MITRE ATT&CK® Analytic

AN1511: Analytic 1511

Processes that normally do not initiate network communications suddenly making outbound HTTPS connections with high outbound-to-inbound data ratios. Defender view: correlation between process creation logs (e.g., Word, Excel, PowerShell) and subsequent anomalous network traffic volumes toward common web services (Dropbox, Google Drive, OneDrive).

Domain: Enterprise | ID: AN1511 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it highlights a common business-risk pattern: desktop or scripting processes that normally should not move much data suddenly sending large amounts over HTTPS to common web services. For leaders, the value is not in blocking Dropbox, Google Drive, or OneDrive by default; it is in knowing whether the organization can notice unusual data movement from Windows endpoints before it becomes an incident-response or compliance problem.

Executive priority

Prioritize this as a validation question for endpoint, network, and data-movement visibility: can the SOC correlate Windows process activity with outbound HTTPS volume by destination service? If not, investigations involving suspected data loss, misuse of cloud storage, or unusual PowerShell/Office behavior may depend on incomplete evidence. This is also relevant to audit readiness because it tests whether monitoring can connect user/process context to network activity, rather than only logging domains or firewall events in isolation.

Technical view

The supplied ATT&CK analytic is Windows-focused and describes correlation between process creation logs, such as Word, Excel, or PowerShell, and later anomalous outbound HTTPS traffic with high outbound-to-inbound ratios toward common web services including Dropbox, Google Drive, and OneDrive. SOC and detection teams should validate whether process creation telemetry can be joined to network telemetry by host, user, process, time window, destination, and traffic volume. Because ATT&CK does not provide a formal detection body or tactic mapping for this object, local baselining is required to define which processes are expected to communicate externally and what volume ratios are unusual.

Likely telemetry

  • Windows process creation logs with process name, command line where available, user, host, parent process, and timestamp
  • Endpoint network connection telemetry linking outbound HTTPS activity to initiating process where available
  • Proxy, firewall, DNS, or secure web gateway logs showing destination services and traffic volume
  • Network flow records with bytes sent, bytes received, destination, protocol, and timing
  • Cloud/web-service access logs where available for Dropbox, Google Drive, OneDrive, or equivalent approved services

Detection direction

  • Validate correlation coverage between process creation and outbound HTTPS volume; network-only alerts may miss the process context that makes this analytic useful.
  • Baseline normal external communication patterns for Office applications, PowerShell, and other Windows processes before alerting on volume alone.
  • Tune for high outbound-to-inbound ratios and unusual destinations, while accounting for legitimate business workflows such as document sync, uploads, backups, and collaboration tools.
  • Review whether encrypted HTTPS traffic still provides enough metadata, such as destination, process, and byte counts, to support detection without relying on payload inspection.
  • Because no ATT&CK relationships or tactic mapping are supplied, avoid over-scoping this analytic to a specific adversary behavior without corroborating local evidence.
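The correlation described in the technical view and the baselining and ratio tuning listed under detection direction, shown as a small worked example. This code is added here and is not part of the Glexia page or of MITRE ATT&CK. The process events and flow records are constructed sample data, the expected-uploader list and destination suffixes are placeholder assumptions that a real deployment would derive from local baselining, and the window, byte and ratio thresholds are illustrative.

```python
"""
Added example (not from the page or from MITRE): join Windows process
creation events to outbound HTTPS flow records by host and PID within a
time window, aggregate bytes per process, and flag processes that are not
expected to upload but show a high outbound-to-inbound byte ratio toward
common cloud storage services. All data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process creation events (Sysmon EID 1 / Security 4688 style fields).
PROCESS_EVENTS = [
    {"host": "WS01", "user": "alice", "pid": 4120, "image": "WINWORD.EXE",
     "parent": "explorer.exe", "ts": "2024-05-01T09:00:00"},
    {"host": "WS01", "user": "alice", "pid": 4388, "image": "powershell.exe",
     "parent": "WINWORD.EXE", "ts": "2024-05-01T09:01:10"},
    {"host": "WS02", "user": "bob", "pid": 2210, "image": "OneDrive.exe",
     "parent": "explorer.exe", "ts": "2024-05-01T08:30:00"},
]

# Constructed flow records that already carry the initiating PID (for example
# Sysmon EID 3 joined to proxy byte counts). bytes_out is client-to-server.
FLOW_RECORDS = [
    {"host": "WS01", "pid": 4388, "dst": "content.dropboxapi.com", "dport": 443,
     "bytes_out": 52_000_000, "bytes_in": 40_000, "ts": "2024-05-01T09:03:00"},
    {"host": "WS01", "pid": 4120, "dst": "officecdn.microsoft.com", "dport": 443,
     "bytes_out": 12_000, "bytes_in": 900_000, "ts": "2024-05-01T09:00:20"},
    {"host": "WS02", "pid": 2210, "dst": "my.sharepoint.com", "dport": 443,
     "bytes_out": 30_000_000, "bytes_in": 200_000, "ts": "2024-05-01T08:40:00"},
]

# Placeholder local baseline: processes that are expected to upload to cloud
# storage in this environment. Must be derived from local telemetry, not copied.
EXPECTED_UPLOADERS = {"onedrive.exe", "dropbox.exe", "googledrivefs.exe"}

# Placeholder destination suffixes for the services the analytic names.
CLOUD_STORAGE_SUFFIXES = ("dropbox.com", "dropboxapi.com", "drive.google.com",
                          "googleapis.com", "sharepoint.com", "onedrive.com")


def is_cloud_storage(dst):
    """Suffix match on the destination host name."""
    return dst.lower().endswith(CLOUD_STORAGE_SUFFIXES)


def correlate(process_events, flow_records, window=timedelta(minutes=30),
              ratio_threshold=10.0, min_bytes_out=10_000_000):
    """Return alerts for unexpected processes with a high out/in byte ratio
    toward cloud storage. Flows without process context are dropped, which is
    exactly the gap the analytic warns about for network-only telemetry."""
    proc_index = {(e["host"], e["pid"]): e for e in process_events}

    totals = defaultdict(lambda: {"out": 0, "in": 0, "dsts": set()})
    for f in flow_records:
        if f["dport"] != 443 or not is_cloud_storage(f["dst"]):
            continue
        proc = proc_index.get((f["host"], f["pid"]))
        if proc is None:
            continue  # no process context: cannot attribute this flow
        start = datetime.fromisoformat(proc["ts"])
        seen = datetime.fromisoformat(f["ts"])
        if not (start <= seen <= start + window):
            continue  # outside the window: likely PID reuse or stale flow
        key = (f["host"], f["pid"])
        totals[key]["out"] += f["bytes_out"]
        totals[key]["in"] += f["bytes_in"]
        totals[key]["dsts"].add(f["dst"])

    alerts = []
    for key, t in totals.items():
        proc = proc_index[key]
        if proc["image"].lower() in EXPECTED_UPLOADERS:
            continue  # baselined sync client; tune, do not alert on volume alone
        ratio = t["out"] / max(t["in"], 1)
        if t["out"] >= min_bytes_out and ratio >= ratio_threshold:
            alerts.append({
                "host": proc["host"], "user": proc["user"], "image": proc["image"],
                "parent": proc["parent"], "pid": key[1],
                "bytes_out": t["out"], "bytes_in": t["in"],
                "ratio": round(ratio, 1), "destinations": sorted(t["dsts"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(PROCESS_EVENTS, FLOW_RECORDS):
        print(alert)
```

With the constructed data, only the PowerShell process spawned by Word on WS01 is flagged: Word itself talks to a non-storage CDN and is skipped, and the OneDrive client on WS02 uploads heavily but is in the expected-uploader baseline. The alert keeps host, user, parent process and destinations so an analyst can pivot without going back to raw logs.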

Mitigation priorities

  • Ensure Windows endpoint logging captures process creation and, where possible, process-linked network activity.
  • Maintain network, proxy, DNS, or flow telemetry with byte counts and sufficient retention for incident response.
  • Define approved cloud storage and collaboration services, then monitor unusual upload behavior by process, user, and host.
  • Use policy and access controls for cloud storage where business requirements support them, but pair controls with monitoring for exceptions and unmanaged paths.
  • Document detection assumptions and evidence sources so SOC, IR, compliance, and risk teams understand what this analytic can and cannot prove.

Analyst notes and limits

This object is a detection analytic, not a technique or procedure. It is strongest as a coverage-assessment prompt: can defenders connect Windows process behavior to anomalous outbound HTTPS volume toward common web services? The examples named by ATT&CK are Word, Excel, PowerShell, Dropbox, Google Drive, and OneDrive; broader service or process lists should be derived from the local environment.

Official detection logic is not provided, tactics are not specified, and no relationship context is supplied. The analytic does not by itself establish malicious intent, attribution, active exploitation, or impact. False positives are likely without local baselines for collaboration, sync, automation, and administrative activity.

Official MITRE ATT&CK definition

Analytic 1511

Processes that normally do not initiate network communications suddenly making outbound HTTPS connections with high outbound-to-inbound data ratios. Defender view: correlation between process creation logs (e.g., Word, Excel, PowerShell) and subsequent anomalous network traffic volumes toward common web services (Dropbox, Google Drive, OneDrive).

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not shown in this snapshot)
Modified: (not shown in this snapshot)
Raw hash: e95332aa9dd670f8...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1      (not shown)       1.0              (not shown) Current bundle  e95332aa9dd6…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1511 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.