MITRE ATT&CK® Analytic

AN0637: Analytic 0637

Initial process initiates outbound connection to first-stage C2, receives payloads or commands, then spawns or injects into a second process that establishes a new outbound connection to an unrelated destination (second-stage C2).

Enterprise | AN0637 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic describes a Windows pattern where an initial process talks to a first-stage command-and-control destination, then causes a second process to make a separate outbound connection to an unrelated destination. For leaders, the practical issue is whether the organization can connect process activity with network activity across time and process lineage; without that linkage, staged intrusions can look like isolated outbound connections rather than one coordinated sequence.

Executive priority

Prioritize this as a validation point for SOC and incident response readiness rather than as a standalone risk claim. It tests whether endpoint and network telemetry can support decisions during an intrusion: which process started the activity, whether a second process was spawned or injected into, and whether outbound destinations changed in a suspicious sequence. This is relevant to business continuity because missed staged C2 behavior can delay containment and increase uncertainty during incident triage.

Technical view

For Windows environments, validate whether detections can correlate an initial process making an outbound connection, receiving follow-on content or commands, and then spawning or injecting into another process that makes a new outbound connection to an unrelated destination. Because the ATT&CK object provides no official detection logic and no tactic mapping, teams should treat this as a behavior-correlation use case, not a signature. IR teams should ensure investigations preserve process lineage, network connection timing, destination metadata, and evidence of process creation or injection-like behavior.

Likely telemetry

  • Windows process creation events with parent-child relationships
  • Endpoint telemetry showing process injection or cross-process activity, where available
  • Network connection telemetry tied to process identity
  • DNS and destination metadata for first-stage and second-stage outbound connections
  • EDR event timelines linking process activity to outbound connections

Detection direction

  • Validate correlation between endpoint process lineage and outbound network connections, rather than alerting only on individual destinations.
  • Look for sequences where one process establishes outbound communication and shortly afterward spawns or manipulates a second process that connects to a different external destination.
  • Tune for environment-specific false positives such as legitimate updaters, browsers, scripting tools, remote management software, and security agents that spawn helper processes and contact multiple services.
  • Identify blind spots where network logs lack process context or endpoint telemetry lacks destination details; either gap can prevent confident confirmation of the described behavior.
  • Because no official detection text or relationship context is supplied, require local baselining and analyst review before treating matches as high-confidence malicious activity.
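The correlation described under Technical view and Detection direction, worked through as an added example (not code from the ATT&CK object or from Glexia). It assumes Sysmon-style field names (event_id 1 = process creation, 3 = network connection, 8 = CreateRemoteThread as the injection-like signal), two hypothetical time windows, a hypothetical allowlist of parent images, and a constructed event sample; map the field names to whatever your EDR actually emits.

```python
"""Correlate a two-stage outbound C2 sequence across process lineage.

Added example; field names follow Sysmon conventions but are assumptions.
Real Sysmon keys processes by ProcessGuid; pid alone is subject to reuse.
"""
from datetime import datetime, timedelta

# Tuning knobs (assumed values; baseline them per environment).
LINK_WINDOW = timedelta(minutes=5)     # first-stage connection -> spawn/inject
CONNECT_WINDOW = timedelta(minutes=5)  # spawn/inject -> second-stage connection
# Parents expected to spawn helpers that reach many services (updaters, RMM,
# security agents). Hypothetical path; populate from local baselining.
ALLOWLISTED_PARENTS = {r"c:\program files\rmmvendor\agent.exe"}

# Constructed sample telemetry (not real logs). Timestamps are UTC.
SAMPLE_EVENTS = [
    # Case 1: dropper connects out, spawns rundll32, which connects elsewhere.
    {"ts": "2024-05-01T10:00:00", "event_id": 3, "pid": 4100,
     "image": r"C:\Users\u\AppData\Local\Temp\stage1.exe",
     "dst_ip": "203.0.113.10", "dst_host": "cdn.example"},
    {"ts": "2024-05-01T10:00:04", "event_id": 1, "pid": 4212, "ppid": 4100,
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Temp\stage1.exe"},
    {"ts": "2024-05-01T10:00:09", "event_id": 3, "pid": 4212,
     "image": r"C:\Windows\System32\rundll32.exe",
     "dst_ip": "198.51.100.7", "dst_host": "files.example.net"},
    # Case 2: loader connects out, injects into explorer.exe, which connects elsewhere.
    {"ts": "2024-05-01T10:05:00", "event_id": 3, "pid": 5000,
     "image": r"C:\Users\u\Downloads\loader.exe",
     "dst_ip": "203.0.113.20", "dst_host": ""},
    {"ts": "2024-05-01T10:05:30", "event_id": 8, "source_pid": 5000,
     "source_image": r"C:\Users\u\Downloads\loader.exe",
     "target_pid": 5100, "target_image": r"C:\Windows\explorer.exe"},
    {"ts": "2024-05-01T10:06:00", "event_id": 3, "pid": 5100,
     "image": r"C:\Windows\explorer.exe",
     "dst_ip": "198.51.100.30", "dst_host": ""},
    # Case 3 (benign): updater spawns a helper that talks to the same service.
    {"ts": "2024-05-01T10:10:00", "event_id": 3, "pid": 6000,
     "image": r"C:\Program Files\Updater\updater.exe",
     "dst_ip": "192.0.2.5", "dst_host": "updates.vendor.example"},
    {"ts": "2024-05-01T10:10:02", "event_id": 1, "pid": 6010, "ppid": 6000,
     "image": r"C:\Program Files\Updater\helper.exe",
     "parent_image": r"C:\Program Files\Updater\updater.exe"},
    {"ts": "2024-05-01T10:10:05", "event_id": 3, "pid": 6010,
     "image": r"C:\Program Files\Updater\helper.exe",
     "dst_ip": "192.0.2.6", "dst_host": "updates.vendor.example"},
    # Case 4 (benign, allowlisted): RMM agent spawns cmd.exe that reaches another service.
    {"ts": "2024-05-01T10:20:00", "event_id": 3, "pid": 7000,
     "image": r"C:\Program Files\RMMVendor\agent.exe",
     "dst_ip": "192.0.2.40", "dst_host": "rmm.vendor.example"},
    {"ts": "2024-05-01T10:20:01", "event_id": 1, "pid": 7010, "ppid": 7000,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\RMMVendor\agent.exe"},
    {"ts": "2024-05-01T10:20:03", "event_id": 3, "pid": 7010,
     "image": r"C:\Windows\System32\cmd.exe",
     "dst_ip": "192.0.2.41", "dst_host": "scripts.vendor.example"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def outbound_by_pid(events):
    """pid -> list of (ts, dst_ip, dst_host) for outbound connections."""
    conns = {}
    for e in events:
        if e["event_id"] == 3:
            conns.setdefault(e["pid"], []).append((_ts(e), e["dst_ip"], e["dst_host"]))
    return conns


def process_links(events):
    """Yield (ts, kind, parent_pid, parent_image, child_pid, child_image)
    for process creation (spawn) and CreateRemoteThread (inject) events."""
    for e in events:
        if e["event_id"] == 1:
            yield (_ts(e), "spawn", e["ppid"], e["parent_image"], e["pid"], e["image"])
        elif e["event_id"] == 8:
            yield (_ts(e), "inject", e["source_pid"], e["source_image"],
                   e["target_pid"], e["target_image"])


def unrelated(first, second):
    """Destinations are 'unrelated' when neither IP nor hostname matches.
    Same hostname on a different IP (CDN rotation) is treated as related."""
    same_host = first[2] and second[2] and first[2].lower() == second[2].lower()
    return first[1] != second[1] and not same_host


def find_staged_c2(events, link_window=LINK_WINDOW, connect_window=CONNECT_WINDOW):
    """Parent connected out, then spawned/injected a child that connected to an
    unrelated destination, all within the windows: one finding per such pair."""
    conns = outbound_by_pid(events)
    findings = []
    for link_ts, kind, ppid, pimage, cpid, cimage in process_links(events):
        if pimage.lower() in ALLOWLISTED_PARENTS:
            continue  # environment-specific tuning for known helper-spawners
        first_stage = [c for c in conns.get(ppid, [])
                       if link_ts - link_window <= c[0] <= link_ts]
        if not first_stage:
            continue  # parent never talked out before the spawn/inject
        for second in conns.get(cpid, []):
            if not (link_ts <= second[0] <= link_ts + connect_window):
                continue
            if all(unrelated(first, second) for first in first_stage):
                findings.append({
                    "kind": kind, "parent_pid": ppid, "parent_image": pimage,
                    "first_stage": first_stage[-1][1:],
                    "child_pid": cpid, "child_image": cimage,
                    "second_stage": second[1:],
                    "seconds_between": (second[0] - first_stage[-1][0]).total_seconds(),
                })
    return findings


if __name__ == "__main__":
    for finding in find_staged_c2(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, this flags case 1 (spawn) and case 2 (inject) and suppresses the updater (same hostname, so the destination is treated as related) and the allowlisted RMM agent. The hostname comparison is deliberately coarse: two hostnames under one registrable domain are still reported as unrelated, so the analyst review that the bullets above call for remains necessary before treating a match as malicious.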

Mitigation priorities

  • Ensure Windows endpoint telemetry and network telemetry are both collected and time-synchronized.
  • Strengthen EDR coverage for process creation, parent-child lineage, and cross-process behavior where supported.
  • Review egress monitoring controls so unusual process-to-destination patterns can be investigated, even when the destinations themselves are not known-bad.
  • Maintain incident response playbooks that preserve endpoint timelines, network logs, DNS data, and proxy/firewall records for staged outbound activity.
  • Use allowlisting, least privilege, and application control where appropriate to reduce unauthorized process spawning and execution paths, while validating operational impact.

Analyst notes and limits

This object is a detection analytic, not a technique description. The supplied ATT&CK fields identify Windows as the platform and describe a staged outbound C2 pattern involving process spawning or injection into a second process. No tactics, official detection logic, aliases, labels, or relationship context were supplied, so the take focuses on defensive validation and telemetry requirements.

Assessment is limited to the supplied ATT&CK analytic fields and external reference. It does not establish active exploitation, adversary attribution, prevalence, impact, or guaranteed detection coverage. Local environment baselines and available telemetry determine whether this behavior can be detected reliably.

Official MITRE ATT&CK definition

Analytic 0637

Initial process initiates outbound connection to first-stage C2, receives payloads or commands, then spawns or injects into a second process that establishes a new outbound connection to an unrelated destination (second-stage C2).

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Where ATT&CK supplies related groups, software, data sources, or mitigations for an object, validate them against the official ATT&CK relationships and your own telemetry before making control-coverage decisions; for this analytic no relationships are currently mirrored, so coverage decisions rest on local telemetry alone.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (blank in mirrored snapshot)
Modified: (blank in mirrored snapshot)
Raw hash: bc110116aab60f86...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (blank) | 1.0 | (blank) | Current bundle | bc110116aab6…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0637 (MITRE-hosted entry on attack.mitre.org)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.