MITRE ATT&CK® Analytic

AN0923: Analytic 0923

`curl`, `wget`, `ncat`, `socat`, or custom binaries initiate outbound traffic to Internet-based proxies (e.g., via VPS or CDN). Behavior may include reverse shell constructs or persistent outbound beacons.

Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because common Linux transfer and networking tools such as curl, wget, ncat, and socat can create outbound connections to Internet-hosted infrastructure, including VPS or CDN-fronted proxies. For leaders, the business issue is not the tools themselves—they are often legitimate—but whether the organization can distinguish normal administrative or application traffic from suspicious outbound proxying, reverse-shell-like behavior, or persistent beaconing.

Executive priority

Prioritize this as an egress visibility and Linux monitoring question. Security leaders should ask whether Linux servers and workloads have controlled outbound Internet access, whether proxy/CDN/VPS destinations are reviewed, and whether SOC teams can investigate unusual outbound sessions from production systems. This is especially relevant to incident response readiness and compliance evidence because lack of outbound telemetry can leave teams unable to prove whether a host communicated externally during an incident.

Technical view

For Linux environments, validate monitoring around outbound network connections initiated by curl, wget, ncat, socat, and unknown or custom binaries. Because no official detection logic or ATT&CK tactic is supplied, teams should treat this as a detection coverage objective rather than a finished analytic. Focus on process-to-network correlation, command-line context where available, destination reputation or ownership, unusual persistence or beacon timing, and whether the destination appears to be an Internet-based proxy, VPS, or CDN endpoint. Tune carefully because curl and wget are common in administration, package retrieval, automation, and application workflows.

Likely telemetry

  • Linux process creation events including executable name, command line, parent process, user, and working directory
  • Network connection telemetry showing source host, destination IP/domain, port, protocol, connection timing, and byte counts
  • DNS query logs for domains contacted by Linux hosts
  • Web proxy, secure web gateway, firewall, or egress gateway logs
  • Endpoint telemetry capable of linking processes to outbound network activity

Detection direction

  • Inventory where curl, wget, ncat, socat, and custom binaries are expected to run, then alert on unusual hosts, users, parent processes, destinations, or schedules.
  • Correlate outbound connections with process execution rather than relying only on network logs; network-only visibility may miss which binary initiated the traffic.
  • Look for persistent or periodic outbound sessions that could indicate beacon-like behavior, while accounting for legitimate monitoring agents, update jobs, and automation.
  • Review connections to VPS, CDN, or proxy-like Internet infrastructure in context; these destinations can be legitimate and should not be treated as malicious by default.
  • Validate DNS and egress logging retention so incident responders can reconstruct historical outbound activity from Linux systems.
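As an added illustration (not part of the ATT&CK analytic or Glexia's text) of the process-to-network correlation and beacon-timing checks listed above, the following Python runs over constructed sample telemetry; KNOWN_BINARIES and ALLOWED_DST stand in for a site's own baseline and are assumptions:

```python
from collections import defaultdict
from statistics import mean, pstdev

WATCHED = {"curl", "wget", "ncat", "socat"}
# Site baselines (assumed here): expected binaries and approved egress destinations.
KNOWN_BINARIES = WATCHED | {"apt", "sshd", "bash", "cron"}
ALLOWED_DST = {"10.20.0.5"}
# Constructed sample telemetry: process events by pid; outbound connections (ts in s).
PROCS = {
    101: {"exe": "curl", "parent": "apt", "user": "root"},
    202: {"exe": "socat", "parent": "bash", "user": "www-data"},
    303: {"exe": "agentd", "parent": "cron", "user": "nobody"},
}
CONNS = [
    {"pid": 101, "dst": "10.20.0.5", "port": 443, "ts": 1000},
    {"pid": 202, "dst": "203.0.113.10", "port": 443, "ts": 1005},
    {"pid": 303, "dst": "198.51.100.7", "port": 8443, "ts": 1010},
    {"pid": 303, "dst": "198.51.100.7", "port": 8443, "ts": 1071},
    {"pid": 303, "dst": "198.51.100.7", "port": 8443, "ts": 1130},
]

def periodic_sessions(conns, min_count=3, max_jitter=0.2):
    # Beacon-like: >= min_count connections whose gaps vary < max_jitter (stdev/mean).
    by_key = defaultdict(list)
    for c in sorted(conns, key=lambda c: c["ts"]):
        by_key[(c["pid"], c["dst"], c["port"])].append(c["ts"])
    hits = []
    for key, times in by_key.items():
        if len(times) < min_count:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < max_jitter:
            hits.append(key)
    return hits

def correlate(procs, conns, known=KNOWN_BINARIES, allowed=ALLOWED_DST):
    # Join each connection to its process (network-only logs cannot name the
    # binary) and collect alert reasons per (pid, dst, port) session.
    beacons = set(periodic_sessions(conns))
    alerts = defaultdict(set)
    for c in conns:
        key, p = (c["pid"], c["dst"], c["port"]), procs.get(c["pid"])
        if p is None:
            alerts[key].add("no process context for connection")
        elif p["exe"] in WATCHED and c["dst"] not in allowed:
            alerts[key].add(f"{p['exe']} to non-approved destination")
        elif p["exe"] not in known:
            alerts[key].add("unknown binary initiating egress")
        if key in beacons:
            alerts[key].add("periodic outbound sessions (beacon-like)")
    return {k: sorted(v) for k, v in alerts.items()}
```

The curl call to the approved mirror produces no alert, which is the tuning point the list above makes: the same tools are routine in package retrieval and automation.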

Mitigation priorities

  • Restrict outbound Internet access from Linux servers and workloads to required destinations where operationally feasible.
  • Route Linux egress through monitored proxy, firewall, or gateway controls that preserve useful investigation logs.
  • Apply least privilege to service accounts and administrative access so unexpected tools or custom binaries are harder to execute unnoticed.
  • Maintain endpoint and network telemetry that can correlate process activity with outbound connections.
  • Define approved use cases for curl, wget, ncat, and socat on production systems and review exceptions periodically.

Analyst notes and limits

The supplied object is a detection analytic for Linux outbound traffic initiated by common transfer/network utilities or custom binaries toward Internet-based proxy infrastructure, with possible reverse shell constructs or persistent outbound beacons. There are no supplied tactics, relationships, aliases, labels, or official detection logic, so this take emphasizes validation questions, telemetry requirements, and conservative tuning guidance rather than a specific ATT&CK technique mapping.

This assessment is limited to the supplied ATT&CK analytic fields and external reference. It does not establish active exploitation, adversary attribution, specific malware, business impact, or existing detection coverage. Local asset roles, expected automation, network architecture, and logging quality are required to determine material risk and alert thresholds.

Official MITRE ATT&CK definition

Analytic 0923

`curl`, `wget`, `ncat`, `socat`, or custom binaries initiate outbound traffic to Internet-based proxies (e.g., via VPS or CDN). Behavior may include reverse shell constructs or persistent outbound beacons.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not provided)
Modified: (not provided)
Raw hash: 49bdb4399e6cae30...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    | (not shown)     | 1.0            | (not shown) | Current bundle | 49bdb4399e6c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0923 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.