AN1225: Analytic 1225
Detects suspicious usage of common application-layer protocols (e.g., HTTP, HTTPS, DNS, SMB) by abnormal processes, with high outbound byte counts or irregular ports, possibly indicating command and control or data exfiltration.
Analyst context for executives and security teams
This analytic matters because it targets a common risk pattern: ordinary network protocols such as HTTP, HTTPS, DNS, and SMB being used by unusual Windows processes, especially with high outbound data volume or unexpected ports. For leaders, the question it answers is whether the organization can tell normal application traffic apart from suspicious process-driven network activity that may indicate command and control or data movement.
Executive priority
Prioritize this as a validation point for SOC and incident response readiness on Windows endpoints. The key business question is not whether HTTP, HTTPS, DNS, or SMB are allowed, but whether security teams can prove which processes are using them, whether outbound volume is abnormal, and whether unusual ports are investigated quickly. This supports resilience, audit evidence for monitoring coverage, and better prioritization of network and endpoint telemetry investments.
Technical view
For Windows environments, validate that detections correlate process identity with application-layer protocol usage, destination port, directionality, and outbound byte volume. Because the official detection logic is not provided and no ATT&CK tactics or relationships are supplied, teams should treat this as a detection design requirement rather than a ready-to-run rule. SOC tuning should focus on abnormal processes using common protocols, high outbound byte counts, and protocol use on irregular ports, while accounting for legitimate updaters, backup tools, browsers, collaboration software, and administrative utilities.
Likely telemetry
- Windows endpoint process execution metadata
- Process-to-network connection telemetry
- Outbound byte counts or flow volume records
- Destination ports and protocol indicators for HTTP, HTTPS, DNS, and SMB
- Network flow, proxy, DNS, firewall, or EDR network events
Detection direction
- Confirm visibility that links Windows processes to outbound network connections; network-only logs may not identify the abnormal process responsible.
- Baseline normal protocol use by common business applications before alerting on high outbound byte counts.
- Tune for irregular ports associated with common application-layer protocols, but review legitimate exceptions such as proxies, VPN clients, management agents, and backup software.
- Use volume-based thresholds carefully; high outbound bytes can be benign in synchronization, patching, backup, or file-transfer workflows.
- Because no official detection query is supplied, document local assumptions, thresholds, and exclusions as part of detection engineering evidence.
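The technical view and the detection direction items above describe the same correlation: process identity joined to protocol, destination port, direction, and outbound byte volume, checked against a per-process baseline with a floor so that low-volume protocols do not alert on tiny deviations. The following is an added example, not the ATT&CK object's detection logic and not Glexia's code; the event shape, the expected-port and expected-process allowlists, the thresholds, and the sample history and live events are all constructed for illustration and would be replaced by the environment's own EDR or Sysmon network telemetry and baselines.

```python
"""Process-aware protocol anomaly check over constructed process-to-network events.

Added example (not the ATT&CK analytic's own logic): correlates the process that
opened an outbound connection with protocol, destination port and byte volume,
using a per-(host, process, protocol) baseline. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Ports each protocol is expected on; anything else is an "irregular port".
# Assumed mapping for this example; tune to the environment.
EXPECTED_PORTS = {"http": {80, 8080}, "https": {443, 8443}, "dns": {53}, "smb": {445}}

# Processes expected to speak each protocol (constructed allowlist, assumed).
EXPECTED_PROCESSES = {
    "http": {"chrome.exe", "msedge.exe", "svchost.exe"},
    "https": {"chrome.exe", "msedge.exe", "svchost.exe", "teams.exe"},
    "dns": {"svchost.exe"},
    "smb": {"system"},
}


@dataclass(frozen=True)
class NetEvent:
    """One process-to-network record (e.g. an EDR network event enriched with flow bytes)."""
    host: str
    process: str
    protocol: str
    dst_port: int
    direction: str   # "outbound" or "inbound"
    bytes_out: int   # bytes sent by the process during the flow window


def build_baseline(history):
    """Mean and population stddev of outbound bytes per (host, process, protocol)."""
    samples = defaultdict(list)
    for ev in history:
        if ev.direction == "outbound":
            samples[(ev.host, ev.process.lower(), ev.protocol.lower())].append(ev.bytes_out)
    return {key: (mean(vals), pstdev(vals)) for key, vals in samples.items()}


def evaluate(ev, baseline, sigma=3.0, min_bytes=100_000):
    """Return tags for the conditions the analytic describes; empty list if benign."""
    tags = []
    if ev.direction != "outbound":
        return tags                       # the analytic is about outbound use only
    proto, proc = ev.protocol.lower(), ev.process.lower()
    if proc not in EXPECTED_PROCESSES.get(proto, set()):
        tags.append("abnormal_process")
    if ev.dst_port not in EXPECTED_PORTS.get(proto, set()):
        tags.append("irregular_port")
    key = (ev.host, proc, proto)
    if key in baseline:
        mu, sd = baseline[key]
        # Floor keeps low-volume protocols (DNS) from alerting on tiny deviations.
        threshold = max(min_bytes, mu + sigma * sd)
    else:
        threshold = min_bytes             # no history for this process: floor only
    if ev.bytes_out > threshold:
        tags.append("high_outbound_volume")
    return tags


def detect(events, baseline):
    """Score a batch of events and keep only the flagged ones."""
    return [(ev, tags) for ev in events if (tags := evaluate(ev, baseline))]


# Constructed history used to baseline normal volumes on host WS01.
HISTORY = [
    NetEvent("WS01", "chrome.exe", "https", 443, "outbound", b)
    for b in (120_000, 150_000, 90_000, 140_000)
] + [
    NetEvent("WS01", "svchost.exe", "dns", 53, "outbound", b)
    for b in (500, 800, 600, 700)
]

# Constructed live events to score.
LIVE = [
    NetEvent("WS01", "chrome.exe", "https", 443, "outbound", 130_000),    # benign
    NetEvent("WS01", "powershell.exe", "https", 443, "outbound", 5_000),   # abnormal process
    NetEvent("WS01", "svchost.exe", "dns", 53, "outbound", 2_500_000),     # DNS volume spike
    NetEvent("WS01", "chrome.exe", "https", 4444, "outbound", 50_000),     # irregular port
    NetEvent("WS01", "chrome.exe", "https", 443, "inbound", 9_000_000),    # inbound: ignored
    NetEvent("WS01", "rundll32.exe", "smb", 445, "outbound", 800_000),     # abnormal + volume
]

if __name__ == "__main__":
    for ev, tags in detect(LIVE, build_baseline(HISTORY)):
        print(f"{ev.host} {ev.process} {ev.protocol}/{ev.dst_port} {ev.bytes_out}B -> {', '.join(tags)}")
```

Two design points carry over to a production rule: the volume check is evaluated per process and protocol, not per host, so a browser's normal HTTPS volume does not mask a spike from an unexpected process; and an unbaselined process is judged against the floor alone, which is where documented exclusions for updaters, backup agents and collaboration tools belong.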
Mitigation priorities
- Ensure EDR or equivalent endpoint telemetry captures process-to-network activity on Windows systems.
- Maintain network egress controls and logging for common protocols and unusual ports.
- Review and document approved applications and services that generate high outbound traffic.
- Use least-privilege and application control where appropriate to reduce unauthorized processes initiating network communications.
- Prepare incident response triage procedures for suspicious outbound process activity, including containment decision points and evidence preservation.
Analyst notes and limits
This assessment is based only on the supplied ATT&CK analytic fields. The object describes suspicious use of common application-layer protocols by abnormal processes with high outbound byte counts or irregular ports, possibly indicating command and control or data exfiltration. No official detection logic, tactics, aliases, labels, or relationship context were supplied.
Coverage depends on local Windows endpoint and network telemetry quality. The supplied object does not provide a specific detection query, ATT&CK technique relationships, thresholds, known adversary use, or active exploitation context, so implementation must be validated against the organization’s environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f9f830c09109… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1225 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.