MITRE ATT&CK® Analytic

AN1229: Analytic 1229

Suspicious process spawning (e.g., `rundll32`, `svchost`, `powershell`, or `netsh`) followed by network connection creation to internal hosts or uncommon external endpoints on high or non-standard ports.

Enterprise · AN1229 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because it ties suspicious Windows process execution to outbound or internal network activity. For leaders, the practical question is whether the organization can see when commonly abused utilities such as rundll32, svchost, powershell, or netsh start and then connect to unusual internal systems or uncommon external destinations on high or non-standard ports. That visibility is often important for early incident triage and for proving that endpoint and network monitoring are connected enough to support response decisions.

Executive priority

Prioritize this as a Windows monitoring and response-readiness validation. It can help assess whether SOC teams have the evidence needed to connect process behavior with network connections, which is critical for business continuity during suspected compromise. Executives should ask whether endpoint telemetry, network telemetry, and alert triage workflows can answer: which process connected, from which host, to what destination, on what port, and whether that destination is expected for the business.

Technical view

Validate coverage for Windows process creation followed by network connection creation, especially involving rundll32, svchost, powershell, or netsh. Because ATT&CK does not provide a detection implementation or tactics for this analytic, teams should treat it as a detection design requirement rather than a ready rule. Focus on correlating parent/child process context, command line where available, destination host/IP, destination port, internal versus external routing, and whether the endpoint or port is rare for that host, user, or environment.

Likely telemetry

  • Windows process creation events
  • Process command-line and parent/child process context
  • Endpoint network connection events
  • Network flow or firewall logs showing source, destination, and port
  • Asset context for internal hosts and expected services

Detection direction

  • Confirm telemetry can correlate a specific Windows process to a specific network connection in close time proximity.
  • Tune around legitimate administrative and system activity involving powershell, netsh, svchost, and rundll32 to reduce false positives.
  • Baseline expected internal service ports and known administrative destinations before treating high or non-standard ports as suspicious.
  • Review blind spots where endpoint network telemetry is missing, command-line capture is disabled, or network logs cannot map activity back to a host/process.
  • Use this analytic as a hunting and triage pattern where official ATT&CK detection logic is not supplied.
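The correlation described under "Technical view" and in the points above can be prototyped on endpoint telemetry before any production rule exists. The following is an added example written for this page, not code from Glexia or MITRE: it joins process-creation records to later network-connection records from the same process (fields loosely modelled on Sysmon Event ID 1 and Event ID 3; the field names, the RFC 1918 notion of "internal", the service baseline and the sample events are all constructed assumptions), restricts attention to the four utilities the analytic names, and reports only connections whose destination or port falls outside the baseline. Connections with no process-creation record in the window are skipped rather than guessed at, which is exactly the blind spot the fourth bullet asks teams to review.

```python
"""Correlate process creation with subsequent network connections from
commonly abused Windows utilities and flag unusual destinations.
Field names follow Sysmon (Event ID 1 / Event ID 3) loosely; all baselines
and sample events are constructed for the example."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

WATCHED_IMAGES = {"rundll32.exe", "svchost.exe", "powershell.exe", "netsh.exe"}
COMMON_EXTERNAL_PORTS = {80, 443}
CORRELATION_WINDOW = timedelta(seconds=120)
# "Internal" = RFC 1918 here; adjust to the organisation's real routing.
INTERNAL_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Expected internal services (destination -> ports); constructed baseline that
# would normally come from the asset/service inventory.
INTERNAL_SERVICE_BASELINE: Dict[str, set] = {"10.0.0.5": {445, 135}, "10.0.0.10": {389, 636}}

# Constructed sample telemetry (UTC timestamps).
SAMPLE_EVENTS: List[dict] = [
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:00", "ProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 3, "UtcTime": "2024-05-01 10:00:05", "ProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "10.0.0.10", "DestinationPort": 389},
    {"EventID": 1, "UtcTime": "2024-05-01 10:05:00", "ProcessGuid": "{B2}",
     "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\x.dll,Start", "User": r"CORP\alice"},
    {"EventID": 3, "UtcTime": "2024-05-01 10:05:12", "ProcessGuid": "{B2}",
     "Image": r"C:\Windows\System32\rundll32.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 4444},
    {"EventID": 1, "UtcTime": "2024-05-01 10:10:00", "ProcessGuid": "{C3}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden", "User": r"CORP\bob"},
    {"EventID": 3, "UtcTime": "2024-05-01 10:10:03", "ProcessGuid": "{C3}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "DestinationIp": "203.0.113.7", "DestinationPort": 8443},
    # Connection with no process-creation record (telemetry gap): cannot be correlated, so it is skipped.
    {"EventID": 3, "UtcTime": "2024-05-01 11:00:00", "ProcessGuid": "{D4}",
     "Image": r"C:\Windows\System32\netsh.exe", "DestinationIp": "198.51.100.2", "DestinationPort": 443},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def classify_destination(dest_ip: str, port: int) -> Optional[str]:
    """Return why the destination/port is unusual, or None if it matches the baseline."""
    if is_internal(dest_ip):
        expected = INTERNAL_SERVICE_BASELINE.get(dest_ip)
        if expected is None:
            return f"internal host {dest_ip} not in service baseline"
        if port not in expected:
            return f"port {port} not expected for internal host {dest_ip}"
        return None
    if port not in COMMON_EXTERNAL_PORTS:
        return f"external endpoint on non-standard port {port}"
    return None


def correlate(events: List[dict], window: timedelta = CORRELATION_WINDOW) -> List[dict]:
    """Join each connection from a watched image to the process-creation event with
    the same ProcessGuid inside `window`; keep only baseline-violating destinations."""
    creations: Dict[str, dict] = {}
    findings: List[dict] = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):  # fixed-width timestamps sort lexically
        if ev["EventID"] == 1:
            creations[ev["ProcessGuid"]] = ev
            continue
        if ev["EventID"] != 3 or _basename(ev["Image"]) not in WATCHED_IMAGES:
            continue
        start = creations.get(ev["ProcessGuid"])
        if start is None:
            continue  # no process context: "which process connected" cannot be answered
        delta = _parse(ev["UtcTime"]) - _parse(start["UtcTime"])
        if delta > window:
            continue
        reason = classify_destination(ev["DestinationIp"], ev["DestinationPort"])
        if reason is None:
            continue
        findings.append({
            "process": _basename(start["Image"]),
            "parent": _basename(start["ParentImage"]),
            "command_line": start["CommandLine"],
            "user": start["User"],
            "destination": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}',
            "internal": is_internal(ev["DestinationIp"]),
            "seconds_after_start": int(delta.total_seconds()),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, the svchost connection to the directory server on an expected port produces nothing, the rundll32 connection to the file server on port 4444 and the PowerShell connection to an external host on 8443 are reported with parent, command line and user attached, and the netsh connection with no creation record is dropped. Each finding already carries the fields the "Executive priority" paragraph asks triage to answer (which process, to what destination, on what port); host identity would come from the collector that ships the events.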

Mitigation priorities

  • Ensure Windows endpoint logging captures process creation and network connection evidence needed for investigation.
  • Maintain asset and service inventories so defenders can distinguish expected internal connections from unusual lateral or administrative activity.
  • Restrict and monitor administrative tool usage according to least privilege and approved operations.
  • Improve SOC playbooks for investigating suspicious process-to-network correlations, including ownership checks for destination systems and business justification for unusual ports.
  • Validate logging retention and audit evidence so incidents can be reconstructed after initial alerting.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Windows describing suspicious process spawning followed by network connections to internal hosts or uncommon external endpoints on high or non-standard ports. No tactics, relationships, aliases, or official detection logic were supplied, so the strongest use is as a coverage and correlation requirement for SOC and incident response teams.

This take is limited to the official STIX fields and external reference provided. It does not establish attribution, active exploitation, specific ATT&CK tactics, or guaranteed detection efficacy. Local baselines, approved administration patterns, and telemetry quality are required to determine whether activity is suspicious in a given environment.

Official MITRE ATT&CK definition

Analytic 1229

Suspicious process spawning (e.g., `rundll32`, `svchost`, `powershell`, or `netsh`) followed by network connection creation to internal hosts or uncommon external endpoints on high or non-standard ports.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 6fd97a604f1a1d53...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 6fd97a604f1a…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1229 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.