MITRE ATT&CK® Analytic

AN1434: Analytic 1434

Executable or script generating large outbound network traffic targeting remote hosts or known amplification ports

Domain: Enterprise | ID: AN1434 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic highlights a Windows executable or script producing unusually large outbound traffic to remote hosts or known amplification ports. For security leaders, the practical issue is whether the organization can quickly distinguish legitimate high-volume egress from behavior that may indicate abuse of internal systems, policy violations, or participation in disruptive network activity. The value is less about a single alert and more about proving that endpoint and network teams have enough visibility to explain abnormal outbound volume when business continuity or incident response decisions depend on it.

Executive priority

Prioritize this as an egress visibility and response-readiness question: can teams identify which Windows host, user context, process, script, destination, and port are responsible for large outbound traffic? This matters for operational resilience, SOC triage quality, audit evidence around monitoring, and incident containment decisions. Because ATT&CK provides no tactic, relationship context, or official detection logic for this analytic, leaders should treat it as a coverage validation item rather than a complete detection requirement.

Technical view

For SOC and detection engineering teams, validate monitoring for Windows processes or scripts that generate high outbound network volume, especially toward remote hosts or ports known locally to be associated with amplification-style traffic. Useful validation should correlate process execution, command/script context where available, host identity, user/session context, destination IPs, destination ports, byte counts, connection counts, and time windows. Since no official detection logic is supplied, thresholds and allowlists must be environment-specific and tuned against legitimate high-volume applications, software distribution, backup, monitoring, and administrative activity.

Likely telemetry

  • Windows endpoint process execution telemetry
  • Windows script execution telemetry where available
  • Endpoint network connection telemetry with process attribution
  • Network flow records showing outbound byte and connection volume
  • Firewall, proxy, or egress gateway logs

Detection direction

  • Build or validate analytics that identify Windows executables or scripts generating large outbound traffic over a defined time window.
  • Correlate network volume with originating process or script; network-only alerts without process context may be difficult to triage.
  • Tune thresholds by host role and business function to reduce false positives from backups, patching, telemetry agents, content delivery, and administrative tooling.
  • Review traffic to locally defined known amplification ports, but avoid assuming maliciousness from port use alone.
  • Confirm egress monitoring covers direct internet access as well as traffic routed through proxies, VPNs, or cloud egress points.
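The correlation described in the Technical view and Detection direction, as an added example that is not part of the ATT&CK object or Glexia's page: process-attributed outbound connection events are bucketed per host, process and ten-minute window, then flagged when the window exceeds a role-based byte threshold or reaches a locally defined amplification port. The thresholds, allowlist, port list, host roles and sample events are all constructed placeholders, not official values.

```python
"""Added example, not from the ATT&CK object or Glexia's page: bucket process-attributed
outbound connection events per host/process/time window and flag buckets that exceed a
role-based byte threshold or reach locally defined amplification ports."""
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH, WINDOW = datetime(1970, 1, 1), timedelta(minutes=10)
# Environment-specific placeholders (constructed); tune per host role and business function.
ROLE_THRESHOLD_BYTES = {"workstation": 50_000_000, "backup-server": 5_000_000_000}
ALLOWLIST = {("backup-server", "backupagent.exe")}   # (host role, process) pairs
AMPLIFICATION_PORTS = {53, 123, 1900, 11211}         # locally defined list, not an official one

def detect(events, host_roles):
    """events: dicts with ts, host, user, process, dst_ip, dst_port, bytes_out.
    Returns one finding per (host, process, window) with the reasons it fired."""
    agg = defaultdict(lambda: {"bytes": 0, "conns": 0, "dsts": set(), "ports": set(), "users": set()})
    for e in events:
        win = (datetime.fromisoformat(e["ts"]) - EPOCH) // WINDOW   # integer window index
        b = agg[(e["host"], e["process"], win)]
        b["bytes"] += e["bytes_out"]
        b["conns"] += 1
        b["dsts"].add(e["dst_ip"]); b["ports"].add(e["dst_port"]); b["users"].add(e["user"])
    findings = []
    for (host, proc, win), b in sorted(agg.items()):
        role = host_roles.get(host, "workstation")
        if (role, proc) in ALLOWLIST:    # known high-volume role/process pair
            continue
        reasons = []
        if b["bytes"] > ROLE_THRESHOLD_BYTES[role]:
            reasons.append("volume")
        if b["ports"] & AMPLIFICATION_PORTS:   # port use alone is a triage cue, not a verdict
            reasons.append("amplification_port")
        if reasons:
            findings.append({"host": host, "process": proc, "users": sorted(b["users"]),
                             "window_start": (EPOCH + win * WINDOW).isoformat(),
                             "bytes": b["bytes"], "conns": b["conns"], "distinct_dsts": len(b["dsts"]),
                             "ports": sorted(b["ports"]), "reasons": reasons})
    return findings

def ev(ts, host, user, proc, ip, port, nbytes):   # helper to build one constructed event
    return {"ts": ts, "host": host, "user": user, "process": proc, "dst_ip": ip, "dst_port": port, "bytes_out": nbytes}

# Constructed sample telemetry: endpoint connection events with process attribution.
SAMPLE_EVENTS = [ev("2026-03-01T09:01:00", "WS01", "alice", "updater.exe", f"203.0.113.{i}", 443, 15_000_000) for i in range(1, 5)] + [
    ev("2026-03-01T09:02:30", "WS02", "bob", "powershell.exe", "198.51.100.7", 1900, 2_000),
    ev("2026-03-01T09:01:10", "BK01", "svc_backup", "backupagent.exe", "192.0.2.20", 443, 6_000_000_000),
    ev("2026-03-01T09:03:00", "WS01", "alice", "chrome.exe", "203.0.113.50", 443, 1_000_000),
]
SAMPLE_ROLES = {"WS01": "workstation", "WS02": "workstation", "BK01": "backup-server"}
```

On the sample data the allowlisted backup server and the low-volume browser traffic produce nothing, while the updater's 60 MB to four hosts fires on volume and the PowerShell connection fires only because of its destination port.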

Mitigation priorities

  • Establish baseline outbound traffic expectations for Windows endpoints and servers by role.
  • Ensure endpoint and network telemetry can connect high-volume outbound traffic to a process, script, host, and user context.
  • Apply least-privilege and application control principles where appropriate to reduce unauthorized executable or script activity.
  • Review egress filtering and firewall policy so unnecessary outbound access to remote hosts and risky ports is limited.
  • Define incident response playbooks for isolating or rate-limiting a Windows host that is generating unexplained high-volume outbound traffic.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a technique. It is scoped to Windows and describes high outbound traffic from an executable or script targeting remote hosts or known amplification ports. No tactics, relationships, aliases, labels, or official detection logic were supplied, so this take focuses on defensive validation and telemetry requirements rather than specific adversary behavior.

This assessment is limited to the official STIX fields and the single MITRE external reference provided. It does not establish active exploitation, attribution, impact, or existing customer detection coverage. Local baselines, asset roles, egress architecture, and telemetry availability are required to turn this analytic into reliable detection logic.

Official MITRE ATT&CK definition

Analytic 1434

Executable or script generating large outbound network traffic targeting remote hosts or known amplification ports

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: c6537e7e885929b3...

Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle c6537e7e8859…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1434 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.