AN1169: Analytic 1169
Detects FTP, SMB, or TFTP traffic initiated by suspicious processes like PowerShell, cmd.exe, or rundll32.exe—especially with large outbound file transfers or unbalanced traffic volume.
Analyst context for executives and security teams
This analytic matters because it looks for a common business-risk pattern: built-in or commonly abused Windows processes initiating FTP, SMB, or TFTP transfers, especially when outbound volume is large or traffic is heavily one-sided. For leaders, the value is not just spotting a suspicious process name; it is validating whether the organization can see unusual file movement from Windows endpoints before it becomes an incident response, data handling, or continuity problem.
Executive priority
Prioritize this as a Windows network-and-endpoint visibility validation item. Security leaders should ask whether SOC teams can correlate process identity with network protocol activity and transfer volume for FTP, SMB, and TFTP. If that linkage is missing, investigations may depend on incomplete network logs or endpoint logs alone, weakening incident decisions, compliance evidence, and response confidence during suspected data movement events.
Technical view
For SOC and detection engineering teams, validate whether telemetry can identify PowerShell, cmd.exe, rundll32.exe, or similarly suspicious Windows processes initiating FTP, SMB, or TFTP traffic. The analytic description emphasizes large outbound file transfers and unbalanced traffic volume, so detection should combine process context, destination/protocol, byte counts, and directionality. Because ATT&CK provides no separate official detection logic and no tactic mapping for this analytic, teams should treat it as a detection strategy candidate that requires local baselining and tuning.
Likely telemetry
- Windows endpoint process creation telemetry with parent/child process context
- Endpoint network connection telemetry tied to initiating process
- Network protocol logs or flow records for FTP, SMB, and TFTP
- Outbound byte counts, inbound byte counts, and session volume metadata
- File transfer or proxy/security gateway logs where applicable
Detection direction
- Confirm that process-to-network correlation is available; network-only evidence may not show whether PowerShell, cmd.exe, or rundll32.exe initiated the traffic.
- Baseline legitimate administrative, backup, file-sharing, and software deployment activity to reduce false positives for SMB and scripted transfers.
- Tune for large outbound transfers and strongly asymmetric traffic rather than process name alone.
- Review coverage for TFTP and FTP, which may be less consistently logged than common web traffic in some environments.
- Because no relationship context or tactic mapping was supplied, map alerts to local incident categories based on observed destination, file movement, and host role.
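The correlation the points above call for can be sketched in a few dozen lines. The following is an added illustration, not ATT&CK's detection logic or Glexia's code: it joins endpoint connection events (which process opened the socket) to flow records (how many bytes moved each way) on the 5-tuple, then alerts only when a scripting or LOLBin process reaches an FTP, SMB or TFTP port and the session is large or heavily outbound, with an allow-list for baselined destinations. Every threshold, host name, address and sample event is constructed and should be replaced by locally baselined values.

```python
"""Correlate endpoint connection events with flow records and flag FTP/SMB/TFTP
sessions started by PowerShell, cmd.exe or rundll32.exe that are large or one-sided.
Added example: field names, thresholds and sample telemetry are all constructed."""
from dataclasses import dataclass

# Process images named by the analytic.
SUSPICIOUS_IMAGES = {"powershell.exe", "cmd.exe", "rundll32.exe"}
# Destination (port, transport) -> protocol label for the three transfer protocols.
TRANSFER_PORTS = {(21, "tcp"): "FTP", (445, "tcp"): "SMB", (69, "udp"): "TFTP"}
# Tuning knobs (assumed values): baseline these per environment before relying on them.
LARGE_OUTBOUND_BYTES = 5_000_000   # 5 MB sent in a single session
ASYMMETRY_RATIO = 20.0             # bytes_out / max(bytes_in, 1)
# Documented, approved transfer paths (constructed): e.g. a backup server reached over SMB.
APPROVED_DESTINATIONS = {("10.0.5.20", "SMB")}


@dataclass(frozen=True)
class ConnEvent:
    """Endpoint telemetry: the process that initiated a network connection."""
    host: str
    image: str
    pid: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    transport: str


@dataclass(frozen=True)
class FlowRecord:
    """Network telemetry: byte counts per direction for one session."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    transport: str
    bytes_out: int
    bytes_in: int


def five_tuple(e):
    """Join key shared by both record types."""
    return (e.src_ip, e.src_port, e.dst_ip, e.dst_port, e.transport)


def correlate(conns, flows):
    """Pair each connection event with its flow record; events with no flow are dropped."""
    by_tuple = {five_tuple(f): f for f in flows}
    return [(c, by_tuple[five_tuple(c)]) for c in conns if five_tuple(c) in by_tuple]


def evaluate(conn, flow):
    """Return an alert dict when process, protocol and volume conditions all hold, else None."""
    proto = TRANSFER_PORTS.get((conn.dst_port, conn.transport))
    if proto is None or conn.image.lower() not in SUSPICIOUS_IMAGES:
        return None
    if (conn.dst_ip, proto) in APPROVED_DESTINATIONS:   # baselined business path
        return None
    ratio = flow.bytes_out / max(flow.bytes_in, 1)
    reasons = []
    if flow.bytes_out >= LARGE_OUTBOUND_BYTES:
        reasons.append("large_outbound")
    if ratio >= ASYMMETRY_RATIO:
        reasons.append("asymmetric")
    if not reasons:                                      # process+protocol alone is not enough
        return None
    return {"host": conn.host, "image": conn.image, "pid": conn.pid, "protocol": proto,
            "dst": conn.dst_ip, "bytes_out": flow.bytes_out, "bytes_in": flow.bytes_in,
            "ratio": round(ratio, 1), "reasons": reasons}


def detect(conns, flows):
    """Run the rule over correlated telemetry and return the alerts in input order."""
    return [a for c, f in correlate(conns, flows) if (a := evaluate(c, f))]


# Constructed sample telemetry covering the cases the rule must separate.
SAMPLE_CONNS = [
    ConnEvent("WS01", "powershell.exe", 4120, "10.0.1.15", 51022, "203.0.113.9", 21, "tcp"),  # FTP, large and lopsided
    ConnEvent("WS01", "rundll32.exe", 3388, "10.0.1.15", 51030, "10.0.5.20", 445, "tcp"),     # approved backup target
    ConnEvent("WS02", "cmd.exe", 2210, "10.0.1.16", 51044, "198.51.100.7", 69, "udp"),        # TFTP, lopsided only
    ConnEvent("WS02", "explorer.exe", 1900, "10.0.1.16", 51050, "10.0.5.30", 445, "tcp"),     # ordinary user SMB
    ConnEvent("WS03", "powershell.exe", 5001, "10.0.1.17", 51060, "10.0.5.31", 445, "tcp"),   # small, balanced
]
SAMPLE_FLOWS = [
    FlowRecord("10.0.1.15", 51022, "203.0.113.9", 21, "tcp", 48_000_000, 12_000),
    FlowRecord("10.0.1.15", 51030, "10.0.5.20", 445, "tcp", 900_000_000, 4_000_000),
    FlowRecord("10.0.1.16", 51044, "198.51.100.7", 69, "udp", 2_600_000, 9_000),
    FlowRecord("10.0.1.16", 51050, "10.0.5.30", 445, "tcp", 30_000_000, 28_000_000),
    FlowRecord("10.0.1.17", 51060, "10.0.5.31", 445, "tcp", 40_000, 35_000),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_CONNS, SAMPLE_FLOWS):
        print(alert)
```

On the sample data only the PowerShell FTP session and the cmd.exe TFTP session alert; the rundll32 SMB transfer is suppressed by the approved-destination list even though it is the largest flow, and the balanced PowerShell SMB session never reaches the volume conditions. The join key is the full 5-tuple, so the rule silently loses connections for which no flow record exists; counting those drops is a useful coverage check for the TFTP and FTP logging gap mentioned above.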
Mitigation priorities
- First, ensure collection of endpoint process and network telemetry on Windows systems where sensitive data or administrative tooling is present.
- Restrict or monitor unnecessary FTP, SMB, and TFTP usage, especially outbound paths that are not required for business operations.
- Apply least-privilege and administrative control over scripting and command execution where operationally feasible.
- Document approved file-transfer patterns so SOC teams can distinguish expected business activity from suspicious process-driven transfers.
- Use incident response playbooks that preserve process, network, volume, and destination evidence when this analytic fires.
Analyst notes and limits
This object is a MITRE ATT&CK detection analytic, not a technique description. Its decision value is in validating whether defenders can connect Windows process behavior to file-transfer protocol activity and volume anomalies. The supplied object has no tactics, no relationships, and no official detection query, so local engineering is required.
Assessment is limited to the supplied official fields: Windows platform, the analytic description, and the MITRE external reference. No active exploitation, adversary attribution, affected organizations, specific ATT&CK technique relationships, or guaranteed detection coverage are implied.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | eca131a8b302… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1169
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.