AN1151: Analytic 1151
Inspect network telemetry for adversary attempts to blend malicious traffic with legitimate flows using VPNs, proxies, or geolocation spoofing. Defensive teams may observe anomalous tunnels, encrypted sessions to suspicious domains, or geo-mismatched IP activity.
Analyst context for executives and security teams
Analytic 1151 matters because it focuses on adversary traffic that tries to look ordinary by using VPNs, proxies, or geolocation spoofing. For security leaders, the practical issue is whether network monitoring can distinguish normal encrypted remote-access or proxy use from traffic patterns that do not fit the organization’s expected geography, tunnel behavior, or destination profile.
Executive priority
Prioritize this as a network visibility and resilience question: do teams have enough network-device telemetry to explain suspicious encrypted sessions, anomalous tunnels, and geo-mismatched IP activity during an incident? This analytic can support SOC readiness, incident triage, and compliance evidence for monitoring controls, but only if the organization has defined what legitimate VPN, proxy, and geographic access patterns look like.
Technical view
Validate coverage on Network Devices for telemetry that can show tunnels, encrypted sessions, destination domains, source and destination IPs, and geolocation context. Because no ATT&CK tactics, relationships, or official detection logic are supplied, teams should treat this as a detection strategy rather than a complete rule. Detection engineering should focus on deviations from known-good VPN/proxy infrastructure, unexpected encrypted sessions to suspicious domains, and IP geolocation mismatches that conflict with normal business patterns.
Likely telemetry
- Network device logs
- VPN and proxy logs where available from network infrastructure
- Flow records showing source, destination, ports, protocols, and session metadata
- DNS or domain destination evidence when visible in network telemetry
- TLS/encrypted session metadata where available
Detection direction
- Establish baselines for approved VPNs, proxies, common remote-access locations, and expected encrypted traffic patterns.
- Alert on anomalous tunnels or encrypted sessions that do not align with approved infrastructure or normal business destinations.
- Correlate geo-mismatched IP activity with identity, access, and remote-access context before escalation to reduce false positives from travel, roaming users, cloud egress, or legitimate third-party services.
- Tune detections around suspicious domains and unusual network paths, but avoid relying on geolocation alone because it can be noisy and context-dependent.
- Document visibility gaps where encrypted traffic, proxy chaining, NAT, or limited network-device logging prevents confident assessment.
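As an added example (not part of AN1151 or the Glexia page), the Python below scores constructed flow records against an assumed approved-tunnel baseline, a constructed domain watchlist and identity context, so that a geolocation mismatch on its own stays low severity until corroborated. All hosts, users, ports and exceptions are assumptions standing in for a local baseline.

```python
from dataclasses import dataclass

# Constructed local baseline and identity context (assumed values, not from the page).
APPROVED_TUNNEL_HOSTS = {"vpn.corp.example", "proxy.corp.example"}
TUNNEL_PORTS = {1194, 51820, 500, 4500, 1080}   # OpenVPN, WireGuard, IPsec, SOCKS
EXPECTED_COUNTRY = {"alice": "DE", "bob": "US"}  # from identity/HR records
TRAVEL_EXCEPTIONS = {("bob", "JP")}              # approved business travel
SUSPICIOUS_DOMAINS = {"relay.bad.example"}       # constructed watchlist entry

@dataclass(frozen=True)
class Flow:
    user: str          # identity correlated to the session
    src_country: str   # geolocation enrichment of the source IP
    dst_host: str      # destination domain or IP from flow telemetry
    dst_port: int

def triage(flow: Flow) -> tuple[str, list[str]]:
    """Return (severity, reasons) for one flow; approved infrastructure scores 'none'."""
    if flow.dst_host in APPROVED_TUNNEL_HOSTS:
        return "none", []                        # known-good VPN/proxy baseline
    reasons = []
    if flow.dst_port in TUNNEL_PORTS:
        reasons.append("tunnel to non-approved endpoint")
    if flow.dst_host in SUSPICIOUS_DOMAINS:
        reasons.append("destination on watchlist")
    expected = EXPECTED_COUNTRY.get(flow.user)
    travelling = (flow.user, flow.src_country) in TRAVEL_EXCEPTIONS
    if expected and flow.src_country != expected and not travelling:
        reasons.append("geo mismatch without travel exception")
    # Geolocation is noisy on its own: it reaches only 'low' unless corroborated.
    if not reasons:
        return "none", reasons
    if "destination on watchlist" in reasons or len(reasons) > 1:
        return "high", reasons
    if reasons == ["geo mismatch without travel exception"]:
        return "low", reasons
    return "medium", reasons

# Constructed sample flows standing in for exported flow records.
FLOWS = [
    Flow("alice", "DE", "vpn.corp.example", 1194),    # approved VPN
    Flow("bob", "JP", "saas.example.net", 443),       # travel exception on file
    Flow("alice", "FR", "relay.bad.example", 51820),  # tunnel + watchlist + geo
    Flow("bob", "US", "203.0.113.10", 1080),          # SOCKS to unknown host
    Flow("alice", "BR", "www.example.org", 443),      # geo mismatch only
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f.user, f.src_country, f.dst_host, f.dst_port, *triage(f))
```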
Mitigation priorities
- Inventory and standardize approved VPN and proxy services so defenders know what legitimate blended traffic should look like.
- Ensure network devices produce retained, searchable telemetry for flows, tunnels, encrypted sessions, destinations, and relevant geolocation enrichment.
- Define exception handling for legitimate business travel, cloud egress, and third-party proxy use to support reliable triage.
- Use this analytic as input to SOC playbooks for suspicious network session investigation rather than as a standalone determination of malicious activity.
- Review monitoring evidence periodically for audit and incident response readiness.
Analyst notes and limits
This object is a detection analytic for the enterprise ATT&CK domain and is explicitly scoped to Network Devices. Its value is highest when paired with local baselines and enrichment that distinguish approved remote-access and proxy behavior from unusual network flows.
No official detection logic, tactics, labels, aliases, or relationship context were supplied. This summary therefore cannot infer affected techniques, adversary attribution, exploitation status, impact, or guaranteed detection coverage. Local network architecture and logging quality will determine its practical usefulness.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e5ecaa1be156… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN1151
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.