AN1067: Analytic 1067
Identifies transfer of base64, uuencoded, or high-entropy files over HTTP, FTP, or custom protocols in lateral movement or exfiltration streams.
Analyst context for executives and security teams
This analytic matters because encoded or unusually high-entropy file transfers can hide data movement across the network, including lateral movement or exfiltration over HTTP, FTP, or custom protocols. For leaders, the practical question is whether network monitoring can see and retain enough evidence to distinguish legitimate compressed or encoded traffic from suspicious file movement before an incident becomes a business-continuity or data-loss problem.
Executive priority
Prioritize validation of network visibility and response playbooks for unusual file-transfer behavior, especially where critical systems, regulated data, or network devices are involved. This is relevant to incident decision-making, compliance evidence, and SOC readiness because the ATT&CK object provides a detection concept but no built-in detection logic; organizations must prove locally that telemetry, inspection depth, retention, and escalation paths are sufficient.
Technical view
SOC and detection teams should treat AN1067 as a network-device-focused analytic concept: identify transfers of base64, uuencoded, or high-entropy files over HTTP, FTP, or custom protocols. Validation should focus on whether network sensors, proxy logs, flow data, and file-inspection capabilities can observe payload characteristics or file-transfer metadata. Because no official detection logic or tactic mapping is supplied, teams should tune detections against local baselines for legitimate encoded, compressed, encrypted, backup, software-distribution, and administrative transfer activity.
Likely telemetry
- Network device logs and alerts
- Proxy or secure web gateway logs for HTTP transfers
- FTP server/client logs where available
- Network flow metadata showing source, destination, protocol, volume, and timing
- File inspection or content-scanning telemetry capable of identifying base64, uuencoding, or high entropy
Detection direction
- Validate that monitored network paths include east-west traffic as well as outbound traffic; lateral movement streams may be missed if only perimeter monitoring exists.
- Test whether tools can identify encoded or high-entropy file content, not only protocol names or ports.
- Tune for context: high entropy can be normal for compressed archives, encrypted files, media, software packages, and backups.
- Correlate suspicious transfers with source asset role, destination reputation or zone, user/service account context, transfer volume, and unusual timing.
- Review custom or non-standard protocol visibility, since the analytic explicitly includes custom protocols and those are common blind spots.
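The detection direction above says tools must recognize encoded or high-entropy content itself, and that high entropy must be tuned against legitimate compressed or encrypted formats. The following added example (not part of the ATT&CK object or of Glexia's analysis) shows one way a detection engineer could prototype that payload check offline: it computes Shannon entropy, tests for base64 and uuencode framing, and downgrades a high-entropy verdict to "review" when the bytes start with the magic of a known archive container. The samples are constructed inline with a seeded generator; the entropy threshold, the container list and the verdict labels are assumptions to be replaced by local baselines.

```python
import base64
import binascii
import gzip
import math
import random
import re
from collections import Counter

# Assumed starting list of formats that are legitimately high-entropy
# (compressed containers); extend from local baselines (media, backups, packages).
KNOWN_HIGH_ENTROPY_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"\xfd7zXZ\x00": "xz",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"BZh": "bzip2",
}

BASE64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_base64(data: bytes, min_len: int = 64) -> bool:
    """Alphabet check plus a strict decode so ordinary text is not flagged."""
    stripped = data.strip()
    if len(stripped) < min_len or not BASE64_RE.match(stripped):
        return False
    compact = re.sub(rb"[\r\n]", b"", stripped)
    if len(compact) % 4:
        return False
    try:
        base64.b64decode(compact, validate=True)
        return True
    except binascii.Error:
        return False


def looks_uuencoded(data: bytes) -> bool:
    """uuencode streams open with 'begin <mode> <name>' and close with 'end'."""
    lines = data.strip().splitlines()
    return len(lines) >= 3 and lines[0].startswith(b"begin ") and lines[-1].strip() == b"end"


def known_container(data: bytes):
    """Name of a recognized compressed container, or None."""
    for magic, name in KNOWN_HIGH_ENTROPY_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify_payload(data: bytes, entropy_threshold: float = 7.2) -> dict:
    """Verdict plus the evidence behind it for one transferred payload.

    Note that a base64 body is NOT high entropy (about 6 bits/byte), so an
    entropy-only check would miss it; the encoding checks run first.
    """
    ent = shannon_entropy(data)
    container = known_container(data)
    verdict, reasons = "benign", []
    if looks_uuencoded(data):
        verdict, reasons = "suspicious", ["uuencoded body"]
    elif looks_base64(data):
        verdict, reasons = "suspicious", ["base64 body"]
    elif ent >= entropy_threshold:
        if container:
            # Expected for archives; whether this is normal is a local baseline question.
            verdict, reasons = "review", [f"high entropy but known {container} container"]
        else:
            verdict, reasons = "suspicious", ["high entropy, no recognizable container"]
    return {"entropy": round(ent, 2), "container": container, "verdict": verdict, "reasons": reasons}


def build_samples() -> dict:
    """Constructed payloads standing in for bodies captured from HTTP/FTP transfers."""
    rng = random.Random(1067)  # seeded so results are reproducible
    secret = rng.randbytes(300)
    return {
        "plain_text": b"GET /reports/q3-summary.html HTTP/1.1\r\nHost: intranet.example\r\n" * 8,
        "base64_blob": base64.encodebytes(secret),
        "uuencoded": b"begin 644 secret.bin\n" + binascii.b2a_uu(b"hello world") + b"`\nend\n",
        "gzip_archive": gzip.compress(rng.randbytes(2000)),
        "raw_random": rng.randbytes(2000),
    }


if __name__ == "__main__":
    for name, payload in build_samples().items():
        print(f"{name:13s} {classify_payload(payload)}")
```

The point of the gzip sample is the tuning caveat from the list above: its entropy is as high as the raw random sample, and only the container check separates "archive a backup job might send" from "unrecognized high-entropy stream". In production the same logic would take the body from proxy or file-inspection telemetry and be correlated with source role, destination zone and timing before it raises an alert.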
Mitigation priorities
- Start with visibility: confirm network logging, flow collection, and file-inspection coverage on relevant network segments and network devices.
- Reduce unnecessary transfer paths by tightening allowed protocols, destinations, and administrative channels based on business need.
- Apply segmentation and egress controls where appropriate so unusual lateral or outbound file movement is harder to complete unnoticed.
- Create investigation playbooks for encoded or high-entropy transfers, including triage of source host, destination, account context, and data sensitivity.
- Maintain audit evidence showing what traffic is monitored, what is excluded, and how alerts are reviewed and escalated.
Analyst notes and limits
AN1067 is best used as a coverage and validation prompt rather than a ready-to-run rule. Its value is in forcing a conversation between SOC, network, cloud/security architecture, and risk owners about whether encoded or high-entropy transfer behavior is visible across important paths.
The supplied ATT&CK fields include no official detection logic, no tactics, and no relationships to techniques, software, groups, or mitigations. This analysis therefore does not infer attribution, active exploitation, impact, or guaranteed detection coverage. Local network architecture, logging depth, privacy constraints, and normal transfer patterns are required to operationalize it.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0261bf4b79d8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN1067 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.