MITRE ATT&CK® Analytic

AN1413: Analytic 1413

Detects non-browser processes that establish encrypted outbound connections (e.g., TLS/SSL) to unfamiliar or atypical destinations for the host/user, following a data staging or compression event.

Enterprise | AN1413 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting a common exfiltration pattern on Windows: a non-browser process creates an encrypted outbound connection to a destination that is unusual for that host or user after data has been staged or compressed. For leaders, the value is not simply “find TLS traffic,” but validating whether the organization can connect endpoint behavior, file staging activity, and network egress context quickly enough to support incident decisions.

Executive priority

Prioritize this as a control-validation and response-readiness question: can the SOC distinguish normal encrypted business traffic from suspicious encrypted outbound activity by unusual processes, destinations, and recent data-preparation events? This matters for business continuity, breach containment, audit evidence, and incident response because encrypted outbound traffic can hide data movement unless endpoint and network telemetry are correlated.

Technical view

For Windows environments, validate whether detections can correlate three evidence points: non-browser process network connections, encrypted outbound sessions such as TLS/SSL, and preceding data staging or compression activity. Because no ATT&CK detection logic is provided, teams should treat AN1413 as an analytic design requirement rather than a ready-to-run rule. Baselines are important: “unfamiliar or atypical” destinations require host/user history, expected application behavior, and allowlisted business services.

Likely telemetry

  • Windows process creation and process lineage telemetry
  • Endpoint network connection telemetry showing initiating process, destination, port, and protocol where available
  • TLS/SSL or encrypted outbound session metadata
  • DNS and proxy logs for destination context
  • File creation, archive/compression, or data staging activity on Windows hosts

Detection direction

  • Validate visibility into which process initiates outbound encrypted connections, not only destination IP or domain.
  • Tune for non-browser processes connecting to unfamiliar or atypical destinations after recent staging or compression events.
  • Build baselines by host and user to reduce false positives from legitimate updaters, backup tools, synchronization clients, developer tools, and enterprise agents.
  • Correlate endpoint and network logs; either source alone may miss the sequence described by the analytic.
  • Review blind spots where TLS inspection is unavailable, endpoint network telemetry is not collected, or destination reputation/context is weak.
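The correlation the bullets above describe can be checked end to end on a handful of endpoint events. The following is an added example, not MITRE's detection logic and not Glexia's code: it joins the three evidence points (archive creation as a staging signal, a process-level outbound connection on a TLS-bearing port from a non-browser image, and a destination outside the host/user baseline) within a short time window. The event schema is a constructed Sysmon-like simplification, and the browser list, archive extensions, port set, baseline and ten-minute window are illustrative assumptions a deployment would replace with its own baselines.

```python
"""AN1413-style correlation over constructed endpoint events.

Added example; not MITRE's or Glexia's detection logic. The event schema is
a constructed, Sysmon-like simplification (assumption): 'file_create' events
carry a 'target' path, 'net_connect' events carry 'dest' and 'port'. The
browser list, archive extensions, encrypted ports, per-host/user baseline and
the 10-minute staging window are illustrative assumptions.
"""
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
ARCHIVE_EXT = (".zip", ".7z", ".rar", ".gz", ".tar", ".cab")
ENCRYPTED_PORTS = {443, 8443, 465, 993, 995}   # TLS-bearing ports (assumption)
STAGING_WINDOW = timedelta(minutes=10)          # staging -> egress window (assumption)

# Known encrypted destinations per (host, user); constructed baseline.
BASELINE = {
    ("WS01", "alice"): {"updates.example-corp.local", "backup.example-corp.local"},
    ("WS02", "bob"): {"updates.example-corp.local"},
}

# Constructed sample telemetry; destinations use RFC 5737 documentation ranges.
EVENTS = [
    {"ts": "2024-05-01T08:30:00", "host": "WS02", "user": "bob", "event": "file_create",
     "image": r"C:\Program Files\7-Zip\7z.exe", "target": r"C:\Users\bob\Documents\old.zip"},
    {"ts": "2024-05-01T09:00:00", "host": "WS01", "user": "alice", "event": "file_create",
     "image": r"C:\Program Files\7-Zip\7z.exe", "target": r"C:\Users\alice\AppData\Local\Temp\stage.7z"},
    {"ts": "2024-05-01T09:03:12", "host": "WS01", "user": "alice", "event": "net_connect",
     "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "dest": "198.51.100.23", "port": 443},
    {"ts": "2024-05-01T09:04:00", "host": "WS01", "user": "alice", "event": "net_connect",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest": "198.51.100.77", "port": 443},
    {"ts": "2024-05-01T09:05:00", "host": "WS01", "user": "alice", "event": "net_connect",
     "image": r"C:\Program Files\Backup\agent.exe", "dest": "backup.example-corp.local", "port": 443},
    {"ts": "2024-05-01T11:00:00", "host": "WS02", "user": "bob", "event": "net_connect",
     "image": r"C:\Tools\sync.exe", "dest": "203.0.113.5", "port": 443},
]


def image_name(path):
    """Return the lowercase file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_staging(ev):
    """Evidence point 1: creation of an archive / compressed file."""
    return ev["event"] == "file_create" and ev["target"].lower().endswith(ARCHIVE_EXT)


def is_encrypted_egress(ev):
    """Evidence point 2: outbound connection on a TLS-bearing port."""
    return ev["event"] == "net_connect" and ev["port"] in ENCRYPTED_PORTS


def detect(events, baseline=BASELINE, window=STAGING_WINDOW):
    """Return one alert per non-browser encrypted connection to a destination
    outside the host/user baseline that follows a staging event on the same
    host/user within `window`."""
    staging = [e for e in events if is_staging(e)]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        if not is_encrypted_egress(ev):
            continue
        if image_name(ev["image"]) in BROWSERS:
            continue                      # browsers are out of scope for this analytic
        key = (ev["host"], ev["user"])
        if ev["dest"] in baseline.get(key, set()):
            continue                      # familiar destination for this host/user
        ts = datetime.fromisoformat(ev["ts"])
        prior = [s for s in staging
                 if (s["host"], s["user"]) == key
                 and timedelta(0) <= ts - datetime.fromisoformat(s["ts"]) <= window]
        if not prior:
            continue                      # no recent staging: not the AN1413 sequence
        alerts.append({
            "host": ev["host"], "user": ev["user"], "ts": ev["ts"],
            "image": ev["image"], "dest": ev["dest"], "port": ev["port"],
            "staging": [s["target"] for s in prior],
        })
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['ts']} {a['host']}/{a['user']}: {a['image']} -> "
              f"{a['dest']}:{a['port']} after staging {a['staging']}")
```

Run as a script, the sample set yields a single alert: the unsigned-looking binary in the user's Temp directory connecting to an unfamiliar address three minutes after an archive was written by the same user on the same host. The Chrome connection is excluded by process, the backup agent by the baseline, and the second workstation's sync client because its only staging event is hours old. The window and baseline are where the tuning the bullets call for actually happens; widening either raises recall at the cost of the false positives from updaters and sync clients mentioned above.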

Mitigation priorities

  • Ensure Windows endpoint logging captures process creation, process lineage, file/archive activity, and process-level network connections where feasible.
  • Maintain network egress logging through DNS, proxy, firewall, or equivalent telemetry sources.
  • Define normal encrypted outbound destinations for high-risk hosts and users, especially systems handling sensitive data.
  • Apply egress control and allowlisting principles where operationally practical, with documented exceptions for business services.
  • Use incident response playbooks that preserve endpoint artifacts and network evidence when suspicious encrypted outbound activity follows staging or compression.

Analyst notes and limits

AN1413 is a detection analytic associated with ATT&CK detection strategy DET0512 and applies to Windows. The supplied object does not include tactics, related techniques, relationships, or official detection logic, so this take frames the analytic as a defensive validation pattern rather than a specific rule.

This assessment is limited to the supplied STIX fields, external reference, and lack of relationship context. It does not establish active exploitation, attribution, confirmed coverage, specific tooling, or applicability beyond Windows. Local baselines and telemetry quality are required to determine practical detection value.

Official MITRE ATT&CK definition

Analytic 1413

Detects non-browser processes that establish encrypted outbound connections (e.g., TLS/SSL) to unfamiliar or atypical destinations for the host/user, following a data staging or compression event.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d7027022ce24ffdc...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | d7027022ce24…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack, AN1413 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.