MITRE ATT&CK® Analytic

AN0633: Analytic 0633

Processes initiating outbound connections on uncommon ports or using protocols inconsistent with the assigned port. Correlating process creation with subsequent network connections reveals anomalies such as svchost.exe or Office applications using high, atypical ports.

Enterprise · AN0633 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

AN0633 is a Windows detection analytic focused on finding processes that make outbound network connections on unusual ports or use protocols that do not match the expected port. Its business value is in surfacing command-and-control-like or policy-violating network behavior that may be missed if teams only monitor domains, IP addresses, or malware signatures. For leaders, the key question is whether endpoint process activity and network connection evidence can be correlated quickly enough to support incident triage and containment.

Executive priority

Prioritize this analytic where Windows endpoints are important to business operations and where outbound network access is a material control point. It helps validate whether SOC and incident response teams can connect “which process did it” to “where did it connect,” which is often decisive for scoping an incident, justifying containment, and producing audit evidence for monitoring controls. Because ATT&CK provides no tactic mapping or relationship context for this object, it should be treated as a coverage validation analytic rather than a standalone risk conclusion.

Technical view

SOC and detection teams should validate correlation between Windows process creation telemetry and outbound network connection telemetry. The analytic is concerned with processes initiating outbound connections on uncommon ports or with protocol/port mismatches, including examples such as svchost.exe or Office applications using high, atypical ports. Detection engineering should define local baselines for expected process-to-port behavior, then alert on deviations that are rare for the environment and meaningful to investigate.

Likely telemetry

  • Windows process creation events, including executable name/path, command line where available, parent process, user, host, and timestamp
  • Endpoint or host-based network connection events showing destination IP, destination port, protocol, process identity, user, host, and timestamp
  • Network security logs or flow records that can corroborate outbound destination, port, and protocol
  • Asset and application context to distinguish approved business applications from unusual process-to-port behavior

Detection direction

  • Confirm that process creation and outbound network connection events can be joined by host, process, user, and time window.
  • Baseline common Windows service, browser, Office, management, and business application network behavior before treating uncommon ports as suspicious.
  • Tune for environment-specific exceptions such as approved agents, updaters, remote support tools, and internal applications that legitimately use high or nonstandard ports.
  • Investigate protocol and port inconsistency, not only rare ports; mismatches may be more useful than port rarity alone.
  • Because no official detection logic is supplied, test candidate analytics against local telemetry quality and false-positive rates before operational use.
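The correlation and baselining steps above, as an added example that is not part of the ATT&CK object or of Glexia's page: a Python sketch that joins constructed Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records by host and PID, then flags destination ports outside an assumed per-process baseline and protocol/port mismatches. The `BASELINE` and `PORT_PROTOCOL` tables, the event field names and the sample events are all assumptions for illustration; the baseline in particular must come from local observation, as the text says.

```python
"""Correlate Windows process-creation events with outbound connections and
flag uncommon process-to-port behaviour and protocol/port mismatches.

Added example: the events below are constructed, not from any real host, and
the field names only loosely follow Sysmon Event ID 1 / Event ID 3.
"""
from datetime import datetime

# Constructed process-creation events (Sysmon Event ID 1 style).
PROCESS_EVENTS = [
    {"host": "WS01", "pid": 4120, "image": "svchost.exe", "parent_image": "services.exe",
     "user": "NT AUTHORITY\\SYSTEM", "time": "2024-05-01T10:00:00"},
    {"host": "WS01", "pid": 5532, "image": "winword.exe", "parent_image": "explorer.exe",
     "user": "CORP\\alice", "time": "2024-05-01T10:02:00"},
    {"host": "WS02", "pid": 3310, "image": "outlook.exe", "parent_image": "explorer.exe",
     "user": "CORP\\bob", "time": "2024-05-01T10:01:00"},
    {"host": "WS02", "pid": 3001, "image": "chrome.exe", "parent_image": "explorer.exe",
     "user": "CORP\\bob", "time": "2024-05-01T10:03:00"},
]

# Constructed outbound connection events (Sysmon Event ID 3 style).
# Destination addresses are from documentation ranges (TEST-NET).
NETWORK_EVENTS = [
    {"host": "WS01", "pid": 4120, "image": "svchost.exe", "protocol": "tcp",
     "dst_ip": "203.0.113.10", "dst_port": 443, "time": "2024-05-01T10:00:30"},
    {"host": "WS01", "pid": 4120, "image": "svchost.exe", "protocol": "tcp",
     "dst_ip": "203.0.113.20", "dst_port": 44320, "time": "2024-05-01T10:01:10"},
    {"host": "WS01", "pid": 5532, "image": "winword.exe", "protocol": "tcp",
     "dst_ip": "198.51.100.5", "dst_port": 8765, "time": "2024-05-01T10:02:45"},
    {"host": "WS02", "pid": 3001, "image": "chrome.exe", "protocol": "tcp",
     "dst_ip": "203.0.113.30", "dst_port": 443, "time": "2024-05-01T10:03:20"},
    {"host": "WS02", "pid": 3310, "image": "outlook.exe", "protocol": "udp",
     "dst_ip": "198.51.100.9", "dst_port": 443, "time": "2024-05-01T10:04:00"},
    # No matching process-creation event exists for this PID: a telemetry gap.
    {"host": "WS02", "pid": 9999, "image": "svchost.exe", "protocol": "tcp",
     "dst_ip": "203.0.113.40", "dst_port": 8443, "time": "2024-05-01T10:05:00"},
]

# ASSUMED per-process port baseline. In practice this is derived from weeks of
# local telemetry and reviewed against the approved application inventory.
BASELINE = {
    "svchost.exe": {53, 80, 123, 135, 443, 445, 3389},
    "outlook.exe": {25, 443, 587, 993},
    "winword.exe": {80, 443},
    "chrome.exe": {80, 443},
}
# Transport protocol expected on well-known ports (assumed, partial).
PORT_PROTOCOL = {53: {"tcp", "udp"}, 80: {"tcp"}, 123: {"udp"},
                 443: {"tcp"}, 445: {"tcp"}, 3389: {"tcp", "udp"}}
HIGH_PORT = 1024  # ports at or above this are treated as "high"


def _index_process_events(process_events):
    """Group process-creation events by (host, pid), oldest first."""
    index = {}
    for ev in process_events:
        index.setdefault((ev["host"], ev["pid"]), []).append(ev)
    for events in index.values():
        events.sort(key=lambda e: datetime.fromisoformat(e["time"]))
    return index


def find_process_context(net_event, process_index):
    """Return the latest process-creation event on the same host and PID that
    precedes the connection, or None. Taking the latest preceding creation
    event handles PID reuse between two processes."""
    conn_time = datetime.fromisoformat(net_event["time"])
    match = None
    for ev in process_index.get((net_event["host"], net_event["pid"]), []):
        if datetime.fromisoformat(ev["time"]) <= conn_time:
            match = ev
        else:
            break
    return match


def evaluate(net_event, baseline=BASELINE, port_protocol=PORT_PROTOCOL):
    """Return the list of reasons a connection deviates from the baseline.
    Images without a baseline entry are not judged on port rarity (they need
    baselining first), but protocol/port mismatch is checked for everyone."""
    reasons = []
    image = net_event["image"].lower()
    port, proto = net_event["dst_port"], net_event["protocol"].lower()
    expected = baseline.get(image)
    if expected is not None and port not in expected:
        reasons.append("atypical_high_port" if port >= HIGH_PORT else "uncommon_port")
    if port in port_protocol and proto not in port_protocol[port]:
        reasons.append("protocol_port_mismatch")
    return reasons


def detect(process_events=PROCESS_EVENTS, network_events=NETWORK_EVENTS, baseline=BASELINE):
    """Join connections to their initiating process and emit triage records."""
    index = _index_process_events(process_events)
    alerts = []
    for net in network_events:
        reasons = evaluate(net, baseline)
        if not reasons:
            continue
        ctx = find_process_context(net, index)
        alerts.append({
            "host": net["host"], "pid": net["pid"], "image": net["image"],
            "destination": f'{net["dst_ip"]}:{net["dst_port"]}/{net["protocol"]}',
            "reasons": reasons,
            "parent_image": ctx["parent_image"] if ctx else None,
            "user": ctx["user"] if ctx else None,
            "process_context": ctx is not None,  # False marks a telemetry gap
        })
    return alerts


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

With the constructed data this yields four triage records: svchost.exe and winword.exe on high atypical ports, outlook.exe sending UDP to 443 (a mismatch on a port that is otherwise in its baseline, which is why mismatch is checked independently of rarity), and one connection whose PID has no process-creation event, which the `process_context` flag surfaces as a logging gap rather than silently dropping.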

Mitigation priorities

  • Ensure Windows endpoint logging or EDR configuration captures both process creation and process-associated network connections.
  • Restrict unnecessary outbound connectivity through network egress controls where operationally feasible.
  • Maintain an approved application and service inventory to support exception handling and faster triage.
  • Use incident response playbooks that require analysts to identify the initiating process, user, host, destination, and business justification before closing alerts.
  • Review monitoring evidence periodically for compliance readiness, especially where outbound traffic control is part of the control framework.

Analyst notes and limits

This object is an ATT&CK detection analytic, not a technique. The supplied description supports Windows-focused detection engineering around anomalous process-to-port behavior. No tactics, related techniques, groups, software, campaigns, or official detection logic were supplied, so this take avoids attribution and active exploitation claims.

Coverage depends on local telemetry fidelity and the ability to correlate endpoint process events with network connection records. “Uncommon” and “atypical” are environment-dependent, so local baselining is required. The object contains no official detection implementation, no relationship context, and no non-Windows platform support.

Official MITRE ATT&CK definition

Analytic 0633

Processes initiating outbound connections on uncommon ports or using protocols inconsistent with the assigned port. Correlating process creation with subsequent network connections reveals anomalies such as svchost.exe or Office applications using high, atypical ports.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 21babe98bf659a69...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 21babe98bf65…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0633

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.