MITRE ATT&CK® Analytic

AN0988: Analytic 0988

Identifies suspicious outbound traffic volume mismatches from processes that typically do not generate network activity, particularly over C2 protocols like HTTPS, DNS, or custom TCP/UDP ports, following file or data access.

Domain: Enterprise | ID: AN0988 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because it looks for a common defensive signal: a Windows process that normally should be quiet on the network suddenly sends unusual outbound traffic after accessing files or data. For leaders, the value is not the specific ATT&CK tactic, which is not supplied here, but the business question it raises: can the organization connect endpoint activity, file/data access, and outbound network behavior quickly enough to recognize possible data movement or command-and-control-like traffic?

Executive priority

Prioritize this as a validation of SOC and incident response readiness rather than as a standalone control. It helps assess whether teams can correlate Windows process behavior with outbound HTTPS, DNS, or custom TCP/UDP traffic and file/data access. The executive decision point is whether current logging, EDR, network monitoring, and investigation workflows provide enough evidence to distinguish unusual process-driven traffic from normal business applications.

Technical view

On Windows, validate whether telemetry can show process identity, file or data access, and subsequent outbound network volume by protocol or destination. Since the official detection field is not provided and no relationships or tactics are supplied, detection engineering should treat AN0988 as a behavioral analytic concept: identify processes that typically do not generate network activity, then alert or triage when those processes produce suspicious outbound volume after file/data access. Tune carefully for legitimate software updaters, scripts, administrative tools, backup agents, and business applications that may create noisy outbound traffic.

Likely telemetry

  • Windows process execution and process lineage
  • Endpoint network connection events with process attribution
  • Outbound traffic volume by process, protocol, destination, and port
  • File or data access events from endpoint or EDR telemetry
  • DNS query telemetry

Detection direction

  • Confirm that endpoint and network telemetry can be joined by host, user, process, time, destination, and protocol.
  • Baseline which Windows processes normally have little or no network activity in the local environment before alerting on volume mismatches.
  • Correlate outbound traffic spikes with preceding file or data access events rather than relying only on network volume.
  • Include HTTPS, DNS, and non-standard TCP/UDP ports in review, as the official description specifically calls out those protocol areas.
  • Tune false positives for legitimate automation, administrative activity, software updates, synchronization tools, backup tools, and security products.

Mitigation priorities

  • Ensure Windows endpoint telemetry captures process, file/data access, and network connection context needed for investigation.
  • Strengthen egress monitoring so unusual outbound traffic over HTTPS, DNS, and custom TCP/UDP ports is visible and reviewable.
  • Apply least-privilege and application control principles where feasible to reduce unexpected network-capable processes.
  • Maintain baselines for normal process network behavior and review changes after software deployments or operational changes.
  • Prepare IR playbooks that guide analysts from an alert to process triage, file access review, user context, destination assessment, and containment decisions.

Analyst notes and limits

AN0988 is a detection analytic, not a technique entry. The supplied ATT&CK fields provide a Windows platform and a behavioral description, but no official detection logic, tactics, related techniques, groups, software, or mitigations. Treat this as guidance for validating telemetry correlation and analytic design, not as proof of adversary activity by itself.

The object has no supplied tactics, relationships, aliases, labels, or official detection text. Any prioritization, thresholds, process lists, destinations, or response actions must be based on local environment baselines and evidence. This take does not claim active exploitation, attribution, guaranteed detection, or coverage beyond Windows as supplied.

Official MITRE ATT&CK definition

Analytic 0988

Identifies suspicious outbound traffic volume mismatches from processes that typically do not generate network activity, particularly over C2 protocols like HTTPS, DNS, or custom TCP/UDP ports, following file or data access.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 623ca3787b9dc55e...

Imported snapshots across ATT&CK releases (1)

  • Release: 19.1
  • Bundle imported:
  • Object version: 1.0
  • Modified:
  • Status: Current bundle
  • Raw hash: 623ca3787b9d…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0988 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.