AN1190: Analytic 1190
Detects command-line tools, agents, or scripts making outbound HTTPS connections to popular web services like Discord, Slack, Dropbox, or Graph API in an unusual context.
Analyst context for executives and security teams
AN1190 is a Linux-focused detection analytic for spotting command-line tools, agents, or scripts making outbound HTTPS connections to widely used web services such as Discord, Slack, Dropbox, or Microsoft Graph API in an unusual context. The business value is not that these services are inherently malicious; it is that trusted web services can blend into normal internet traffic, making unusual outbound activity from servers, automation hosts, or user systems important to validate during SOC monitoring and incident response.
Executive priority
Security leaders should treat this analytic as a coverage question for outbound traffic governance and SOC visibility on Linux systems. Key decisions include whether the organization can distinguish approved business integrations from unusual command-line or scripted HTTPS activity, whether egress monitoring is sufficient for incident response, and whether evidence exists to support audit or investigation needs when common cloud and collaboration services are involved.
Technical view
For SOC and detection engineering teams, validate whether Linux endpoint, process, command-line, and network telemetry can correlate outbound HTTPS destinations with the initiating process or script. Because ATT&CK provides no official detection logic and no relationship context, teams should define local baselines for expected use of Discord, Slack, Dropbox, Graph API, and similar services by host role, user context, process name, parent process, and execution path. The analytic should focus on unusual context rather than service name alone to avoid noisy detections from legitimate integrations.
Likely telemetry
- Linux process creation events with command-line arguments
- Parent-child process relationships for command-line tools, agents, and scripts
- Outbound HTTPS connection metadata from Linux hosts
- DNS or proxy logs resolving popular web service domains
- Network destination, SNI, URL, or HTTP CONNECT metadata where available
Detection direction
- Confirm that outbound HTTPS activity can be tied back to the initiating Linux process or script; network-only alerts may lack enough context.
- Baseline expected use of popular web services by server role, automation job, user, and approved business integration.
- Tune for unusual combinations such as uncommon command-line clients, unexpected parent processes, nonstandard execution paths, or activity from hosts that should not contact these services.
- Account for false positives from legitimate SaaS integrations, backup/sync tooling, developer workflows, monitoring agents, and automation scripts.
- Prioritize investigation when unusual web-service connections coincide with suspicious process lineage or unapproved tooling.
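The correlation and baselining steps above, as an added illustration that is not the analytic's own logic (ATT&CK publishes none for AN1190) and not code from the page: it joins constructed Linux process-creation events to constructed outbound connection records by host and pid, recovers the parent process, maps the destination SNI to one of the named services, and then judges the (host role, process, parent, execution path) context against a constructed per-role baseline. Service domains, hosts, roles and the baseline are all example values.

```python
"""Added illustration for AN1190 (not the analytic's own logic, which ATT&CK does
not publish): correlate outbound HTTPS connections with the initiating Linux
process and its parent, then judge the context against a per-host-role baseline.
Every record, domain list and baseline below is constructed for the example."""
import os
from collections import namedtuple

# host, pid, ppid, executable path, command line, user
ProcessEvent = namedtuple("ProcessEvent", "host pid ppid image cmdline user")
# host, pid that opened the connection, TLS SNI (or proxy CONNECT host), port
NetEvent = namedtuple("NetEvent", "host pid dest_sni dest_port")
Finding = namedtuple("Finding", "host pid service process parent reasons")

# Hostnames for the services the analytic names (constructed list, extend locally).
POPULAR_SERVICES = {
    "discord.com": "discord",
    "slack.com": "slack",
    "dropboxapi.com": "dropbox",
    "graph.microsoft.com": "graph",
}
# Where packaged binaries normally live; anything else counts as a nonstandard path.
STANDARD_PATHS = ("/usr/bin/", "/usr/sbin/", "/usr/local/bin/", "/bin/", "/usr/lib/", "/opt/")


def service_for(sni):
    """Map a destination name to a service, matching the domain and its subdomains."""
    sni = sni.lower().rstrip(".")
    for domain, service in POPULAR_SERVICES.items():
        if sni == domain or sni.endswith("." + domain):
            return service
    return None


def correlate(process_events, net_events):
    """Attach the initiating process and its parent to each HTTPS connection
    that targets a popular service; yields (net, proc, parent, service)."""
    procs = {(p.host, p.pid): p for p in process_events}
    for n in net_events:
        service = service_for(n.dest_sni)
        if n.dest_port != 443 or service is None:
            continue
        proc = procs.get((n.host, n.pid))
        parent = procs.get((n.host, proc.ppid)) if proc else None
        yield n, proc, parent, service


def find_unusual(process_events, net_events, baseline, host_roles):
    """Flag connections whose context is not in the baseline for the host's role."""
    findings = []
    for n, proc, parent, service in correlate(process_events, net_events):
        role = host_roles.get(n.host, "unknown")
        if proc is None:
            # Network-only record: keep it, but note it cannot be attributed to a process.
            findings.append(Finding(n.host, n.pid, service, "?", "?",
                                    ["no process context for connection"]))
            continue
        pname = os.path.basename(proc.image)
        parent_name = os.path.basename(parent.image) if parent else "?"
        reasons = []
        if role not in baseline:
            reasons.append(f"host role '{role}' has no approved use of {service}")
        elif service not in baseline[role].get((pname, parent_name), set()):
            reasons.append(f"{pname} (parent {parent_name}) not approved for "
                           f"{service} on role '{role}'")
        if not proc.image.startswith(STANDARD_PATHS):
            reasons.append(f"nonstandard execution path {proc.image}")
        if reasons:
            findings.append(Finding(n.host, n.pid, service, pname, parent_name, reasons))
    return findings


# Constructed telemetry: process creation (with parents) and outbound connections.
PROCESS_EVENTS = [
    ProcessEvent("ci01", 100, 1, "/usr/bin/gitlab-runner", "gitlab-runner run", "gitlab-runner"),
    ProcessEvent("ci01", 101, 100, "/usr/bin/python3", "python3 notify.py --channel builds", "gitlab-runner"),
    ProcessEvent("web07", 200, 1, "/usr/sbin/nginx", "nginx -g daemon off;", "root"),
    ProcessEvent("web07", 201, 200, "/usr/bin/curl", "curl -s https://discord.com/api", "www-data"),
    ProcessEvent("db02", 300, 1, "/bin/bash", "bash", "postgres"),
    ProcessEvent("db02", 301, 300, "/tmp/.cache/agent", "agent --sync", "postgres"),
]
NET_EVENTS = [
    NetEvent("ci01", 101, "hooks.slack.com", 443),          # approved integration
    NetEvent("web07", 201, "discord.com", 443),             # web server spawning curl
    NetEvent("db02", 301, "content.dropboxapi.com", 443),   # unknown binary in /tmp
    NetEvent("web07", 999, "graph.microsoft.com", 443),     # no matching process event
    NetEvent("ci01", 101, "repo.example.internal", 443),    # not a popular service
]
# Constructed baseline: role -> {(process, parent): approved services}.
BASELINE = {
    "ci-runner": {("python3", "gitlab-runner"): {"slack"}},
    "web": {},
    "database": {},
}
HOST_ROLES = {"ci01": "ci-runner", "web07": "web", "db02": "database"}

if __name__ == "__main__":
    for f in find_unusual(PROCESS_EVENTS, NET_EVENTS, BASELINE, HOST_ROLES):
        print(f"{f.host} pid={f.pid} {f.process}<-{f.parent} -> {f.service}: {'; '.join(f.reasons)}")
```

On the constructed data the approved CI notification to Slack produces nothing, while the web server's curl child, the binary running from /tmp, and the connection with no process record are each surfaced with the reason that applies. The baseline is keyed on role and on the process/parent pair rather than on the service domain alone, which is the point the detection direction makes about tuning for unusual context instead of the service name.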
Mitigation priorities
- Inventory approved Linux systems, scripts, agents, and integrations that legitimately connect to collaboration, storage, or API services.
- Apply egress control and proxy policy where appropriate so unmanaged Linux systems cannot freely initiate outbound HTTPS to unnecessary services.
- Strengthen endpoint logging on Linux to capture process, command-line, parent process, user, and network connection context.
- Review service account and automation permissions used for legitimate web-service integrations.
- Use allowlists carefully, based on business-approved integrations and host roles rather than broad trust in popular service domains.
Analyst notes and limits
This object is a detection analytic, not a technique or procedure. Its value depends heavily on local baselining and telemetry quality. The supplied ATT&CK fields specify Linux platform coverage and a description of the analytic, but no official detection logic, tactics, linked techniques, or relationships were provided.
The source data does not include official detection pseudocode, data components, ATT&CK tactic mapping, related techniques, adversary use, or mitigation references. Any production rule, severity model, or assertion of maliciousness requires local environment evidence and approved-use context.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 47f58bcfe8dd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1190
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.