AN0972: Analytic 0972
VM or cloud instance generating anomalously high network egress targeting same destination IP or service, especially using stateless protocols.
Analyst context for executives and security teams
This analytic is about spotting an IaaS virtual machine or cloud instance that is sending unusually high outbound network traffic to the same destination IP address or service, particularly over stateless protocols. For leaders, the value is not the specific rule name; it is whether the organization can quickly recognize abnormal cloud egress before it becomes a cost, availability, data exposure, or incident-response problem.
Executive priority
Prioritize this as a cloud security and SOC readiness question: do teams have enough visibility into IaaS network egress to identify abnormal outbound volume from a single instance, and can they determine whether it is approved business activity or suspicious behavior? This supports incident triage, cloud cost control, audit evidence for monitoring, and operational resilience. Because ATT&CK provides no tactic mapping or relationship context here, treat it as a detection validation item rather than proof of a specific adversary objective.
Technical view
For SOC and detection engineering teams, validate whether cloud network telemetry can baseline outbound traffic per VM or instance and alert on anomalously high egress to a repeated destination IP or service. Detection logic should consider destination concentration, volume over time, protocol characteristics, and whether the traffic uses stateless protocols. IR teams should be prepared to enrich alerts with instance owner, workload purpose, recent deployment changes, destination reputation or ownership, security group/routing context, and whether the traffic pattern matches expected application behavior.
Likely telemetry
- Cloud network flow logs or equivalent IaaS network traffic records
- Per-instance outbound byte, packet, and connection metadata
- Destination IP, destination service or port, and protocol fields
- Cloud asset inventory mapping instance IDs to owners, applications, and environments
- Security group, network ACL, route, and firewall policy context
Detection direction
- Confirm that flow or equivalent egress telemetry is enabled for relevant IaaS networks and retained long enough for investigation.
- Baseline normal outbound volume per VM or workload, not only at the account, VPC, or subnet level.
- Tune for repeated high-volume egress to the same destination IP or service, with special attention to stateless protocols as described by the analytic.
- Reduce false positives by allowlisting documented backup, replication, content delivery, monitoring, or data pipeline destinations where appropriate.
- Investigate blind spots where NAT gateways, proxies, load balancers, or shared egress paths may obscure the originating instance.
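The detection direction above (per-instance baselines, repeated high-volume egress to one destination, allowlisting documented destinations, attributing flows to the originating instance) can be exercised on flow-log records. The script below is an added example, not code from AN0972, MITRE or Glexia; it follows the AWS VPC flow log v2 default field order, and the asset inventory, allowlist, baselines and sample flow lines are all constructed for the example.

```python
"""Per-instance egress concentration check over cloud flow logs (added example; the
inventory, allowlist, baselines and flow lines below are constructed, not real data)."""
from collections import defaultdict
from dataclasses import dataclass

# IANA protocol numbers. UDP and ICMP carry no handshake, so one instance can push large
# volumes at a single destination without any completed session; TCP is stateful.
STATELESS_PROTOCOLS = {1: "ICMP", 17: "UDP"}
PROTO_NAMES = {6: "TCP", **STATELESS_PROTOCOLS}

# Constructed asset inventory: ENI -> (instance id, owner, private IP). Keying on the
# interface, not the public source address, is what attributes traffic to an instance
# even when egress leaves through a shared NAT gateway.
INVENTORY = {
    "eni-0a1": ("i-web-01", "web-team", "10.10.1.5"),
    "eni-0b2": ("i-batch-07", "data-eng", "10.10.2.8"),
    "eni-0c3": ("i-build-03", "platform", "10.10.3.2"),
}

# Constructed allowlist of documented high-volume destinations (backup target, log collector).
ALLOWLIST = {("10.20.0.9", 443), ("10.20.0.15", 514)}

# Constructed per-instance baseline: typical outbound bytes in one 5-minute window.
BASELINE_BYTES = {"i-web-01": 2_000_000, "i-batch-07": 80_000_000, "i-build-03": 500_000}

# Constructed flow lines (AWS VPC flow log v2 field order):
# version account eni srcaddr dstaddr srcport dstport protocol packets bytes start end action status
SAMPLE_FLOWS = """\
2 123456789012 eni-0a1 10.10.1.5 203.0.113.7 51000 443 6 400 600000 1700000000 1700000300 ACCEPT OK
2 123456789012 eni-0a1 10.10.1.5 198.51.100.20 51001 443 6 300 450000 1700000000 1700000300 ACCEPT OK
2 123456789012 eni-0a1 203.0.113.7 10.10.1.5 443 51000 6 3600 5000000 1700000000 1700000300 ACCEPT OK
2 123456789012 eni-0b2 10.10.2.8 10.20.0.9 44000 443 6 60000 75000000 1700000000 1700000300 ACCEPT OK
2 123456789012 eni-0c3 10.10.3.2 192.0.2.44 40000 53 17 900000 48000000 1700000000 1700000300 ACCEPT OK
2 123456789012 eni-0c3 10.10.3.2 10.20.0.15 40001 514 17 100 20000 1700000000 1700000300 ACCEPT OK
"""


@dataclass
class Flow:
    eni: str
    src: str
    dst: str
    dport: int
    proto: int
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse accepted v2 flow records; malformed or rejected lines are skipped."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[12] != "ACCEPT":
            continue
        flows.append(Flow(eni=f[2], src=f[3], dst=f[4], dport=int(f[6]),
                          proto=int(f[7]), nbytes=int(f[9])))
    return flows


def detect_egress_concentration(flows, volume_factor=3.0, min_share=0.6):
    """Alert when an instance's window egress exceeds volume_factor x its baseline and
    at least min_share of those bytes go to one non-allowlisted destination."""
    per_instance = defaultdict(int)
    per_dest = defaultdict(int)  # (instance, dst ip, dst port, proto) -> bytes
    for fl in flows:
        inv = INVENTORY.get(fl.eni)
        if inv is None or fl.src != inv[2]:
            continue  # unknown interface, or inbound traffic (instance is the destination)
        per_instance[inv[0]] += fl.nbytes
        per_dest[(inv[0], fl.dst, fl.dport, fl.proto)] += fl.nbytes

    alerts = []
    for (inst, dst, dport, proto), b in per_dest.items():
        if (dst, dport) in ALLOWLIST or inst not in BASELINE_BYTES:
            continue
        total = per_instance[inst]
        share = b / total
        if total >= volume_factor * BASELINE_BYTES[inst] and share >= min_share:
            alerts.append({
                "instance": inst,
                "owner": next(v[1] for v in INVENTORY.values() if v[0] == inst),
                "destination": f"{dst}:{dport}/{PROTO_NAMES.get(proto, proto)}",
                "window_bytes": total,
                "share": round(share, 3),
                "baseline_multiple": round(total / BASELINE_BYTES[inst], 1),
                # Stateless protocols get higher severity, matching the analytic's emphasis.
                "severity": "high" if proto in STATELESS_PROTOCOLS else "medium",
            })
    return alerts


if __name__ == "__main__":
    for a in detect_egress_concentration(parse_flows(SAMPLE_FLOWS)):
        print(a)
```

On the constructed sample only i-build-03 fires: its 48 MB of UDP to one destination is roughly 96 times its baseline window, while the batch instance's 75 MB to a documented backup target is allowlisted and the web instance's inbound 5 MB is ignored because its private IP is the destination, not the source. In production the baseline would come from a rolling history per instance rather than a fixed table, and the alert record should be enriched with the deployment and destination-ownership context listed under the technical view above.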
Mitigation priorities
- Establish ownership and expected network behavior for IaaS workloads so anomalous egress can be judged quickly.
- Enable and retain cloud network egress telemetry across production and high-risk environments.
- Apply least-privilege network egress controls where business requirements allow, rather than permitting unrestricted outbound traffic by default.
- Create response playbooks for isolating or throttling a suspect instance, preserving evidence, and validating business impact before containment.
- Review alert outcomes regularly to tune baselines, suppress known-good high-volume services, and identify monitoring gaps.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique, and no tactic, detection text, or relationship context was provided. The strongest supported interpretation is cloud/IaaS egress anomaly detection focused on high-volume traffic from a VM or instance to a repeated destination. Local workload baselines and cloud architecture determine whether this analytic is actionable.
This take is limited to the official STIX fields and external reference supplied. It does not establish adversary intent, active exploitation, attribution, impact, or guaranteed detection coverage. Applicability depends on the organization’s IaaS telemetry, network architecture, retention, and ability to map traffic back to a specific instance.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4dd36c0a7e83… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0972
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.