MITRE ATT&CK® Analytic

AN0760: Analytic 0760

Processes like curl, wget, python, socat, or custom binaries initiating TLS/SSL sessions to non-standard destinations. Defender sees abnormal syscalls for connect(), loading of libssl libraries, and persistent outbound encrypted traffic from daemons not normally communicating externally.

Domain: Enterprise | ID: AN0760 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is useful because encrypted outbound traffic from Linux systems can hide command and control, data movement, or unauthorized service behavior from simple network inspection. The business question is not whether curl, wget, python, socat, or custom binaries are bad; it is whether the organization can distinguish expected encrypted egress from unusual TLS sessions started by daemons or tools that should not normally communicate externally.

Executive priority

Prioritize this as an egress visibility and Linux workload monitoring issue. Leaders should ask whether critical Linux servers have defined outbound communication baselines, whether SOC teams can see process-to-network context, and whether encrypted traffic from sensitive systems is governed by policy. This supports incident decision-making, resilience, and audit evidence by showing that outbound encrypted communications are monitored rather than implicitly trusted.

Technical view

For Linux environments, validate whether telemetry can connect outbound TLS/SSL sessions to the initiating process, command context, loaded SSL libraries, and destination characteristics. The supplied analytic points to processes such as curl, wget, python, socat, or custom binaries initiating TLS/SSL sessions to non-standard destinations, with evidence including connect() activity, libssl library loading, and persistent encrypted outbound traffic from daemons not normally communicating externally. Because no ATT&CK tactic or formal detection logic is supplied, teams should treat this as a detection engineering hypothesis requiring local baselines and tuning.

Likely telemetry

  • Linux process execution telemetry for curl, wget, python, socat, daemons, and custom binaries
  • Process-to-network connection records showing outbound destination, port, protocol, and duration
  • System call or endpoint telemetry for connect() activity (for example auditd syscall rules or eBPF tracing that records the calling pid alongside the destination)
  • Library load telemetry for SSL/TLS libraries such as libssl; note that curl may be built against GnuTLS or another TLS backend on some distributions, and statically linked clients (Go, Rust) load no TLS library at all, so this signal has to be combined with port or network-side evidence rather than used alone
  • Network egress logs showing persistent encrypted outbound sessions

Detection direction

  • Baseline expected outbound TLS/SSL behavior for Linux servers and service accounts before alerting on tool names alone.
  • Correlate network connections with process identity and parent process context to separate legitimate package retrieval, automation, or health checks from abnormal encrypted egress.
  • Prioritize unusual persistent outbound encrypted traffic from daemons that do not normally communicate externally.
  • Define "non-standard destination" relative to the host's baseline (destinations outside approved mirrors, SaaS endpoints, and internal services) and alert on deviations from it rather than assuming all TLS traffic is benign.
  • Account for false positives from administrative scripts, software updates, monitoring agents, backup tools, and approved automation using curl, wget, or python.
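As an added example (not MITRE's analytic logic or Glexia's code), the following Python script applies the detection direction above to constructed process-to-network events. It assumes that endpoint telemetry has already been joined into one JSON object per line carrying the process name (comm), pid, ppid, parent process name, destination IP and port, session duration, and the shared libraries the process loaded; the baseline, the no-egress daemon list, the thresholds and every event are constructed for illustration, and documentation address ranges stand in for external hosts.

```python
"""Baseline-aware triage of outbound TLS sessions on a Linux host.

Added example for this page; not MITRE or Glexia code. The event schema
(one JSON object per line: comm, pid, ppid, parent_comm, dst_ip, dst_port,
duration_s, libs), the baseline and the sample events are all constructed.
"""
import json
from ipaddress import ip_address, ip_network

TLS_PORTS = {443, 8443}              # "standard" encrypted egress ports (assumption)
PERSISTENT_SECONDS = 600             # constructed threshold for "persistent"
TLS_LIBS = ("libssl", "libgnutls")   # userspace TLS libraries seen at load time

# Constructed baseline: comm -> destination networks it is expected to reach.
# In production this comes from a learning window per host or service tier.
BASELINE = {
    "curl": ["198.51.100.0/24"],        # package mirror (documentation range)
    "backup-agent": ["10.20.0.0/16"],   # internal backup target
}
# Daemons that should never initiate outbound TLS from this host (constructed).
NO_EGRESS_DAEMONS = {"nginx", "postgres", "sshd"}
# Organisation-internal ranges (RFC 1918); findings there are lower priority.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed connect() events. Documentation ranges stand in for external hosts.
SAMPLE_EVENTS = """\
{"comm":"curl","pid":4120,"ppid":3001,"parent_comm":"apt-get","dst_ip":"198.51.100.10","dst_port":443,"duration_s":3,"libs":["libssl.so.3"]}
{"comm":"curl","pid":4188,"ppid":3950,"parent_comm":"bash","dst_ip":"203.0.113.7","dst_port":443,"duration_s":2,"libs":["libssl.so.3"]}
{"comm":"python3","pid":2210,"ppid":1,"parent_comm":"systemd","dst_ip":"203.0.113.20","dst_port":443,"duration_s":7200,"libs":["libssl.so.3","libcrypto.so.3"]}
{"comm":"nginx","pid":811,"ppid":1,"parent_comm":"systemd","dst_ip":"203.0.113.9","dst_port":443,"duration_s":3600,"libs":["libssl.so.3"]}
{"comm":"backup-agent","pid":1502,"ppid":1,"parent_comm":"systemd","dst_ip":"10.20.0.5","dst_port":443,"duration_s":900,"libs":["libssl.so.3"]}
{"comm":"socat","pid":5001,"ppid":3950,"parent_comm":"bash","dst_ip":"192.0.2.44","dst_port":9443,"duration_s":40,"libs":["libssl.so.3"]}
{"comm":"updater","pid":5100,"ppid":1,"parent_comm":"systemd","dst_ip":"203.0.113.50","dst_port":443,"duration_s":5,"libs":[]}
{"comm":"python3","pid":5200,"ppid":2999,"parent_comm":"cron","dst_ip":"10.0.5.8","dst_port":443,"duration_s":4,"libs":["libssl.so.3"]}
"""


def uses_tls(ev):
    """Treat the session as encrypted if a TLS library was loaded or a TLS port was used.
    Statically linked clients (Go, rustls) load no libssl, so the port check matters;
    network-side JA3/SNI evidence would be the better signal for those."""
    loaded = " ".join(ev.get("libs", []))
    return ev["dst_port"] in TLS_PORTS or any(lib in loaded for lib in TLS_LIBS)


def baseline_status(comm, ip, baseline):
    """None = process has no baseline; True/False = destination inside/outside it."""
    nets = baseline.get(comm)
    if nets is None:
        return None
    return any(ip in ip_network(n) for n in nets)


def triage(lines, baseline=BASELINE, no_egress=NO_EGRESS_DAEMONS):
    """Return one finding per TLS session that deviates from expectations."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if not uses_tls(ev):
            continue
        ip = ip_address(ev["dst_ip"])
        reasons = []
        if ev["comm"] in no_egress:
            reasons.append("daemon not expected to egress")
        status = baseline_status(ev["comm"], ip, baseline)
        if status is None:
            reasons.append("process has no outbound TLS baseline")
        elif status is False:
            reasons.append("destination outside baseline")
        if ev["dst_port"] not in TLS_PORTS:
            reasons.append(f"TLS on non-standard port {ev['dst_port']}")
        if not reasons:
            continue                      # expected egress, nothing to raise
        if ev["duration_s"] >= PERSISTENT_SECONDS:
            reasons.append("persistent session")
        if any(ip in n for n in INTERNAL_NETS):
            severity = "low"              # internal destination: review, do not page
        else:
            severity = "high" if len(reasons) >= 2 else "medium"
        findings.append({
            "comm": ev["comm"], "pid": ev["pid"], "parent": ev["parent_comm"],
            "dst": f"{ip}:{ev['dst_port']}", "severity": severity, "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["comm"], f["dst"], "<-", f["parent"], "|", "; ".join(f["reasons"]))
```

Running it prints one line per finding. The two baselined sessions (curl to the package mirror, backup-agent to its internal target) are suppressed; the statically linked updater is caught only through its destination port because it loaded no libssl; and the python3 session to an internal address is downgraded rather than dropped. The baseline dictionary is the part that must come from the environment; everything else is mechanics.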

Mitigation priorities

  • Define and enforce expected outbound egress paths for Linux workloads, especially sensitive servers.
  • Maintain service and daemon communication baselines so abnormal external TLS sessions are reviewable.
  • Improve endpoint and network telemetry correlation for process-to-destination visibility.
  • Restrict unnecessary outbound access where business function does not require it.
  • Review approved administrative automation that uses curl, wget, python, or socat so detections can be tuned without suppressing meaningful anomalies.

Analyst notes and limits

This object is a detection analytic, not a technique. It provides Linux platform scope and a behavioral description but does not include a formal detection query, tactic mapping, mitigation mapping, or relationship context. The decision value is strongest for organizations operating Linux servers where encrypted outbound communications should be predictable and governed.

No official detection text, tactic, relationship context, attribution, or exploitation status was supplied. Local environment baselines are required to determine what counts as a non-standard destination or an abnormal daemon connection. This summary should not be read as proof of compromise or as guaranteed detection coverage.

Official MITRE ATT&CK definition

Analytic 0760

Processes like curl, wget, python, socat, or custom binaries initiating TLS/SSL sessions to non-standard destinations. Defender sees abnormal syscalls for connect(), loading of libssl libraries, and persistent outbound encrypted traffic from daemons not normally communicating externally.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Before making control-coverage decisions, validate any related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry; the current normalized data records no relationships for this object, so that validation currently rests on local telemetry alone.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: e8350fd2f170e1ce...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | e8350fd2f170…

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0760 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.