AN0969: Analytic 0969

High-volume packet generation by local processes (e.g., PowerShell, cmd, curl.exe) or network service processes resulting in excessive outbound traffic over short time window, correlated with abnormal resource usage or degraded host responsiveness.

EnterpriseAN0969AnalyticObject v1.0 Modified Nov 12, 2025, 22:03 UTC (UTC+00:00)

Analytic 0969 is relevant because it focuses on Windows hosts that suddenly generate excessive outbound network traffic from local processes such as PowerShell, cmd, curl.exe, or network service processes, especially when the host also shows abnormal resource usage or degraded responsiveness. For leaders, the practical issue is operational resilience: a single endpoint or service host producing high-volume traffic can indicate abuse, misconfiguration, or a process-level event that may disrupt local performance or network capacity and requires fast triage.

Executive priority

Treat this as a validation point for endpoint and network visibility rather than a standalone detection claim. Security leaders should ask whether SOC and incident response teams can quickly identify which Windows process generated abnormal outbound traffic, whether endpoint performance data is retained, and whether response teams can distinguish suspicious activity from legitimate high-volume business processes. This supports incident decision-making, continuity planning, and audit evidence around monitoring of anomalous endpoint and network behavior.

Technical view

For SOC and detection teams, the key validation is correlation: high outbound packet or traffic volume over a short time window should be tied back to the originating Windows host process and compared with host health indicators such as CPU, memory, network utilization, and responsiveness. Because the ATT&CK object provides no tactic, relationship context, or official detection logic, teams should avoid treating process names alone as sufficient. PowerShell, cmd, curl.exe, and service processes can be legitimate; the analytic value comes from volume, timing, process lineage where available, and host degradation context.

Likely telemetry

Windows endpoint process execution records
Endpoint network connection or flow telemetry with process attribution
Network flow or packet-volume summaries by host and destination
Host resource telemetry such as CPU, memory, network interface utilization, and responsiveness indicators
Command-line and parent/child process context where collected

Detection direction

Validate that outbound traffic spikes can be attributed to a local Windows process, not only to an IP address or hostname.
Tune thresholds by host role; developer workstations, update servers, backup systems, proxies, and application servers may legitimately generate high outbound volume.
Correlate short-window traffic volume with abnormal resource usage or degraded host responsiveness, as described by the analytic.
Review command interpreters and transfer-capable utilities such as PowerShell, cmd, and curl.exe in context, but do not alert solely on their presence.
Identify blind spots where network telemetry lacks process attribution or where endpoint telemetry is not retained long enough for incident reconstruction.

Mitigation priorities

Prioritize visibility first: confirm Windows endpoint, network flow, and host performance telemetry are collected and time-synchronized.
Define baselines and thresholds for high-volume outbound traffic by host role and business function.
Ensure incident responders have playbooks for isolating or investigating a Windows host that is generating excessive outbound traffic and showing degraded performance.
Review least-privilege and execution-control practices for command interpreters and transfer utilities where appropriate to the environment.
Maintain change-management context for legitimate high-volume jobs such as backups, software distribution, updates, and data transfers to reduce false positives.

Analyst notes and limits

The supplied object is a detection analytic for Windows and describes behavior involving high-volume packet generation by local or service processes with abnormal resource usage or degraded responsiveness. No ATT&CK tactic, related technique, relationship context, or official detection query was supplied, so this take frames the analytic as a visibility and triage requirement rather than a confirmed threat behavior by itself.

This assessment is limited to the supplied ATT&CK fields and external reference. It does not establish attacker intent, active exploitation, attribution, impact, or coverage. Local baselines, host roles, telemetry quality, and incident context are required to determine whether any observed high-volume outbound traffic is suspicious or benign.

Official MITRE ATT&CK definition

Analytic 0969

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Nov 12, 2025, 22:03 UTC (UTC+00:00)
Raw hash: 7f33d97549c08ed0...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Nov 12, 2025, 22:03 UTC (UTC+00:00)	Current bundle	`7f33d97549c0…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN0969
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use