AN1020: Analytic 1020

Suspicious processes (e.g., Tor clients, relays, unknown binaries) launch with sustained encrypted outbound traffic to known anonymity infrastructure (e.g., Tor, I2P), and may relay to additional internal systems via reverse proxying, ICMP tunneling, or socket forwarding.

EnterpriseAN1020AnalyticObject v1.0 Modified Nov 12, 2025, 22:03 UTC (UTC+00:00)

This analytic is about spotting Windows systems that run suspicious processes and maintain encrypted outbound traffic to anonymity infrastructure such as Tor or I2P. For leaders, the value is not the specific tool name; it is whether the organization can quickly identify endpoints that may be hiding command-and-control, proxying, tunneling, or unauthorized relay activity behind encrypted traffic patterns.

Executive priority

Prioritize this as a validation point for egress visibility and incident readiness on Windows endpoints. The business question is whether security teams can distinguish approved privacy/anonymity use from suspicious sustained encrypted connections, and whether they have enough endpoint and network evidence to make a timely containment decision. This supports resilience, audit evidence for monitoring controls, and SOC/IR readiness, but the ATT&CK object does not provide evidence of active exploitation or a specific threat actor.

Technical view

For SOC and detection engineering teams, validate visibility for Windows process execution correlated with sustained encrypted outbound network sessions to known anonymity infrastructure, including Tor or I2P indicators where available. Because the official detection field is not provided and there are no relationship links supplied, this should be treated as an analytic concept requiring local tuning rather than a complete detection rule. Investigations should focus on process lineage, binary reputation or allowlisting status, destination categorization, connection duration/volume, and whether the host appears to be forwarding traffic for other internal systems through reverse proxying, ICMP tunneling, or socket forwarding.

Likely telemetry

Windows process creation and process lineage events
Endpoint network connection telemetry from Windows hosts
Firewall, proxy, DNS, and egress flow logs
Threat intelligence or categorization for known Tor, I2P, or other anonymity infrastructure
Endpoint file metadata and binary reputation or allowlist status

Detection direction

Correlate suspicious or unknown Windows processes with sustained encrypted outbound connections to known anonymity infrastructure rather than alerting on destination alone.
Tune for approved business, research, privacy, or security-testing use cases to reduce false positives.
Validate whether telemetry can show both the local process and the external encrypted session; network-only visibility may not identify the responsible binary.
Look for relationship-driven context inside the environment, such as one host forwarding or proxying traffic for another internal host, but do not assume this behavior without supporting flow evidence.
Document blind spots where encrypted traffic, incomplete endpoint logging, unmanaged hosts, or missing destination intelligence would prevent confident triage.

Mitigation priorities

Establish and review policy for permitted anonymity-network software and encrypted egress from Windows endpoints.
Harden egress controls so unusual outbound encrypted traffic is monitored, restricted, or requires explicit approval where business-appropriate.
Maintain endpoint logging that captures process execution and network connections with sufficient retention for incident response.
Use application control or allowlisting for high-risk Windows environments where unauthorized binaries create material operational risk.
Ensure SOC playbooks define how to triage suspected anonymity infrastructure connections, including containment criteria and business-owner validation.

Analyst notes and limits

This object is a MITRE detection analytic, AN1020, for the enterprise ATT&CK domain and Windows platform. Its official description highlights suspicious processes launching with sustained encrypted outbound traffic to anonymity infrastructure and possible relay behavior through reverse proxying, ICMP tunneling, or socket forwarding. No tactics, relationships, aliases, or official detection logic were supplied, so the take emphasizes validation questions, telemetry requirements, and conservative control priorities.

The supplied ATT&CK fields do not include a formal detection query, mapped tactics or techniques, related software, threat groups, mitigations, or data components. Local environment baselines, approved software inventory, egress architecture, and available endpoint/network telemetry are required before this can be converted into a reliable detection or risk statement.

Official MITRE ATT&CK definition

Analytic 1020

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Nov 12, 2025, 22:03 UTC (UTC+00:00)
Raw hash: 24cd1a1e893aa783...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Nov 12, 2025, 22:03 UTC (UTC+00:00)	Current bundle	`24cd1a1e893a…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN1020
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use