AN1141: Analytic 1141
Spoofed outbound packets sent to amplification services from command-line tools or scripts, combined with abnormal outbound packet volume on known reflector ports
Analyst context for executives and security teams
This analytic is about spotting Linux systems that may be sending spoofed outbound traffic toward amplification services, especially when command-line tools or scripts coincide with unusual outbound packet volume on known reflector ports. For leaders, the practical issue is not just malware detection; it is whether an internal host can be used as a launch point for disruptive network abuse, creating availability, reputation, service-provider, and incident-response consequences.
Executive priority
Prioritize this as an egress-control and monitoring validation item for Linux environments. Security leaders should ask whether the organization can prove which systems are allowed to generate high-volume outbound traffic, whether spoofed traffic is blocked before leaving the network, and whether SOC teams can rapidly tie abnormal outbound network behavior back to Linux process and script activity. This supports operational resilience, incident triage, and compliance evidence around network abuse prevention and monitoring.
Technical view
SOC and detection engineering teams should validate whether Linux host telemetry and network telemetry can be correlated around two conditions described by the analytic: command-line tools or scripts initiating activity, and abnormal outbound packet volume to known reflector or amplification-service ports. Because no official detection logic is supplied, teams should define local baselines for expected outbound packet volume, identify approved services that may legitimately use high-volume traffic, and test whether alerts preserve enough context to identify the source host, user, process, command line, destination ports, and egress path.
Likely telemetry
- Linux process creation and command-line telemetry
- Script execution telemetry from Linux systems
- Outbound network flow records from hosts, firewalls, routers, or network sensors
- Packet or session metadata showing source, destination, protocol, port, and packet volume
- Egress firewall or gateway logs
Detection direction
- Baseline normal outbound packet volume for Linux systems and alert on abnormal spikes to ports classified internally as reflector or amplification-service ports.
- Correlate network-volume anomalies with Linux command-line or script execution rather than relying on either signal alone.
- Tune exceptions for approved high-volume services, network testing systems, and administrative scripts to reduce false positives.
- Validate whether spoofed outbound packets would be visible in available telemetry or blocked before detection, since some environments may not preserve enough packet detail to confirm spoofing.
- Ensure alerts include source host, user context where available, process or script context, destination port, packet volume, and egress device path for incident response.
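The correlation described in the technical view and the detection direction above, as an added worked example that is not part of the Glexia page or of MITRE's ATT&CK content. It builds a rolling per-host baseline of outbound UDP packets to reflector ports, flags a bucket that clears an absolute floor and a multiple of that baseline, records source addresses the host does not own (the spoofing-visibility check), and joins the spike with Linux process events on the same host so the alert carries host, user, process, command line, destination ports, volume and egress device. The flow records, process events, host inventory, reflector-port list and thresholds are all constructed assumptions; a production version would read them from flow collectors, auditd/eBPF process telemetry and the organization's own port classification.

```python
"""Added example (not part of the Glexia page or MITRE's ATT&CK content): correlate an
abnormal burst of outbound packets to reflector ports with Linux process telemetry.
Flow records, process events, host addresses, the reflector-port list and the
thresholds are all constructed assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median

REFLECTOR_PORTS = {19, 53, 123, 161, 389, 1900, 11211}   # assumed local reflector-port list
HOST_ADDRS = {"lnx-web-01": {"10.0.1.10"}, "lnx-dns-01": {"10.0.2.5"}}  # constructed inventory
MIN_PACKETS = 1000          # absolute floor before a bucket can count as a spike
SPIKE_FACTOR = 5            # bucket must exceed this multiple of the host's median
MIN_HISTORY = 3             # buckets of history required before a baseline is trusted
CORRELATION_WINDOW = timedelta(minutes=2)
SCRIPT_INTERPRETERS = {"bash", "sh", "python3", "perl"}

def T(hms: str) -> datetime:
    return datetime.fromisoformat("2026-01-15T" + hms)

# Constructed flow records: (time, host, src_ip, dst_ip, proto, dst_port, packets, egress_device)
FLOWS = [
    (T("12:00:10"), "lnx-web-01", "10.0.1.10", "198.51.100.2", "udp", 53, 20, "fw-edge-1"),
    (T("12:01:10"), "lnx-web-01", "10.0.1.10", "198.51.100.2", "udp", 53, 25, "fw-edge-1"),
    (T("12:02:10"), "lnx-web-01", "10.0.1.10", "198.51.100.2", "udp", 53, 18, "fw-edge-1"),
    (T("12:03:10"), "lnx-web-01", "10.0.1.10", "198.51.100.2", "udp", 53, 22, "fw-edge-1"),
    (T("12:04:10"), "lnx-web-01", "10.0.1.10", "198.51.100.2", "udp", 53, 30, "fw-edge-1"),
    # burst to NTP and SSDP ports with a source address the host does not own
    (T("12:05:05"), "lnx-web-01", "203.0.113.7", "198.51.100.40", "udp", 123, 5000, "fw-edge-1"),
    (T("12:05:20"), "lnx-web-01", "203.0.113.7", "198.51.100.41", "udp", 1900, 4000, "fw-edge-1"),
    (T("12:05:30"), "lnx-web-01", "10.0.1.10", "198.51.100.9", "tcp", 443, 800, "fw-edge-1"),
    # an internal resolver that is legitimately busy on port 53 every minute
    *[(T(f"12:0{m}:15"), "lnx-dns-01", "10.0.2.5", "198.51.100.53", "udp", 53, p, "fw-edge-1")
      for m, p in enumerate([4100, 3900, 4050, 4000, 3950, 4200])],
]
# Constructed process events: (time, host, user, pid, comm, cmdline)
PROCS = [
    (T("11:30:00"), "lnx-web-01", "root", 900, "cron", "/usr/sbin/cron"),
    (T("12:04:40"), "lnx-web-01", "deploy", 4242, "python3", "python3 /home/deploy/job.py"),
    (T("12:05:00"), "lnx-dns-01", "named", 1200, "named", "/usr/sbin/named -u named"),
]

@dataclass
class Bucket:
    packets: int = 0
    ports: set = field(default_factory=set)
    spoofed_sources: set = field(default_factory=set)
    egress: set = field(default_factory=set)

def aggregate(flows):
    """Per host and per minute: total UDP packets to reflector ports, plus the
    ports hit, egress devices seen and any source addresses the host does not own."""
    vol = defaultdict(dict)
    for ts, host, src, _dst, proto, dport, pkts, egress in flows:
        if proto != "udp" or dport not in REFLECTOR_PORTS:
            continue
        b = vol[host].setdefault(ts.replace(second=0, microsecond=0), Bucket())
        b.packets += pkts
        b.ports.add(dport)
        b.egress.add(egress)
        if src not in HOST_ADDRS.get(host, set()):
            b.spoofed_sources.add(src)
    return vol

def find_spikes(vol):
    """Rolling per-host baseline: a bucket is a spike when it clears the absolute
    floor and exceeds SPIKE_FACTOR times the median of earlier normal buckets."""
    spikes = []
    for host, buckets in vol.items():
        history = []
        for minute in sorted(buckets):
            b = buckets[minute]
            if len(history) >= MIN_HISTORY:
                baseline = median(history)
                if b.packets >= MIN_PACKETS and b.packets > SPIKE_FACTOR * baseline:
                    spikes.append((host, minute, baseline, b))
                    continue            # keep the spike out of the baseline
            history.append(b.packets)
    return spikes

def correlate(spikes, procs):
    """Attach process events from the same host inside the correlation window so
    the alert carries user, process, command line, ports, volume and egress path."""
    alerts = []
    for host, minute, baseline, b in spikes:
        lo = minute - CORRELATION_WINDOW
        hi = minute + timedelta(minutes=1) + CORRELATION_WINDOW
        related = [p for p in procs if p[1] == host and lo <= p[0] <= hi]
        alerts.append({
            "host": host, "minute": minute.isoformat(), "packets": b.packets,
            "baseline": baseline, "ports": sorted(b.ports),
            "spoofed_sources": sorted(b.spoofed_sources), "egress": sorted(b.egress),
            "processes": [{"user": u, "pid": pid, "comm": c, "cmdline": cl,
                           "script": c in SCRIPT_INTERPRETERS}
                          for _, _, u, pid, c, cl in related],
        })
    return alerts

def run(flows=FLOWS, procs=PROCS):
    return correlate(find_spikes(aggregate(flows)), procs)

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed data only `lnx-web-01` alerts: its 12:05 bucket (9,000 packets to ports 123 and 1900, source `203.0.113.7` that the host does not own) sits far above its median of 22, and the `python3` event 20 seconds earlier is attached. The resolver `lnx-dns-01` never alerts because its volume is high every minute, which is the point of baselining per host rather than using one global threshold; an approved-service allowlist would still belong in front of this logic in practice. Whether the spoofed source is visible at all depends on where the flows are collected, which is why the analytic notes tell you to validate that before trusting the `spoofed_sources` field.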
Mitigation priorities
- Enforce egress filtering so systems cannot send outbound traffic with unauthorized or spoofed source addressing.
- Restrict which Linux systems are allowed to generate unusual high-volume outbound traffic and document approved exceptions.
- Harden monitoring for command-line and script execution on Linux systems that have broad network access.
- Use network segmentation and firewall policy to limit unnecessary outbound access to amplification-service destinations or ports as defined by the organization.
- Maintain asset ownership and response runbooks so abnormal outbound traffic can be traced and contained quickly.
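The egress controls listed above, modelled as an added example that is not part of the Glexia page or of MITRE's ATT&CK content. A small policy object evaluates each outbound packet in order: source-address validation first (a packet whose source is outside the network's own prefixes is dropped regardless of destination), then a reflector-port restriction that lets documented exceptions through and holds every other host to a per-second packet budget, with a verdict counter that doubles as the audit evidence a runbook would need. The prefixes, reflector ports, approved host, limit and traffic are all constructed assumptions; on a real gateway the same rules would be expressed in the firewall's own policy language.

```python
"""Added example (not part of the Glexia page or MITRE's ATT&CK content): an egress
policy model that applies the mitigations above to individual outbound packets:
source-address validation, a reflector-port restriction with documented exceptions,
and a per-host rate limit for hosts that are not approved for high volume.
Prefixes, hosts, ports, limits and packets are constructed assumptions."""
import ipaddress
from collections import Counter, defaultdict

INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]       # assumed address space
REFLECTOR_PORTS = {19, 53, 123, 161, 389, 1900, 11211}          # assumed local list
APPROVED_HIGH_VOLUME = {"10.0.2.5": {53}}   # constructed exception: internal resolver
PPS_LIMIT = 500                              # packets/second to reflector ports per host

class EgressPolicy:
    def __init__(self):
        self.counters = defaultdict(int)     # (src_ip, second) -> packets seen
        self.audit = Counter()               # (verdict, reason) -> count, for runbooks

    def decide(self, second, src_ip, proto, dst_port):
        verdict = self._evaluate(second, src_ip, proto, dst_port)
        self.audit[verdict] += 1
        return verdict

    def _evaluate(self, second, src_ip, proto, dst_port):
        src = ipaddress.ip_address(src_ip)
        # 1. Source-address validation: drop anything the network does not own.
        if not any(src in net for net in INTERNAL_PREFIXES):
            return ("drop", "source address outside internal prefixes")
        # 2. Only reflector-type destinations are restricted further.
        if proto != "udp" or dst_port not in REFLECTOR_PORTS:
            return ("allow", "not a reflector port")
        # 3. Documented exceptions pass without a rate limit.
        if dst_port in APPROVED_HIGH_VOLUME.get(src_ip, set()):
            return ("allow", "approved high-volume service")
        # 4. Everyone else gets a per-host, per-second budget.
        self.counters[(src_ip, second)] += 1
        if self.counters[(src_ip, second)] > PPS_LIMIT:
            return ("drop", "reflector-port rate limit exceeded")
        return ("allow", "within reflector-port rate limit")

# Constructed traffic: (second, src_ip, proto, dst_port, packet_count)
TRAFFIC = [
    (0, "203.0.113.7", "udp", 123, 300),   # source not owned by this network
    (0, "10.0.2.5", "udp", 53, 4000),      # approved resolver
    (0, "10.0.1.10", "udp", 1900, 600),    # ordinary host, above budget
    (0, "10.0.1.10", "tcp", 443, 50),      # ordinary web traffic
]

def simulate(traffic=TRAFFIC):
    """Run the constructed traffic through the policy and return the audit counter."""
    policy = EgressPolicy()
    for second, src, proto, port, count in traffic:
        for _ in range(count):
            policy.decide(second, src, proto, port)
    return policy.audit

if __name__ == "__main__":
    for (verdict, reason), n in sorted(simulate().items()):
        print(f"{verdict:5} {n:5}  {reason}")
```

Rule order matters: the anti-spoofing check runs before any port logic, so a spoofed source is dropped even when the destination port is unrestricted, and the exception list is keyed by host and port rather than by host alone so that an approved resolver is not silently approved for every reflector port. The audit counter gives the per-reason totals an incident responder would want when tracing which control stopped what.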
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique description, and it provides a concise behavior statement without detailed detection pseudocode, tactics, mitigations, or relationships. The strongest use of this object is as a coverage-validation prompt: confirm that Linux host activity can be joined with outbound network-volume evidence and that egress controls reduce the chance of spoofed traffic leaving the environment.
Official detection content and relationship context were not supplied. Tactics are not specified. The object only lists Linux as the platform, so this take does not extend the analytic to other platforms. Local network architecture, approved services, reflector-port definitions, and available telemetry are required to implement or assess coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6ba012432169… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1141 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.