AN1600: Analytic 1600
Curl, wget, or custom HTTP clients initiated by uncommon user accounts or cron jobs to popular web services, with no observed response parsing logic.
Analyst context for executives and security teams
This analytic is about spotting Linux systems where curl, wget, or custom HTTP clients are launched by unusual user accounts or cron jobs to contact popular web services, without signs that the response is being parsed. For leaders, the value is not the tool name; curl and wget are normal administration utilities. The decision value is whether the organization can distinguish routine automation from suspicious outbound HTTP activity running under unexpected identities or schedules.
Executive priority
Prioritize this as a Linux monitoring and operational resilience question: do SOC and IR teams have enough process, user, cron, and network visibility to explain outbound HTTP activity from servers and service accounts? This can support incident triage, audit evidence for monitoring coverage, and control decisions around least privilege and scheduled job governance. Because ATT&CK provides no tactic, relationship context, or official detection text for this analytic, it should be treated as a validation prompt rather than a complete detection strategy.
Technical view
Validate whether Linux telemetry can correlate process execution for curl, wget, or custom HTTP clients with the executing user account, parent process, cron context, destination service, and observable handling of responses. Detection engineering should focus on uncommon user accounts, unexpected cron-originated executions, and outbound connections to popular web services where command lines or surrounding activity do not show normal response parsing logic. Tune carefully because legitimate package retrieval, monitoring checks, backups, webhooks, and administrative scripts may look similar.
Likely telemetry
- Linux process execution events including command line, parent process, user, and working directory
- Cron or scheduled job definitions and execution logs
- Outbound network connection logs or proxy/DNS records showing HTTP/S destinations
- Authentication or account inventory context to identify uncommon user accounts
- Script or shell execution context around the HTTP client invocation
Detection direction
- Baseline expected curl, wget, and HTTP client usage by host role, user account, and scheduled job.
- Alert on executions from uncommon users or cron jobs when the destination and command context are not tied to known automation.
- Correlate process telemetry with network, DNS, and proxy evidence rather than relying on command names alone.
- Review false positives from administrative scripts, health checks, software updates, deployment tooling, and monitoring integrations.
- Document blind spots where command-line logging, cron visibility, proxy logging, or account ownership data is incomplete.
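The triage logic described above, as an added example that is not part of this page or of ATT&CK's own analytic: a small Python heuristic that scores constructed Linux process events on the three conditions the analytic names (uncommon user or cron origin, popular web service destination, no observable response handling on the command line). The baseline, service list, parser set and all sample events are assumptions for illustration.

```python
import os
import shlex
from urllib.parse import urlparse

HTTP_CLIENTS = {"curl", "wget"}
CRON_PARENTS = {"cron", "crond", "CRON", "anacron"}
# Downstream commands that show the response body is consumed; illustrative, extend per site.
PARSERS = {"jq", "grep", "awk", "sed", "cut", "python3", "perl", "xmllint", "tar"}

def response_is_handled(cmdline):
    """Command-line-only heuristic: True if the body is piped into a parser or written to a
    real file; stdout under cron, /dev/null and '-O -' count as no observed parsing.
    Combined short flags such as wget's -qO- are not decoded (a known blind spot)."""
    stages = [shlex.split(s) for s in cmdline.split("|")]
    if any(st and os.path.basename(st[0]) in PARSERS for st in stages[1:]):
        return True
    argv = stages[0]
    for i, tok in enumerate(argv):
        if tok in ("-o", "-O", "--output", "--output-document"):
            return i + 1 < len(argv) and argv[i + 1] not in ("/dev/null", "-")
    return os.path.basename(argv[0]) == "wget"  # wget saves a file by default; curl prints

def triage(event, baseline, services):
    """None for non-HTTP-client events; otherwise a verdict where 'alert' is the analytic's
    conjunction: unexpected origin AND popular destination AND no response handling."""
    argv = shlex.split(event["cmdline"].split("|")[0])
    if not argv or os.path.basename(argv[0]) not in HTTP_CLIENTS:
        return None
    url = next((t for t in argv if t.startswith(("http://", "https://"))), "")
    host = (urlparse(url).hostname or "").lower()
    known_users = {user for user, _ in baseline}
    unexpected = (event["user"], event["parent"]) not in baseline and (
        event["parent"] in CRON_PARENTS or event["user"] not in known_users)
    popular = any(host == s or host.endswith("." + s) for s in services)
    handled = response_is_handled(event["cmdline"])
    return {"host": host, "unexpected_origin": unexpected, "popular_service": popular,
            "response_handled": handled, "alert": unexpected and popular and not handled}

# Constructed sample events, baseline and service list (not real telemetry or a real allowlist).
BASELINE = {("svc-monitor", "cron"), ("deploy", "bash")}  # approved (user, parent) automation
POPULAR = ("github.com", "pastebin.com", "drive.google.com", "dropbox.com")
EVENTS = [
    {"user": "svc-monitor", "parent": "cron",
     "cmdline": "curl -s https://api.github.com/repos/acme/app/releases/latest | jq -r .tag_name"},
    {"user": "deploy", "parent": "bash",
     "cmdline": "wget -q https://dl.vendor.example/pkg-1.2.tgz -O /tmp/pkg.tgz"},
    {"user": "www-data", "parent": "cron",
     "cmdline": "curl -s -o /dev/null https://pastebin.com/raw/EXAMPLE"},
    {"user": "games", "parent": "bash",
     "cmdline": "curl -s https://drive.google.com/uc?id=EXAMPLE"},
]
```

Only the last two constructed events satisfy all three conditions; the first is covered by the baseline and the second neither targets a listed service nor discards its download, which is the false-positive class the tuning advice above refers to.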
Mitigation priorities
- Establish ownership and review processes for Linux cron jobs and service-account automation.
- Apply least privilege to service accounts and remove unused or unexplained scheduled jobs.
- Improve logging for Linux process execution, cron activity, and outbound web traffic where gaps exist.
- Use egress governance and proxy/DNS visibility to make unexpected outbound HTTP activity reviewable.
- Maintain allowlists for approved automation, but require periodic validation so stale jobs do not become blind spots.
Analyst notes and limits
The supplied object is a detection analytic for Linux only. It describes a behavioral pattern involving curl, wget, or custom HTTP clients used by uncommon accounts or cron jobs against popular web services, with no observed response parsing logic. No tactics, relationships, aliases, labels, or official detection procedure were supplied, so this take emphasizes validation and coverage assessment rather than a definitive analytic implementation.
This assessment is limited to the provided ATT&CK fields and external reference. It does not establish adversary use, impact, attribution, prevalence, or guaranteed detectability. Local baselines, account ownership records, scheduled job inventories, and telemetry quality are required to determine whether this behavior is suspicious in a given environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b8bbb937edf3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1600 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.