AN1189: Analytic 1189
Detects unusual outbound connections to web services from uncommon processes using SSL/TLS, particularly those exhibiting high outbound data volume or persistence.
Analyst context for executives and security teams
This analytic matters because unusual encrypted outbound web connections from uncommon Windows processes can be an early sign that a workstation or server is communicating in a way normal business software does not. For leaders, the value is not just detecting “TLS traffic,” but knowing whether the SOC can distinguish expected browser, updater, and business-app traffic from suspicious high-volume or persistent outbound connections.
Executive priority
Prioritize this as an egress visibility and incident-readiness question: do Windows endpoints and network controls provide enough evidence to explain which process made an outbound SSL/TLS connection, where it went, how much data moved, and whether the behavior persisted? This supports business continuity, audit evidence, and faster incident decisions when encrypted outbound traffic may hide misuse or data movement.
Technical view
Validate coverage on Windows for process-to-network correlation. The analytic is focused on uncommon processes making outbound SSL/TLS connections to web services, especially when paired with high outbound data volume or persistence. SOC teams should baseline common process behavior, define what “uncommon” means locally, and tune for legitimate services, software updaters, management agents, and enterprise applications that may otherwise create noise. No ATT&CK tactic or relationship context was supplied, so detection engineering should avoid assuming a specific kill-chain stage without local evidence.
Likely telemetry
- Windows endpoint process creation and process lineage telemetry
- Endpoint network connection telemetry with destination, port, protocol, and process attribution
- Network flow or proxy logs showing outbound SSL/TLS web service connections
- TLS metadata where available, such as SNI, certificate details, or JA3/JA4-style fingerprints if collected
- Outbound data volume and session duration metrics
Detection direction
- Confirm that network events can be reliably tied back to the originating Windows process, not just the host IP.
- Baseline normal outbound SSL/TLS behavior by process, host role, user population, and business application.
- Prioritize alerts where uncommon processes show high outbound volume, repeated connections, unusual destinations, or long-lived/persistent sessions.
- Tune expected noise from browsers, approved collaboration tools, software update mechanisms, endpoint agents, and administrative tools.
- Review blind spots where encrypted traffic bypasses proxy inspection, endpoint telemetry is missing, or NAT/VPN architecture obscures source attribution.
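The page states that no detection query or thresholds were supplied with this analytic, so the following is an added example of the scoring logic the bullets above describe, not the analytic's own logic and not Glexia's code. It runs over constructed endpoint network-connection records (the JSON field names, hostnames, addresses, the expected-process baseline, and the byte, duration and repeat thresholds are all assumptions for illustration), groups connections by host, process and destination, scores uncommon processes on outbound volume, session length and repeated connections, and separately reports connections that arrive with no process attribution, the visibility gap the first and last bullets warn about.

```python
"""Added example: score outbound SSL/TLS connections from constructed
endpoint telemetry. Record shape, baseline and thresholds are assumptions,
not values from the ATT&CK analytic or the mirrored page."""
from collections import defaultdict
from dataclasses import dataclass
import json

# Constructed sample telemetry: one JSON line per outbound TCP connection,
# shaped like endpoint network-connection events with process attribution.
# Hosts, processes and addresses here are made up for this example.
SAMPLE_EVENTS = """\
{"host":"WS-0417","process":"msedge.exe","dst":"203.0.113.10","dport":443,"bytes_out":18200,"duration_s":12}
{"host":"WS-0417","process":"msedge.exe","dst":"203.0.113.11","dport":443,"bytes_out":9400,"duration_s":5}
{"host":"WS-0417","process":"svchost.exe","dst":"203.0.113.20","dport":443,"bytes_out":51200,"duration_s":30}
{"host":"WS-0417","process":"notepad.exe","dst":"198.51.100.7","dport":443,"bytes_out":45000000,"duration_s":3600}
{"host":"WS-0417","process":"notepad.exe","dst":"198.51.100.7","dport":443,"bytes_out":1200,"duration_s":4}
{"host":"WS-0417","process":"notepad.exe","dst":"198.51.100.7","dport":443,"bytes_out":1100,"duration_s":4}
{"host":"WS-0417","process":"notepad.exe","dst":"198.51.100.7","dport":443,"bytes_out":1300,"duration_s":4}
{"host":"WS-0417","process":"notepad.exe","dst":"198.51.100.7","dport":443,"bytes_out":1250,"duration_s":4}
{"host":"SRV-DB01","process":null,"dst":"198.51.100.9","dport":443,"bytes_out":2048,"duration_s":2}
"""

# Illustrative baseline of processes expected to make outbound TLS
# connections on this host population. A real baseline comes from local data.
EXPECTED_PROCESSES = {"msedge.exe", "chrome.exe", "svchost.exe", "teams.exe"}

# Illustrative thresholds (assumptions); tune from local baselining.
HIGH_VOLUME_BYTES = 10 * 1024 * 1024   # 10 MiB out to one destination
LONG_SESSION_S = 900                   # a single session of 15 minutes or more
REPEAT_CONNECTIONS = 5                 # same process to same destination
TLS_PORTS = {443, 8443}


@dataclass
class Finding:
    host: str
    process: str
    dst: str
    reasons: tuple


def parse_events(text):
    """Parse newline-delimited JSON records into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def score_events(events, expected=EXPECTED_PROCESSES):
    """Return findings for uncommon-process TLS egress, plus a finding for
    every TLS connection that carries no process attribution at all."""
    findings = []
    # Aggregate by (host, process, destination) so that many short
    # connections to one destination surface as persistence, not noise.
    groups = defaultdict(list)
    for ev in events:
        if ev["dport"] not in TLS_PORTS:
            continue
        proc = ev["process"]
        if proc is None:
            # Visibility gap: the network event cannot be tied to a process.
            findings.append(Finding(ev["host"], "<unattributed>", ev["dst"],
                                    ("no process attribution",)))
            continue
        groups[(ev["host"], proc.lower(), ev["dst"])].append(ev)

    for (host, proc, dst), evs in groups.items():
        if proc in expected:
            continue  # tuned-out noise: expected processes are not scored here
        reasons = ["uncommon process"]
        total_out = sum(e["bytes_out"] for e in evs)
        longest = max(e["duration_s"] for e in evs)
        if total_out >= HIGH_VOLUME_BYTES:
            reasons.append("high outbound volume")
        if longest >= LONG_SESSION_S:
            reasons.append("long-lived session")
        if len(evs) >= REPEAT_CONNECTIONS:
            reasons.append("repeated connections")
        findings.append(Finding(host, proc, dst, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in score_events(parse_events(SAMPLE_EVENTS)):
        print(f.host, f.process, f.dst, ", ".join(f.reasons))
```

Two design points worth keeping when adapting this to real telemetry: the unattributed record is emitted as its own finding rather than silently dropped, because a connection the endpoint agent could not attribute is itself evidence of a coverage gap; and the expected-process set is applied after grouping, so an allowlisted process name still contributes to destination and volume aggregates if a later rule wants to score expected processes on unusual destinations.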
Mitigation priorities
- Improve egress visibility before relying on the analytic: endpoint telemetry, proxy or network flow logging, and retention should support process-level investigation.
- Restrict unnecessary outbound web access from servers and sensitive Windows systems where business requirements allow.
- Maintain application allowlists or expected-process baselines for high-value systems to make uncommon process behavior easier to identify.
- Ensure incident response playbooks include rapid validation of process lineage, destination reputation/context, data volume, and persistence indicators.
- Use findings to inform control gaps in endpoint monitoring, egress filtering, proxy coverage, and compliance evidence collection.
Analyst notes and limits
This is a detection analytic object, not a technique description. The supplied ATT&CK fields identify Windows as the platform and describe detection of unusual outbound SSL/TLS web-service connections from uncommon processes with emphasis on high outbound data volume or persistence. No relationship context, tactic mapping, aliases, or official detection logic were supplied.
The object does not provide a concrete detection query, thresholds, data sources, tactics, related techniques, or known adversary usage. Local baselining is required to define uncommon processes, normal outbound volume, and persistence patterns. Detection quality depends heavily on endpoint-to-network correlation and visibility into encrypted outbound traffic metadata.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9306cd2ed535… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1189
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.