MITRE ATT&CK® Analytic

AN1173: Analytic 1173

Detects internal hosts generating large outbound FTP/TFTP/SMB sessions to external IPs, or file transfers using non-standard ports and application mismatches (e.g., FTP over port 80).

Domain: Enterprise | Object: AN1173 (Analytic) | Object version: 1.0 | Modified: (not supplied)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because large outbound file-transfer sessions from internal hosts to external IPs can be a business-relevant warning sign: sensitive data, operational files, or system artifacts may be leaving the environment over protocols that are often allowed or overlooked. The added focus on non-standard ports and application mismatches, such as FTP-like traffic over port 80, helps leaders ask whether network monitoring can see beyond port numbers and identify suspicious transfer behavior on network devices.

Executive priority

Prioritize this as a validation point for data-loss readiness, SOC visibility, and incident response triage. Executives and security leaders should ask whether the organization can identify unusually large outbound FTP, TFTP, or SMB sessions to external destinations, whether exceptions are documented for legitimate business transfers, and whether audit evidence exists showing that network egress monitoring is active and reviewed. This is especially relevant where business continuity depends on protecting sensitive files, regulated data, operational configurations, or partner-facing transfer workflows.

Technical view

For SOC and detection teams, validate that network-device telemetry can identify internal source hosts, external destination IPs, protocol/application classification, ports, session size, and directionality. The analytic is centered on outbound FTP, TFTP, and SMB sessions, large transfer volume, and mismatches between observed application behavior and expected port usage. Because no ATT&CK tactic or related technique context was supplied, implementation should be treated as a network egress anomaly and protocol-mismatch detection rather than tied to a specific intrusion phase without local evidence.

Likely telemetry

  • Network flow records showing source, destination, port, protocol, byte counts, and direction
  • Firewall or secure gateway logs for outbound sessions to external IPs
  • Network device application-identification logs where available
  • IDS/IPS or network monitoring events identifying FTP, TFTP, or SMB behavior
  • Proxy or egress control logs that can reveal port/application mismatches

Detection direction

  • Baseline normal outbound file-transfer volumes and destinations before setting thresholds for 'large' sessions.
  • Tune separately for FTP, TFTP, and SMB because legitimate use patterns and risk differ by environment.
  • Validate that detections use application/protocol identification where possible, not only destination port.
  • Review cases where file-transfer behavior appears on unexpected ports, such as FTP-like traffic over port 80.
  • Suppress or document known approved transfer systems, backup paths, managed file-transfer services, and partner integrations to reduce false positives.
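The telemetry fields listed in the technical view (internal source, external destination, port, application classification, byte count, direction) and the tuning points above can be combined into a small evaluation routine. The following is an added example, not MITRE's or Glexia's detection logic and not an official ATT&CK artifact. The flow-record field names, the internal address ranges, the per-protocol "large session" thresholds, the approved-transfer allowlist, and the sample records are all constructed assumptions; real thresholds must come from local baselining as the list above says.

```python
"""Added example (not MITRE or Glexia code): evaluating AN1173-style conditions
over constructed flow records.  Field names, thresholds, allowlist entries and
sample data are assumptions for illustration only."""
import ipaddress
from dataclasses import dataclass

# Internal address space (assumed: RFC 1918 only; adjust to local asset inventory).
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Server ports expected for each file-transfer application covered by the analytic.
EXPECTED_PORTS = {"ftp": {21}, "tftp": {69}, "smb": {445, 139}}

# Per-protocol "large session" thresholds in bytes.  Assumed values; tune separately
# per protocol from a baseline of normal outbound volumes, as the analytic advises.
LARGE_BYTES = {"ftp": 50_000_000, "tftp": 5_000_000, "smb": 100_000_000}

# Documented, approved transfer paths as (source, destination, application) tuples
# (assumed entry: a managed file-transfer partner).  Approval suppresses the volume
# finding only; a port/application mismatch on an approved path is still reported.
APPROVED_TRANSFERS = {("10.1.1.30", "203.0.113.40", "ftp")}


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    app: str        # application identified by the network device, not inferred from port
    bytes_out: int  # bytes sent from src to dst in this session


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def evaluate_flow(flow: Flow) -> list[str]:
    """Return the list of AN1173-style findings for one flow (empty if none)."""
    findings: list[str] = []
    app = flow.app.lower()
    if app not in EXPECTED_PORTS:
        return findings                      # not an FTP/TFTP/SMB session
    if not (is_internal(flow.src) and not is_internal(flow.dst)):
        return findings                      # only internal -> external direction
    approved = (flow.src, flow.dst, app) in APPROVED_TRANSFERS
    if flow.bytes_out >= LARGE_BYTES[app] and not approved:
        findings.append(f"large_outbound_{app}")
    if flow.dst_port not in EXPECTED_PORTS[app]:
        findings.append(f"{app}_on_nonstandard_port_{flow.dst_port}")
    return findings


def evaluate_flows(flows: list[Flow]) -> dict[tuple[str, str, int], list[str]]:
    """Map (src, dst, dst_port) to findings for every flow that produced any."""
    return {(f.src, f.dst, f.dst_port): r for f in flows if (r := evaluate_flow(f))}


# Constructed sample records (documentation address ranges used for the "external" side).
SAMPLE_FLOWS = [
    Flow("10.1.1.30", "203.0.113.40", 21, "ftp", 80_000_000),    # approved path, expected port
    Flow("10.1.1.31", "198.51.100.7", 21, "ftp", 120_000_000),   # large outbound FTP
    Flow("10.1.1.32", "198.51.100.9", 80, "ftp", 1_000_000),     # FTP-like traffic over port 80
    Flow("10.1.1.33", "10.1.5.5", 445, "smb", 500_000_000),      # internal -> internal, ignored
    Flow("10.1.1.34", "198.51.100.20", 443, "https", 900_000_000),  # not a covered application
    Flow("10.1.1.35", "198.51.100.21", 8069, "tftp", 6_000_000), # large TFTP on an odd port
]

if __name__ == "__main__":
    for key, findings in evaluate_flows(SAMPLE_FLOWS).items():
        print(key, findings)
```

Two design points follow the list above: the application label comes from the device's own classification, so a transfer on port 80 that the device identifies as FTP is still checked against the FTP port set, and the allowlist only silences the volume finding, so an approved partner path that suddenly appears on a non-standard port is still surfaced for triage.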

Mitigation priorities

  • Establish and document approved outbound file-transfer paths, destinations, and protocols.
  • Restrict unnecessary outbound FTP, TFTP, and SMB access to external IPs where business requirements do not justify it.
  • Use egress filtering and policy controls to limit non-standard port use for file-transfer protocols.
  • Maintain asset ownership and business-justification records for systems allowed to perform large external transfers.
  • Ensure SOC runbooks include triage steps for confirming whether a transfer is approved, anomalous, or incident-relevant.

Analyst notes and limits

The supplied object is a detection analytic, not a full technique description. Its value is strongest as a control-validation and telemetry-readiness check for outbound file-transfer monitoring on network devices. Local baselines, approved transfer workflows, and asset context are required to distinguish legitimate business movement from suspicious activity.

No official detection logic, ATT&CK tactic, relationships, procedure examples, or mitigations were supplied. This take is therefore limited to the stated analytic description, platform of Network Devices, and the single MITRE external reference. It should not be interpreted as evidence of active exploitation, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Analytic 1173

Detects internal hosts generating large outbound FTP/TFTP/SMB sessions to external IPs, or file transfers using non-standard ports and application mismatches (e.g., FTP over port 80).


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not supplied)
Modified: (not supplied)
Raw hash: 8ecf42bca9f65bba...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified       | Status         | Raw hash
19.1    | (not supplied)  | 1.0            | (not supplied) | Current bundle | 8ecf42bca9f6…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1173 (link: Open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.