Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1376: Analytic 1376

Establishing network connections on uncommon ports or protocols following C2 disruption or blocking. Often executed by processes that typically exhibit no network activity.

EnterpriseAN1376AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it focuses on a common resilience problem in detection: when command-and-control traffic is disrupted or blocked, malicious activity may shift to unusual ports or protocols, sometimes from Windows processes that normally do not communicate on the network. For leaders, the value is not just spotting an odd connection; it is confirming whether the organization can recognize suspicious fallback behavior after a control action, outage, or blocking event.

Executive priority

Prioritize this as a validation point for SOC readiness and incident response playbooks. If teams block suspected C2 infrastructure but do not monitor for new outbound connections on uncommon ports or from unusual Windows processes, containment decisions may create a false sense of closure. Executives should ask whether network controls, endpoint telemetry, and SOC procedures can prove that blocked activity did not simply move elsewhere.

Technical view

For Windows environments, validate whether telemetry can correlate blocked or disrupted network activity with subsequent outbound connections using uncommon ports or protocols, especially from processes that typically have little or no network activity. Because no official detection logic is provided, teams should define local baselines for normal process-to-network behavior, expected ports, and protocol usage, then tune for deviations that occur after blocking or disruption events. Treat this as a behavior-driven analytic rather than a single indicator-based rule.

Likely telemetry

  • Windows endpoint process execution and process-to-network connection events
  • Network connection metadata including source process where available, destination, port, protocol, and timing
  • Firewall, proxy, EDR, or network security control logs showing blocked or disrupted connections
  • Asset and application baselines identifying which Windows processes normally initiate network traffic
  • Incident response timeline data linking containment actions to subsequent network behavior

Detection direction

  • Validate that endpoint and network telemetry can be joined by host, process, user context where available, destination, port, protocol, and time.
  • Baseline common versus uncommon ports and protocols by environment; avoid relying on generic port rarity alone.
  • Look for new or unusual network activity from processes that normally show no network behavior, especially shortly after blocking or disruption of suspected C2 traffic.
  • Tune false positives from legitimate software updates, administrative tools, security agents, and enterprise applications that may use nonstandard ports.
  • Because ATT&CK provides no official detection implementation for this analytic, test coverage with internal datasets and incident simulations rather than assuming vendor alerts cover it.

Mitigation priorities

  • Ensure egress filtering and network security controls are paired with monitoring for fallback or alternate outbound communication attempts.
  • Maintain process and network baselines for Windows systems that support rapid triage of unusual process-to-port behavior.
  • Document IR playbooks so containment actions include follow-up hunting for changed network paths, not only confirmation that the original connection is blocked.
  • Use allowlisting or controlled outbound access where operationally feasible, while accounting for business-critical applications that require nonstandard ports.
  • Preserve logs from endpoint, firewall, proxy, and network controls long enough to reconstruct before-and-after activity around disruption events.
Analyst notes and limits

This object is a detection analytic, not a technique or procedure. The supplied ATT&CK fields identify Windows as the platform and describe uncommon port or protocol use following C2 disruption or blocking, but tactics are not specified and no relationship context is supplied. The main decision value is coverage validation: can the SOC detect behavioral change after a block, and can IR teams prove whether containment held?

Official detection content is not provided, and no relationships, data sources, mitigations, groups, malware, campaigns, or procedures are supplied. Local baselines are required to define what counts as an uncommon port, uncommon protocol, or process that normally has no network activity. This summary does not imply active exploitation, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Analytic 1376

Establishing network connections on uncommon ports or protocols following C2 disruption or blocking. Often executed by processes that typically exhibit no network activity.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
00dd283d735fec05...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 00dd283d735f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1376
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use