AN1021: Analytic 1021
Tools such as `tor`, `nglite`, `proxychains`, `chisel`, or custom daemons repeatedly initiate outbound sessions to multiple nodes before final destination. This behavior is abnormal for Linux services outside of VPN, monitoring, or CDN relay contexts.
Analyst context for executives and security teams
This analytic is about spotting Linux systems that repeatedly create outbound connections through multiple intermediate nodes, a pattern associated with proxying or tunneling tools such as tor, nglite, proxychains, chisel, or custom daemons. For leaders, the value is not the tool names alone; it is whether the organization can distinguish approved relay, VPN, monitoring, or CDN behavior from unexpected multi-hop outbound activity that may complicate investigation and control of data flows.
Executive priority
Prioritize this as an egress visibility and Linux monitoring validation item. It matters for incident decision-making because unexplained multi-hop outbound sessions can obscure destination intent and delay containment. Security leaders should ask whether Linux server outbound traffic is baselined, whether approved relay use cases are documented, and whether SOC teams can quickly separate sanctioned infrastructure from abnormal services.
Technical view
Validate on Linux endpoints and network telemetry for repeated outbound sessions from the same host or service to multiple nodes before a final destination. Because ATT&CK supplies no tactic or detection logic for this analytic, teams should treat it as a detection-engineering hypothesis: baseline known VPN, monitoring, and CDN relay contexts first, then alert on Linux services showing unusual fan-out, repeated session initiation, or proxy/tunnel process names where process telemetry is available.
Likely telemetry
- Linux process execution telemetry, including command line where collected
- Network connection logs from Linux hosts
- Firewall, proxy, or egress gateway logs
- DNS query logs associated with outbound session destinations
- Service inventory or allowlists for approved VPN, monitoring, and CDN relay functions
Detection direction
- Confirm whether Linux endpoint and network logs can link outbound connections to host, service, and process context.
- Build or tune baselines for approved VPN, monitoring, and CDN relay systems to reduce predictable false positives.
- Review repeated outbound connections to multiple external nodes from Linux services that are not expected to operate as relays.
- Use tool names from the description as supporting context, not as the only detection method, because custom daemons may not match known names.
- Document blind spots where network address translation, missing endpoint telemetry, or encrypted traffic prevents process-to-connection attribution.
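The detection direction above, as an added example that is not part of the ATT&CK object or this page's analysis: a small detector that reads constructed Linux connection telemetry (one line per outbound connection with host, process and destination), suppresses hosts on a baseline of approved VPN, monitoring and CDN relays, flags any remaining service whose sessions fan out to several distinct nodes inside a sliding window, and treats the tool names from the description only as supporting context. The log format, hostnames, process names, allowlist and thresholds are all constructed for illustration.

```python
"""Flag repeated multi-node outbound fan-out from Linux services.

Added example, not part of the ATT&CK object or the page's analysis. The log
format, hostnames, process names, allowlist and thresholds are constructed for
illustration; only the tool names come from the analytic description.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Tuple

# Tool names listed in the analytic; supporting context only, because a
# custom daemon will not match any of them.
PROXY_TOOL_NAMES = {"tor", "nglite", "proxychains", "chisel"}

# Constructed baseline: hosts approved to act as VPN, monitoring or CDN relays.
APPROVED_RELAY_HOSTS = {"vpn-gw-01", "monitor-01", "cdn-edge-01"}

# Constructed telemetry: "<ISO time> host=<h> proc=<p> dst=<ip> dport=<n>".
LOG_LINES = [
    # Approved VPN gateway fanning out: baselined, so it must not alert.
    "2025-01-10T09:00:00 host=vpn-gw-01 proc=openvpn dst=203.0.113.10 dport=1194",
    "2025-01-10T09:00:05 host=vpn-gw-01 proc=openvpn dst=203.0.113.11 dport=1194",
    "2025-01-10T09:00:10 host=vpn-gw-01 proc=openvpn dst=203.0.113.12 dport=1194",
    "2025-01-10T09:00:15 host=vpn-gw-01 proc=openvpn dst=203.0.113.13 dport=1194",
    "2025-01-10T09:00:20 host=vpn-gw-01 proc=openvpn dst=203.0.113.14 dport=1194",
    # Web server whose unnamed daemon hops across several nodes: fan-out alert.
    "2025-01-10T09:01:00 host=web-02 proc=syncd dst=198.51.100.20 dport=443",
    "2025-01-10T09:01:05 host=web-02 proc=syncd dst=198.51.100.21 dport=443",
    "2025-01-10T09:01:10 host=web-02 proc=syncd dst=198.51.100.22 dport=443",
    "2025-01-10T09:01:15 host=web-02 proc=syncd dst=198.51.100.20 dport=443",
    "2025-01-10T09:01:20 host=web-02 proc=syncd dst=198.51.100.23 dport=443",
    # Ordinary application server: two database nodes, below thresholds.
    "2025-01-10T09:02:00 host=app-03 proc=java dst=192.0.2.50 dport=5432",
    "2025-01-10T09:02:30 host=app-03 proc=java dst=192.0.2.51 dport=5432",
    # Known tool name on a build host: flagged on name even below thresholds.
    "2025-01-10T09:03:00 host=build-07 proc=chisel dst=203.0.113.77 dport=8080",
]


@dataclass
class Finding:
    host: str
    process: str
    distinct_dsts: int
    sessions: int
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Parse one constructed log line into (timestamp, host, process, destination)."""
    ts_text, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.fromisoformat(ts_text), fields["host"], fields["proc"], fields["dst"]


def peak_window(events, window):
    """Return (max distinct destinations, max sessions) seen in any sliding window.

    events: list of (timestamp, destination) tuples sorted by timestamp.
    """
    best_distinct = best_sessions = 0
    counts = defaultdict(int)
    left = 0
    for right, (ts, dst) in enumerate(events):
        counts[dst] += 1
        while events[left][0] < ts - window:  # evict events older than the window
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best_distinct = max(best_distinct, len(counts))
        best_sessions = max(best_sessions, right - left + 1)
    return best_distinct, best_sessions


def detect(lines, window=timedelta(minutes=10), min_distinct=3, min_sessions=5):
    """Group connections per (host, process), apply the baseline, and flag fan-out."""
    by_service = defaultdict(list)
    for line in lines:
        ts, host, proc, dst = parse_line(line)
        if host in APPROVED_RELAY_HOSTS:
            continue  # documented relay context: expected to fan out
        by_service[(host, proc)].append((ts, dst))

    findings = []
    for (host, proc), events in sorted(by_service.items()):
        events.sort()
        distinct, sessions = peak_window(events, window)
        reasons = []
        if distinct >= min_distinct and sessions >= min_sessions:
            reasons.append(f"{sessions} sessions to {distinct} distinct nodes within {window}")
        if proc in PROXY_TOOL_NAMES:
            reasons.append(f"process name '{proc}' matches a known proxy/tunnel tool")
        if reasons:
            findings.append(Finding(host, proc, distinct, sessions, reasons))
    return findings


if __name__ == "__main__":
    for f in detect(LOG_LINES):
        print(f"{f.host}/{f.process}: " + "; ".join(f.reasons))
```

The baseline is applied before counting so that approved relays never consume analyst attention, and the fan-out rule is independent of the tool-name list, which is what lets the unnamed `syncd` daemon surface while `chisel` on the build host is still reported on name alone. Thresholds and window length are starting points to tune against local traffic, not fixed values.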
Mitigation priorities
- Define and maintain approved outbound relay, VPN, monitoring, and CDN use cases for Linux systems.
- Restrict unnecessary outbound connectivity from Linux servers using egress control policies appropriate to the environment.
- Ensure Linux endpoint logging and network egress logging are retained and accessible for SOC and incident response workflows.
- Review unmanaged or undocumented Linux services that initiate recurring outbound sessions.
- Use findings to improve asset ownership, service inventory, and incident response triage procedures rather than assuming all multi-hop behavior is malicious.
Analyst notes and limits
The official ATT&CK object is a detection analytic for Linux and describes abnormal repeated outbound sessions through multiple nodes, with examples of tools that may produce that behavior. No ATT&CK tactics, relationships, or formal detection pseudocode were supplied, so this take frames the object as a coverage validation and tuning opportunity rather than a complete detection rule.
This assessment is limited to the supplied STIX fields, external reference, and absence of relationships. It does not establish active exploitation, adversary attribution, impact, or guaranteed detection. Local baselines are required because legitimate VPN, monitoring, and CDN relay contexts may produce similar patterns.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0415db3fee0e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1021 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.