MITRE ATT&CK® Analytic

AN1118: Analytic 1118

Recurring network exfiltration initiated by scheduled or script-based processes exhibiting time-based regularity and consistent external destinations.

Enterprise | AN1118 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic describes a Windows-focused signal for repeated outbound data movement where scheduled or script-based processes contact the same external destinations on a regular time pattern. For leaders, the value is not that this alone proves compromise, but that recurring, automated exfiltration behavior can indicate a persistence-backed data loss path that may bypass ad hoc monitoring if network and process context are not joined.

Executive priority

Prioritize this as a control-validation and readiness question: can the organization prove it can see scheduled or scripted Windows activity that repeatedly sends data to external destinations? This matters for incident decision-making, data loss response, audit evidence around monitoring, and business continuity because regular automated transfer patterns may continue until detected and contained. Since ATT&CK provides no detection logic or relationships for this object, local risk ranking should depend on the sensitivity of systems, permitted automation, and existing egress governance.

Technical view

For SOC, detection engineering, and IR teams, validate whether Windows process execution, scheduled task or script activity, and network connection telemetry can be correlated over time. The analytic concept is time-based regularity plus consistent external destination, initiated by scheduled or script-based processes. Build or review logic that baselines legitimate recurring transfers and highlights unusual combinations of process parentage, script hosts, task context, destination consistency, volume, timing, and host role. Treat alerts as investigative leads requiring confirmation of process legitimacy, task ownership, destination reputation or business purpose, and transferred data context.

Likely telemetry

  • Windows process creation telemetry, including command line and parent-child process context
  • Scheduled task execution or task configuration telemetry
  • Script execution telemetry where available, such as PowerShell or other script-host activity
  • Network connection logs from endpoints, proxies, firewalls, EDR, or network sensors
  • Destination metadata such as external IP, domain, port, protocol, and recurrence over time

Detection direction

  • Validate correlation across host process activity and outbound network events; either source alone may be insufficient.
  • Look for regular timing patterns and repeated external destinations rather than one-off outbound connections.
  • Tune for known business automation, backups, software updates, monitoring agents, and approved file-transfer jobs to reduce false positives.
  • Pay attention to script hosts and scheduled processes that are newly created, rarely used on the host, or inconsistent with the system’s role.
  • Confirm whether telemetry retention is long enough to identify recurrence; short retention can hide the time-based nature of the behavior.
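As an added illustration of the process-to-network correlation described above (this script is not part of the ATT&CK object or of Glexia's content), the following Python example joins constructed process-creation and network-connection records by host and PID, groups outbound connections by process image, parent process and destination, and flags groups whose inter-connection intervals are regular (low coefficient of variation) across at least four runs, while skipping an allowlist of approved transfer jobs. The hostnames, destinations, process names, thresholds and timing values are all constructed assumptions, not values from the page.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry for this example (not real logs). Timestamps are
# seconds relative to an arbitrary start; one process-creation record per run.
def build_sample():
    proc, net = [], []
    pid = 100
    # Hourly PowerShell job launched by the Task Scheduler host (svchost.exe) that
    # pushes ~480 KB to the same external address each run, with small jitter.
    for i, jitter in enumerate([0, 12, -8, 5, -3, 9, 0, -6]):
        pid += 1
        ts = i * 3600 + jitter
        proc.append({"ts": ts, "pid": pid, "host": "WS01",
                     "image": "powershell.exe", "parent": "svchost.exe"})
        net.append({"ts": ts + 2, "pid": pid, "host": "WS01",
                    "dest": "203.0.113.10:443", "bytes_out": 480_000})
    # Approved nightly backup agent: also perfectly regular, but a known job.
    for i in range(4):
        pid += 1
        ts = i * 86_400 + 7_200
        proc.append({"ts": ts, "pid": pid, "host": "WS01",
                     "image": "backupagent.exe", "parent": "services.exe"})
        net.append({"ts": ts + 1, "pid": pid, "host": "WS01",
                    "dest": "backup.example.net:443", "bytes_out": 50_000_000})
    # Interactive browsing: same CDN host each time, but irregular timing.
    for ts in [30, 95, 4000, 4010, 9000]:
        pid += 1
        proc.append({"ts": ts, "pid": pid, "host": "WS01",
                     "image": "chrome.exe", "parent": "explorer.exe"})
        net.append({"ts": ts, "pid": pid, "host": "WS01",
                    "dest": "cdn.example.org:443", "bytes_out": 12_000})
    # A connection with no matching process record (a telemetry gap).
    net.append({"ts": 500, "pid": 9999, "host": "WS01",
                "dest": "203.0.113.10:443", "bytes_out": 1_000})
    return proc, net

DEFAULT_ALLOWLIST = frozenset({"backup.example.net:443"})  # approved transfer jobs (assumed)

def find_recurring(proc_events, net_events, min_runs=4, max_cv=0.10,
                   allowlist=frozenset()):
    """Return (host, image, parent, destination) groups whose outbound
    connections recur at a regular interval.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections; max_cv is the tolerance.
    """
    # Join network events to process context by (host, pid). A real pipeline
    # should key on a process GUID or (pid, creation time), since PIDs recycle.
    by_pid = {(p["host"], p["pid"]): p for p in proc_events}
    series = defaultdict(list)
    for n in net_events:
        p = by_pid.get((n["host"], n["pid"]))
        if p is None or n["dest"] in allowlist:
            continue  # no process lineage, or an approved destination
        key = (n["host"], p["image"], p["parent"], n["dest"])
        series[key].append((n["ts"], n["bytes_out"]))

    findings = []
    for (host, image, parent, dest), samples in series.items():
        if len(samples) < min_runs:
            continue  # too few runs to call it recurring
        samples.sort()
        gaps = [b - a for (a, _), (b, _) in zip(samples, samples[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period > 0 else float("inf")
        if cv <= max_cv:
            findings.append({
                "host": host, "image": image, "parent": parent, "dest": dest,
                "runs": len(samples), "period_s": round(period), "cv": round(cv, 3),
                "bytes_out": sum(b for _, b in samples),
            })
    return findings

if __name__ == "__main__":
    proc, net = build_sample()
    for finding in find_recurring(proc, net, allowlist=DEFAULT_ALLOWLIST):
        print(finding)
```

With the allowlist applied, only the hourly PowerShell job to 203.0.113.10:443 is reported; without it the nightly backup agent is reported as well, which is the tuning step the bullets above describe. The browser traffic is dropped because its intervals are irregular, and the orphan connection is dropped because it has no process context. Note that `min_runs` times the expected period sets the minimum telemetry retention the check needs: with hourly jobs and four runs that is a few hours, but a daily job needs at least four days of joined process and network history.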

Mitigation priorities

  • Inventory and document approved scheduled and script-based outbound transfer jobs on Windows systems.
  • Restrict who can create or modify scheduled/scripted automation on sensitive hosts and review those changes.
  • Apply egress controls and destination allowlisting where operationally feasible, especially for systems handling sensitive data.
  • Ensure endpoint and network logging are enabled and retained long enough to observe regularity.
  • Create IR playbooks for validating recurring outbound transfer alerts, including task review, process lineage, destination validation, and data sensitivity assessment.

Analyst notes and limits

This object is a detection analytic, not a technique or procedure. Its strongest practical use is as a coverage test for whether teams can connect Windows automation telemetry with recurring outbound network behavior. The absence of relationship context means defenders should map it to their own environment, data flows, and approved automation before assigning severity.

Official detection content, tactics, aliases, labels, and relationships were not supplied. The object only specifies Windows as a platform and describes recurring network exfiltration initiated by scheduled or script-based processes. Conclusions about specific adversaries, active exploitation, impact, or guaranteed detection cannot be made from the supplied fields alone.

Official MITRE ATT&CK definition

Analytic 1118

Recurring network exfiltration initiated by scheduled or script-based processes exhibiting time-based regularity and consistent external destinations.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources "Updates" page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 666384ec80ea868c...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: 666384ec80ea…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1118

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.