campaign linkage, or impact assumptions.
The official object provides no detection logic, no tactics, and no relationships. Local validation is required to determine log availability, false-positive rates, encrypted-traffic visibility, and whether business applications legitimately produce similar SNI/Host patterns.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0805bd12007b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0565
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.