Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1057: Analytic 1057

Detects processes performing network enumeration (e.g., port scans, service probing) by correlating process creation, socket connections, and sequential destination IP probing within a time window.

EnterpriseAN1057AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because internal network enumeration is often the point where an incident shifts from a single compromised Windows host to broader enterprise risk. By correlating process creation, socket connections, and repeated destination probing, defenders can identify systems that may be mapping services or ports across the network. For leaders, the decision value is whether the SOC can see this behavior early enough to contain lateral movement risk before it affects business operations.

Executive priority

Prioritize validating this coverage where Windows endpoints have access to critical business segments, identity infrastructure, administrative networks, or sensitive workloads. The key executive question is not simply whether a tool has a rule, but whether endpoint process telemetry and network connection data are collected, retained, and correlated quickly enough to support containment decisions and audit evidence after an incident.

Technical view

For SOC, detection engineering, and IR teams, AN1057 describes a Windows-focused analytic that correlates process creation with socket connections and sequential destination IP probing over a time window. Teams should validate that they can link a process identity to outbound connection patterns and distinguish expected scanning or management activity from unusual enumeration. Because no ATT&CK tactic or relationship context is supplied, this should be treated as a behavior-level detection analytic rather than evidence of a specific campaign, actor, or technique chain.

Likely telemetry

  • Windows process creation events with command line, parent process, user, host, and timestamp context
  • Endpoint or host firewall network connection telemetry showing source process and destination IP/port
  • Socket connection records or EDR network events tied to process identifiers
  • Time-windowed connection summaries showing sequential destination IP probing or service probing patterns
  • Asset, user, and network segment context to separate authorized administration from suspicious enumeration

Detection direction

  • Validate correlation between process creation and network connections; network-only alerts may lack the process context needed for triage.
  • Tune for repeated or sequential destination IP probing within defined time windows, while accounting for legitimate vulnerability scanners, inventory tools, monitoring systems, and administrative scripts.
  • Require allowlisting or suppression governance for approved scanners so exceptions do not hide unexpected enumeration from ordinary Windows endpoints.
  • Prioritize alerts from workstations, user endpoints, or servers that do not normally perform scanning behavior, especially when probing crosses network segments.
  • Test whether telemetry latency and retention are sufficient for incident responders to reconstruct the enumerating process, user, host, and destination pattern.

Mitigation priorities

  • Confirm endpoint and network telemetry coverage first; this analytic depends on both process and socket or connection visibility.
  • Maintain an inventory of authorized scanning, monitoring, and administration sources to reduce false positives and make unauthorized enumeration stand out.
  • Apply network segmentation and least-privilege access so a single Windows host cannot freely enumerate unnecessary internal ranges.
  • Use incident response playbooks that treat unexpected enumeration as a containment decision point, including host isolation, credential review, and scoping of probed destinations when warranted.
  • Review logging and retention requirements as compliance evidence for detecting and investigating internal reconnaissance behavior.
Analyst notes and limits

The supplied object is a detection analytic, not a full ATT&CK technique entry. It provides a clear behavioral objective—detecting process-driven network enumeration on Windows—but does not include official detection logic, tactics, related techniques, procedures, or mitigations. Local baselines are essential because legitimate security and IT operations can create similar port scan or service probing patterns.

This take is limited to the official STIX fields, external reference, and the absence of relationship context supplied for AN1057. It does not assert active exploitation, threat actor use, specific ATT&CK tactics, non-Windows applicability, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Analytic 1057

Detects processes performing network enumeration (e.g., port scans, service probing) by correlating process creation, socket connections, and sequential destination IP probing within a time window.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
cd1e98e854e94a96...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle cd1e98e854e9…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1057
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use