AN1483: Analytic 1483
Processes such as plink.exe, ssh.exe, or netsh.exe establishing outbound network connections where traffic patterns show encapsulated protocols (e.g., RDP over SSH). Defender observations include anomalous process-to-network relationships, large asymmetric data flows, and port usage mismatches.
Analyst context for executives and security teams
This analytic matters because it focuses on Windows processes making outbound connections that may carry one protocol inside another, such as remote desktop traffic tunneled over SSH. For leaders, the decision value is whether the organization can see and explain unusual process-to-network behavior before it becomes an incident-response blind spot.
Executive priority
Prioritize validation where outbound connectivity, remote administration, and data movement intersect. Security leaders should ask whether SOC teams can distinguish approved tunneling or administrative use from unexpected use of tools such as plink.exe, ssh.exe, or netsh.exe, and whether evidence is retained well enough to support incident decisions, audit questions, and containment planning.
Technical view
For Windows environments, validate visibility into process-to-network relationships involving plink.exe, ssh.exe, netsh.exe, and similar binaries. The supplied ATT&CK description points to three useful detection anchors: anomalous process-to-network pairings, large asymmetric data flows, and port/protocol mismatches. Because no ATT&CK detection logic or tactic mapping is supplied, teams should treat this as an analytic validation target rather than a ready-to-deploy rule.
Likely telemetry
- Windows process execution telemetry with image name, command line, parent process, user, host, and timestamp
- Network connection telemetry mapped to initiating process where available
- Outbound flow records showing destination IP, port, protocol, byte counts, and session duration
- Proxy, firewall, or egress control logs for unusual destination/port combinations
- Remote administration and approved tunneling inventory for comparison against observed activity
Detection direction
- Baseline legitimate use of plink.exe, ssh.exe, netsh.exe, and comparable tools before alerting broadly.
- Correlate process execution with outbound connections and flow size asymmetry rather than relying only on process name.
- Review port usage mismatches, such as traffic patterns inconsistent with the expected protocol for the destination port.
- Tune for known administrative tooling, jump hosts, developer workflows, and sanctioned remote access to reduce false positives.
- Identify blind spots where network sensors cannot map connections back to processes or where encrypted traffic prevents protocol inference.
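The correlation this list describes, written out as an added example (not part of the ATT&CK object or Glexia's own tooling): flows are joined to the initiating process on host and pid, baselined jump-host use is tuned out, and an alert requires more than the process name alone. All telemetry below is constructed, and the field names, thresholds and approved-host list are assumptions.

```python
# Constructed sample telemetry and assumed field names; thresholds are illustrative.
TUNNEL_TOOLS = {"plink.exe", "ssh.exe", "netsh.exe"}
APPROVED = {("ssh.exe", "10.20.0.5")}          # sanctioned (image, jump host) pairs
EXPECTED_PORTS = {"plink.exe": {22}, "ssh.exe": {22}}  # other ports = port mismatch
ASYMMETRY = 5.0        # out:in (or in:out) byte ratio that counts as "large asymmetric"
MIN_BYTES = 1_000_000  # ignore small flows when judging asymmetry
MIN_ANCHORS = 2        # alert only when more than the process name is suspicious

PROCESS_EVENTS = [  # constructed process execution telemetry
    {"host": "WS01", "pid": 4120, "image": "plink.exe", "user": "jdoe"},
    {"host": "WS01", "pid": 4200, "image": "ssh.exe", "user": "admin"},
    {"host": "WS02", "pid": 5001, "image": "chrome.exe", "user": "asmith"},
]
FLOW_RECORDS = [  # constructed flows already mapped to the initiating pid
    {"host": "WS01", "pid": 4120, "dst_ip": "203.0.113.7", "dst_port": 443,
     "bytes_out": 48_000_000, "bytes_in": 900_000},
    {"host": "WS01", "pid": 4200, "dst_ip": "10.20.0.5", "dst_port": 22,
     "bytes_out": 30_000, "bytes_in": 25_000},
    {"host": "WS02", "pid": 5001, "dst_ip": "198.51.100.9", "dst_port": 443,
     "bytes_out": 200_000, "bytes_in": 9_000_000},
]

def anchors(proc, flow):
    """Return the detection anchors a single process/flow pair trips."""
    hits = []
    if proc["image"] in TUNNEL_TOOLS:
        hits.append("tunnel-capable process opened an outbound connection")
        expected = EXPECTED_PORTS.get(proc["image"])
        if expected and flow["dst_port"] not in expected:
            hits.append(f"port mismatch: {proc['image']} -> tcp/{flow['dst_port']}")
    hi, lo = sorted((flow["bytes_out"], flow["bytes_in"]), reverse=True)
    if hi >= MIN_BYTES and (lo == 0 or hi / lo >= ASYMMETRY):
        hits.append(f"asymmetric flow: out={flow['bytes_out']} in={flow['bytes_in']}")
    return hits

def detect(process_events, flow_records):
    """Join flows to processes on (host, pid), drop baselined pairs, score the rest."""
    procs = {(p["host"], p["pid"]): p for p in process_events}
    findings = []
    for flow in flow_records:
        proc = procs.get((flow["host"], flow["pid"]))
        if proc is None:
            continue  # blind spot: flow cannot be mapped back to a process
        if (proc["image"], flow["dst_ip"]) in APPROVED:
            continue  # sanctioned administrative use, tuned out
        hits = anchors(proc, flow)
        if len(hits) >= MIN_ANCHORS:
            findings.append({"host": proc["host"], "user": proc["user"], "image": proc["image"],
                             "dst": f"{flow['dst_ip']}:{flow['dst_port']}", "anchors": hits})
    return findings
```

Running `detect(PROCESS_EVENTS, FLOW_RECORDS)` yields a single finding for the plink.exe flow (three anchors), while the approved ssh.exe session and the browser download with an asymmetric but otherwise unremarkable flow produce none.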
Mitigation priorities
- Establish or update policy for approved tunneling, remote administration, and outbound SSH-like connectivity.
- Limit unnecessary outbound access from Windows endpoints and servers using egress controls appropriate to business need.
- Maintain an inventory of authorized remote access tools and expected destinations.
- Improve endpoint and network telemetry correlation so incident responders can link a process, user, host, and external connection quickly.
- Use findings from validation to support compliance evidence around monitoring, egress control, and incident response readiness.
Analyst notes and limits
The object is a detection analytic in the enterprise ATT&CK domain for Windows. It describes observable behavior around outbound connections and encapsulated protocols but does not include official detection logic, tactic mapping, labels, aliases, or relationship context.
Assessment is limited to the supplied ATT&CK fields and external reference. No active exploitation, threat actor attribution, impact level, or coverage guarantee is implied. Local baselines, approved tool usage, and available endpoint/network telemetry are required to determine practical detection value.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 701e36e1055c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1483
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.