AN1058: Analytic 1058
Detects use of network scanning utilities or scripts performing rapid connections to multiple services or hosts using auditd and netflow/pcap telemetry.
Analyst context for executives and security teams
Analytic 1058 is a Linux-focused detection analytic for identifying rapid connection activity consistent with network scanning utilities or scripts, using auditd plus network evidence such as NetFlow or packet capture. For leaders, the value is not simply finding scans; it is confirming whether the organization can see early reconnaissance-like behavior inside Linux environments before it becomes a broader incident investigation or operational disruption.
Executive priority
Prioritize this analytic where Linux systems support critical services, segmented environments, or regulated workloads. The business decision is whether SOC and incident response teams have enough host and network telemetry to distinguish authorized discovery, vulnerability management activity, and administrative testing from suspicious rapid connections across multiple hosts or services. This also supports audit and resilience discussions because it tests whether network visibility and Linux audit collection are actually usable during an investigation.
Technical view
Validate coverage on Linux systems with auditd and NetFlow/pcap telemetry, as specified by the ATT&CK object. Detection engineering should focus on rapid connection patterns to multiple services or hosts and correlate host-side process or audit evidence with network flow or packet evidence. Because no official detection logic is supplied, teams should define local thresholds, approved scanner inventories, expected maintenance windows, and normal administrative behavior before treating alerts as high confidence.
Likely telemetry
- Linux auditd records
- Network flow telemetry such as NetFlow
- Packet capture metadata or packet capture evidence
- Connection attempts across multiple hosts
- Connection attempts across multiple services
Detection direction
- Confirm auditd is deployed and collecting relevant Linux activity on systems in scope.
- Confirm NetFlow or pcap visibility covers the network paths where Linux scanning activity would occur.
- Tune for rapid connections to multiple services or hosts rather than single connection events.
- Build allowlists or context for approved vulnerability scanners, monitoring tools, and administrative scripts to reduce false positives.
- Correlate host audit evidence with network telemetry to improve confidence and support incident triage.
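The technical view and the detection direction above describe the pattern (rapid connections from one source to many hosts or services, an allowlist for approved scanners, and correlation with host-side auditd evidence) without supplying logic. The following is an added example, not part of the ATT&CK object or Glexia's analysis: it runs a sliding-window count over constructed NetFlow-style records, drops allowlisted sources, and raises confidence when auditd records for the same host show a burst of connect() syscalls from a single process. The host-to-IP mapping, the thresholds and the assumption that audit lines carry interpreted syscall names (as from ausearch -i) are all assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample NetFlow-style records (ts seconds, src, dst, dport); not real telemetry.
FLOWS = [(100 + i, "10.0.5.20", f"10.0.9.{1 + i}", 22) for i in range(12)] + [
    (200, "10.0.5.30", "10.0.9.50", 443), (205, "10.0.5.30", "10.0.9.50", 443),
    (210, "10.0.5.30", "10.0.9.51", 443),
] + [(300 + i, "10.0.5.40", f"10.0.9.{1 + i}", 80) for i in range(12)]

# Constructed auditd lines keyed by host IP (host->IP mapping is assumed to exist elsewhere).
AUDITD = {"10.0.5.20": [
    f'type=SYSCALL msg=audit(100.001:{i}): syscall=connect success=yes pid=4242 '
    f'comm="scanner" exe="/opt/tools/scanner"' for i in range(12)]}

def rapid_connection_sources(flows, window=10, min_hosts=8, min_services=8, allowlist=frozenset()):
    """Return {src: (max distinct hosts, max distinct host:port pairs)} for sources that, inside
    any window-second span, reach at least min_hosts hosts or min_services services."""
    hits, recent = {}, defaultdict(deque)  # recent: src -> (ts, dst, dport) still inside the window
    for ts, src, dst, dport in sorted(flows):
        if src in allowlist:  # approved vulnerability scanners, monitoring tools, admin scripts
            continue
        q = recent[src]
        q.append((ts, dst, dport))
        while q and q[0][0] < ts - window:
            q.popleft()
        hosts = {d for _, d, _ in q}
        services = {(d, p) for _, d, p in q}
        if len(hosts) >= min_hosts or len(services) >= min_services:
            prev = hits.get(src, (0, 0))
            hits[src] = (max(prev[0], len(hosts)), max(prev[1], len(services)))
    return hits

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # auditd key=value fields, quoted or bare

def connect_burst(audit_lines, min_connects=8):
    """Count connect() syscalls per comm in SYSCALL records; return the comms over threshold."""
    counts = defaultdict(int)
    for line in audit_lines:
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        if fields.get("type") == "SYSCALL" and fields.get("syscall") == "connect":
            counts[fields.get("comm", "?")] += 1
    return {c: n for c, n in counts.items() if n >= min_connects}

def triage(flows, auditd, allowlist=frozenset()):
    """Flow evidence alone is 'medium'; flow evidence plus a host-side connect burst is 'high'."""
    out = {}
    for src, (hosts, services) in rapid_connection_sources(flows, allowlist=allowlist).items():
        procs = connect_burst(auditd.get(src, []))
        out[src] = ("high" if procs else "medium", hosts, services, sorted(procs))
    return out
```

With the constructed data, 10.0.5.30 (three connections to two hosts) never trips the threshold, while the two sweeping sources do; only the one with matching auditd evidence is rated high.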
Mitigation priorities
- Establish an inventory of authorized scanning utilities, scripts, and vulnerability management systems.
- Ensure Linux auditd and network telemetry collection are enabled where this behavior matters operationally.
- Use segmentation and access controls to limit unnecessary host-to-host and service-to-service reachability.
- Define SOC triage procedures for distinguishing approved scanning from unexpected rapid connection behavior.
- Maintain evidence of telemetry coverage and tuning decisions for compliance and incident readiness.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique or adversary behavior entry. It specifies Linux, auditd, and NetFlow/pcap-based detection of rapid connections to multiple services or hosts, but it does not provide tactics, relationships, or concrete detection logic. Glexia teams should treat this as a coverage-validation prompt: can the environment observe, tune, and investigate this pattern with existing Linux and network telemetry?
No official detection query, tactics, related techniques, procedures, mitigations, or relationship context were supplied. This take does not assert exploitation, attribution, impact, or guaranteed detection. Local asset criticality, approved scanning activity, telemetry completeness, and network architecture are required to determine priority and alert severity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | aa4c58f0c3ed… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1058
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.