MITRE ATT&CK® Analytic

AN0989: Analytic 0989

Monitors for processes reading sensitive files then immediately initiating unusual outbound connections or bulk transfer sessions over persistent sockets, particularly with encrypted or binary payloads.

Domain: Enterprise | ID: AN0989 | Type: Analytic | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN0989 is a Linux detection analytic focused on a high-risk pattern: a process reads sensitive files and then quickly opens unusual outbound or bulk-transfer network sessions, especially persistent encrypted or binary connections. For leaders, this matters because the combination of sensitive-file access plus outbound transfer is closer to a business-risk signal than either event alone; it can inform incident triage, data-loss review, and whether Linux server telemetry is sufficient to prove what happened.

Executive priority

Prioritize this analytic where Linux systems store credentials, regulated data, operational data, or other sensitive files. The decision value is in validating whether the organization can correlate host file access with network egress quickly enough to support incident response and compliance evidence. Leadership should ask which Linux assets hold sensitive files, whether outbound connections from those assets are baselined, and whether SOC teams can distinguish approved bulk transfer activity from unusual transfer behavior.

Technical view

For SOC and detection engineering teams, validate correlation between Linux process-level file-read activity and near-immediate outbound network activity from the same process or host. The supplied analytic description emphasizes sensitive file reads, unusual outbound connections, bulk transfer sessions, persistent sockets, and encrypted or binary payloads. Because no ATT&CK detection text or relationship context is supplied, local implementation should define what files are considered sensitive, what time window counts as immediate, what destinations or protocols are unusual, and which business processes legitimately perform bulk transfers.

Likely telemetry

  • Linux process execution and process identity metadata
  • Linux file access/read telemetry for sensitive paths or files
  • Host-to-network connection telemetry tied to process, user, host, destination, port, and timing
  • Network flow records showing outbound volume, session duration, and persistence
  • Proxy, firewall, or egress gateway logs for outbound connections

Detection direction

  • Correlate sensitive file-read events with outbound sessions from the same process, user, or host within a short time window.
  • Baseline approved Linux services and administrative jobs that legitimately read sensitive files and perform outbound transfers to reduce false positives.
  • Tune for unusual destinations, uncommon ports, long-lived sockets, high outbound volume, or first-seen transfer patterns rather than file access alone.
  • Validate visibility gaps: many environments collect network flow data but lack process-to-connection mapping or file-read auditing on Linux.
  • Use asset criticality and data classification to prioritize alerts from systems holding sensitive or regulated information.
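The correlation the bullets above describe, as an added example that is not part of the Glexia page or of MITRE's analytic. It pairs sensitive-file reads with outbound connections from the same process inside a short window, suppresses a baselined transfer job, and flags sessions on uncommon ports, with bulk volume, or long duration. The event schema, the sensitive-path globs, the 60-second window, the byte and duration thresholds, the approved-egress allowlist and the sample events are all assumptions constructed for illustration; the page leaves each of them to local definition.

```python
"""
Added example (not the page's or MITRE's code): correlate Linux
sensitive-file reads with near-immediate outbound connections from the
same pid. All policy values below are placeholders for local baselines.
"""
from dataclasses import dataclass
from typing import Iterable
import fnmatch

# Assumed local policy; replace with the organization's own classification.
SENSITIVE_GLOBS = [
    "/etc/shadow",
    "/etc/ssh/ssh_host_*_key",
    "/srv/data/customers/*",
    "/home/*/.ssh/id_*",
]
WINDOW_SECONDS = 60            # what "immediately" means: read -> connect gap
BULK_BYTES = 5 * 1024 * 1024   # outbound volume treated as a bulk transfer
LONG_SESSION_SECONDS = 300     # socket lifetime treated as persistent
COMMON_PORTS = {80, 443}
APPROVED_EGRESS = {
    # (process image, destination, port) of baselined jobs; constructed entry
    ("/usr/bin/rsync", "10.20.0.5", 873),
}


@dataclass(frozen=True)
class FileRead:
    ts: float
    pid: int
    uid: int
    exe: str
    path: str


@dataclass(frozen=True)
class Connect:
    ts: float
    pid: int
    uid: int
    exe: str
    dst: str
    port: int
    bytes_out: int
    duration: float


@dataclass(frozen=True)
class Alert:
    pid: int
    exe: str
    path: str
    dst: str
    port: int
    reasons: tuple


def is_sensitive(path: str) -> bool:
    return any(fnmatch.fnmatch(path, g) for g in SENSITIVE_GLOBS)


def unusual_reasons(c: Connect) -> list:
    """Why an outbound session is worth flagging; an empty list means ordinary."""
    if (c.exe, c.dst, c.port) in APPROVED_EGRESS:
        return []  # baselined job: sensitive reads alone are not a signal
    reasons = []
    if c.port not in COMMON_PORTS:
        reasons.append(f"uncommon port {c.port}")
    if c.bytes_out >= BULK_BYTES:
        reasons.append(f"bulk outbound {c.bytes_out} bytes")
    if c.duration >= LONG_SESSION_SECONDS:
        reasons.append(f"long-lived session {c.duration:.0f}s")
    return reasons


def correlate(reads: Iterable[FileRead], conns: Iterable[Connect]) -> list:
    """Pair each sensitive read with connects from the same pid that start
    within WINDOW_SECONDS after the read; emit an Alert when the session is unusual."""
    by_pid = {}
    for c in conns:
        by_pid.setdefault(c.pid, []).append(c)
    alerts = []
    for r in reads:
        if not is_sensitive(r.path):
            continue
        for c in by_pid.get(r.pid, []):
            if not 0 <= c.ts - r.ts <= WINDOW_SECONDS:
                continue
            reasons = unusual_reasons(c)
            if reasons:
                alerts.append(Alert(r.pid, r.exe, r.path, c.dst, c.port, tuple(reasons)))
    return alerts


# Constructed sample telemetry (not real logs). Three scenarios:
#   pid 4100: approved rsync job reads customer data        -> suppressed
#   pid 4211: unknown binary reads /etc/shadow, 8 MB session -> alert
#   pid 4300: sensitive read, but connect 10 minutes later   -> outside window
SAMPLE_READS = [
    FileRead(1000.0, 4100, 0, "/usr/bin/rsync", "/srv/data/customers/export.csv"),
    FileRead(1005.0, 4211, 0, "/tmp/.x/agent", "/etc/shadow"),
    FileRead(1010.0, 4300, 1001, "/usr/bin/python3", "/home/alice/.ssh/id_ed25519"),
    FileRead(1012.0, 4211, 0, "/tmp/.x/agent", "/var/log/syslog"),  # not sensitive
]
SAMPLE_CONNS = [
    Connect(1002.0, 4100, 0, "/usr/bin/rsync", "10.20.0.5", 873, 40_000_000, 900.0),
    Connect(1009.0, 4211, 0, "/tmp/.x/agent", "203.0.113.7", 5555, 8_000_000, 1800.0),
    Connect(1610.0, 4300, 1001, "/usr/bin/python3", "198.51.100.9", 22, 2_000, 5.0),
]


def run_sample() -> list:
    return correlate(SAMPLE_READS, SAMPLE_CONNS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"pid={a.pid} exe={a.exe} read={a.path} -> {a.dst}:{a.port}: {', '.join(a.reasons)}")
```

Keying the join on pid is the strict form and assumes the telemetry source records the connecting process (for example an eBPF or auditd-based sensor); where only host-level flow data exists, the same logic can be relaxed to join on host and user at the cost of more false positives, which is exactly the visibility gap the fourth bullet warns about.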

Mitigation priorities

  • Identify and classify Linux systems and files considered sensitive so detection scope is explicit.
  • Enable or improve Linux file access, process, and network telemetry needed to link file reads to outbound connections.
  • Restrict and monitor outbound egress from sensitive Linux systems, especially to destinations or protocols not required for business operations.
  • Review service accounts, scheduled jobs, and transfer mechanisms that may create expected bulk-transfer behavior.
  • Create incident response playbooks for validating whether observed transfers were authorized, what files were accessed, and whether containment is needed.

Analyst notes and limits

This take is based only on the supplied MITRE ATT&CK analytic fields. The object is an enterprise ATT&CK detection analytic for Linux, with no specified tactics, no supplied official detection procedure, and no relationship context. The strongest use case is defensive validation: confirming whether file-access and egress telemetry can be correlated into an actionable signal.

The supplied object does not identify related techniques, tactics, adversary groups, software, mitigations, or active exploitation. It also does not define specific sensitive files, thresholds, time windows, protocols, or payload inspection methods. Local environment baselines and legal/privacy constraints are required before operationalizing this analytic.

Official MITRE ATT&CK definition

Analytic 0989

Monitors for processes reading sensitive files then immediately initiating unusual outbound connections or bulk transfer sessions over persistent sockets, particularly with encrypted or binary payloads.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (empty in the mirrored snapshot)
Modified: (empty in the mirrored snapshot)
Raw hash: aced65059265961f...

Imported snapshots across ATT&CK releases (1)

Release: 19.1 | Bundle imported: (empty) | Object version: 1.0 | Modified: (empty) | Status: Current bundle | Raw hash: aced65059265…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0989 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.