AN1170: Analytic 1170
Detects usage of FTP, SCP, or TFTP by non-interactive shells or automation scripts transferring large data volumes to untrusted IPs.
Analyst context for executives and security teams
AN1170 is a Linux-focused detection analytic for spotting large outbound transfers over FTP, SCP, or TFTP when they are launched by non-interactive shells or automation scripts and sent to untrusted IP addresses. For leaders, the value is not the protocol list alone; it is whether the organization can distinguish approved automation from suspicious bulk movement before a data-loss or incident-response decision depends on it.
Executive priority
Prioritize this analytic where Linux systems run scheduled jobs, service accounts, data pipelines, backups, or administrative scripts. The business question is whether large automated transfers are governed, logged, and explainable. This supports incident triage, egress-control decisions, audit evidence for data handling, and validation that unmanaged scripts are not creating blind spots in security monitoring.
Technical view
Validate coverage on Linux for process execution and network activity involving ftp, scp, and tftp clients or equivalent scripted invocations. The key analytic dimensions are non-interactive execution context, automation or shell parentage, unusually large transfer volume, and destination trust status. Because no official detection logic is supplied, SOC teams should define local thresholds for “large data volumes,” maintain trusted destination lists, and test against known backup, deployment, and administrative workflows to reduce false positives.
Likely telemetry
- Linux process creation telemetry including command line, parent process, user, working directory, and TTY or session context
- EDR or auditd-style events showing non-interactive shell or automation execution
- Network flow records showing outbound destination IP, port, protocol, byte counts, and session timing
- Firewall, proxy, or network security logs for egress to untrusted or external IP addresses
- SSH/SCP-related logs where available, including user and source host context
Detection direction
- Define what counts as non-interactive execution in the local Linux environment, such as cron, systemd timers, CI/CD runners, service accounts, or shell scripts without a user TTY.
- Tune volume thresholds by host role; backup servers and data pipeline nodes may require different baselines than general-purpose Linux servers.
- Correlate process lineage with network byte counts and destination reputation or allowlist status rather than alerting on protocol use alone.
- Treat SCP carefully because it may be common for legitimate administration; require context such as unusual destination, new account, abnormal volume, or unexpected automation path.
- Review blind spots where only network telemetry exists without process context, or where encrypted SSH/SCP traffic hides file names and content.
Mitigation priorities
- Inventory and approve Linux automation that performs bulk external transfers.
- Restrict FTP and TFTP where not required, and apply controlled egress paths for approved transfer mechanisms.
- Use least-privilege service accounts and limit which scripts, hosts, and destinations can perform automated transfers.
- Maintain destination allowlists for trusted partners, backup targets, and administrative infrastructure.
- Ensure Linux process, scheduler, and network-flow logging is retained long enough to support incident response and compliance evidence.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique description, and it has no relationship context or mapped tactic in the provided fields. The practical emphasis should be validation of local Linux telemetry, destination trust modeling, and baselining of legitimate automated transfer activity.
Official detection logic is not provided, and the object only specifies Linux as the platform. Thresholds, trusted IP definitions, false-positive handling, and control effectiveness must be determined from the organization’s own environment and approved business workflows.
Analytic 1170
Detects usage of FTP, SCP, or TFTP by non-interactive shells or automation scripts transferring large data volumes to untrusted IPs.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | f47f6967fc05… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1170Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.