AN1512: Analytic 1512
Processes (tar, curl, python scripts) accessing large file sets and initiating outbound HTTPS POST requests with payload sizes inconsistent with baseline activity. Defender perspective: detect abnormal sequence of file archival followed by encrypted uploads to external web services.
Analyst context for executives and security teams
This analytic matters because it focuses on a business-critical pattern: large-scale file collection or archiving followed by encrypted outbound upload from Linux systems. For leaders, the decision value is not the specific tools named, but whether the organization can prove it would notice unusual bulk data movement before it becomes an incident-response, legal, or continuity problem.
Executive priority
Prioritize this where Linux systems store sensitive data, operational data, source code, backups, or regulated records. Executives should ask whether SOC teams have enough endpoint, file-access, and network telemetry to distinguish normal administrative transfers from unusual archival plus HTTPS POST activity. This can support incident decision-making, data protection assurance, and audit evidence around monitoring of potential unauthorized data movement.
Technical view
Validate whether Linux telemetry can correlate process behavior such as tar, curl, or python scripts accessing large file sets with subsequent outbound HTTPS POST requests whose payload sizes deviate from local baselines. Because no ATT&CK tactic or relationship context is supplied, treat this as a behavior-focused detection analytic rather than a complete technique mapping. Detection engineering should emphasize sequencing, volume, destination context, and baseline comparison, not tool names alone.
Likely telemetry
- Linux process execution telemetry, including command line where available
- File access or file enumeration telemetry showing large file-set access or archival activity
- Network connection metadata for outbound HTTPS sessions
- HTTP method and request-size metadata where available, especially POST payload size
- Destination domain, IP, reputation, and external web service context
Detection direction
- Correlate archival or scripted file access with outbound HTTPS POST activity within a defensible time window.
- Baseline normal payload sizes and transfer destinations per host role, user, and application to reduce false positives.
- Tune for legitimate backup, software deployment, data engineering, and administrative workflows that may use tar, curl, or python at scale.
- Do not rely only on process names; renamed binaries, custom scripts, or other archiving/upload utilities may create similar behavior.
- Assess visibility gaps caused by encrypted HTTPS content, limited endpoint logging, missing command-line capture, or lack of HTTP metadata.
Mitigation priorities
- Inventory Linux systems that hold sensitive or operationally important data and confirm monitoring coverage first.
- Establish baselines for normal archive creation and outbound upload behavior on those systems.
- Restrict and review outbound web access from servers where broad external HTTPS POST activity is not operationally required.
- Apply least-privilege access to sensitive file repositories so bulk access is harder to perform unnoticed.
- Ensure incident response playbooks cover rapid validation of large outbound transfers, involved accounts, accessed file paths, and destination services.
Analyst notes and limits
The supplied object is a detection analytic for Linux with a concise behavioral description and no separate official detection text. The strongest use is as a validation prompt: can the SOC correlate large file access or archival with abnormal encrypted upload behavior? Local baselines are essential because legitimate administrative and automation activity can look similar.
No tactics, relationships, procedure examples, adversary attribution, or active exploitation claims were supplied. The object names example processes but does not define complete detection logic, thresholds, time windows, data sources, or supported products. Environment-specific telemetry and business context are required before judging coverage or severity.
Analytic 1512
Processes (tar, curl, python scripts) accessing large file sets and initiating outbound HTTPS POST requests with payload sizes inconsistent with baseline activity. Defender perspective: detect abnormal sequence of file archival followed by encrypted uploads to external web services.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 696cff08ae2b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1512Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.