MITRE ATT&CK® Analytic

AN1999: Analytic 1999

Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)). Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Enterprise · AN1999 · Analytic · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

AN1999 is a detection analytic focused on spotting network traffic that does not behave like the protocol it claims to use, or network flows from processes that normally should not communicate. For leaders, its value is in validating whether the organization can notice suspicious communications before they become a larger incident, especially where abnormal protocol structure, unexpected packet flows, or unusual process-to-network behavior may be early warning signs.

Executive priority

Prioritize this analytic as a coverage validation question: do security teams have enough network visibility and endpoint context to distinguish expected business traffic from unusual protocol behavior? The business decision value is strongest for SOC readiness, incident triage, and compliance evidence showing that network monitoring is not limited to volume or destination checks, but can also identify anomalous flow structure and unexpected communicating processes.

Technical view

ATT&CK describes monitoring traffic patterns and packet inspection for protocol behavior that does not follow expected standards or flows, including extraneous packets outside established flows, gratuitous or anomalous traffic, and anomalous syntax or structure. It also recommends correlating network observations with process monitoring and command-line activity, especially when files or processes that do not normally initiate connections begin communicating. Because no tactics, technique relationships, or official detection logic are supplied, teams should treat AN1999 as a detection strategy to validate rather than a complete rule.

Likely telemetry

  • Network traffic metadata and flow records
  • Packet inspection or protocol parsing data where available
  • Evidence of packets or traffic that do not belong to established flows
  • Endpoint process creation telemetry
  • Process-to-network connection telemetry

Detection direction

  • Validate that network monitoring can identify uncommon data flows and protocol syntax or structure anomalies, not only known-bad indicators.
  • Correlate anomalous traffic with endpoint process and command-line telemetry to determine whether the communicating process is expected for that protocol or environment.
  • Tune against known business services, scanners, monitoring tools, and unusual but approved applications that may generate nonstandard traffic patterns.
  • Look for blind spots where packet inspection is unavailable, flow data lacks process attribution, or endpoint telemetry cannot be joined to network events.
  • Use local baselines carefully: 'never seen before' or 'does not normally communicate' requires environment-specific history to avoid excessive false positives.
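
Putting the correlation step into code, as an added example that is not MITRE's or Glexia's: it joins constructed, process-attributed connection records against a hypothetical per-process baseline and applies the three AN1999 signals (a process never seen on the network, a process outside its baselined protocol/port, and traffic outside an established flow or with malformed protocol structure). The process names, the baseline contents and the minimal DNS header check are constructed assumptions, not values from the page.

```python
from dataclasses import dataclass
import struct

@dataclass
class Conn:
    process: str    # image name from endpoint process telemetry
    cmdline: str    # command line, carried along for analyst triage
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes  # first client-to-server bytes from packet capture
    syn_seen: bool  # TCP only: whether the sensor observed the handshake

# Constructed baseline (hypothetical): protocol/port pairs each process has
# historically initiated in this environment; absent processes are "never seen".
BASELINE = {
    "chrome.exe": {("tcp", 80), ("tcp", 443), ("udp", 443)},
    "svchost.exe": {("udp", 53), ("tcp", 443)},
}

def dns_query_well_formed(payload: bytes) -> bool:
    """Client DNS query structure: 12-byte header, QR=0, opcode 0, one question, no answers."""
    if len(payload) < 12:
        return False
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", payload[:12])
    return (flags >> 15) == 0 and ((flags >> 11) & 0xF) == 0 and qdcount == 1 and ancount == 0

def evaluate(conn: Conn) -> list[str]:
    """Apply the AN1999 checks to one joined record; an empty list means expected."""
    findings = []
    if conn.process not in BASELINE:
        findings.append("process never seen initiating network connections")
    elif (conn.proto, conn.dport) not in BASELINE[conn.process]:
        findings.append(f"process not baselined for {conn.proto}/{conn.dport}")
    if conn.proto == "tcp" and not conn.syn_seen:
        findings.append("tcp segment outside any established flow")
    if conn.proto == "udp" and conn.dport == 53 and not dns_query_well_formed(conn.payload):
        findings.append("udp/53 payload does not parse as a DNS query")
    return findings

def triage(conns: list[Conn]) -> dict[str, list[str]]:
    """Keep only records with findings, keyed by process and command line for the analyst."""
    return {f"{c.process} [{c.cmdline}]": f for c in conns if (f := evaluate(c))}

# Constructed sample records: two expected, two anomalous.
GOOD_DNS = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"
SAMPLE = [
    Conn("chrome.exe", "chrome.exe --type=renderer", "tcp", 443, b"\x16\x03\x01", True),
    Conn("svchost.exe", "svchost.exe -k NetworkService", "udp", 53, GOOD_DNS, True),
    Conn("notepad.exe", "notepad.exe notes.txt", "udp", 53, b"GET / HTTP/1.1\r\n", True),
    Conn("svchost.exe", "svchost.exe -k netsvcs", "tcp", 8443, b"", False),
]
```

Running `triage(SAMPLE)` returns only the two anomalous records, each with the reasons it was flagged, which is the host-plus-network context the triage workflow needs before escalation.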

Mitigation priorities

  • Establish or improve collection of network flow, packet/protocol inspection, process creation, command-line, and process network-connection telemetry.
  • Define baselines for normal protocol behavior and expected process-to-network communication for key environments.
  • Create SOC triage workflows that join network anomalies to host context before escalation.
  • Document detection assumptions and visibility gaps for audit, compliance, and incident response readiness.
  • Review exceptions regularly so approved but unusual traffic does not mask genuinely anomalous behavior.

Analyst notes and limits

This object is a detection analytic, not a specific ATT&CK technique. Its practical value depends on whether the organization can combine network-level anomaly evidence with endpoint process and command-line context. The supplied platform is PRE and no tactics or relationships were provided, so the take remains focused on general enterprise detection validation rather than a specific attack stage.

The official object provides a description but no separate official detection field, no ATT&CK tactic mapping, and no relationship context. No claims can be made about active exploitation, actor use, impact, or guaranteed coverage. Local baselines and telemetry availability are required to operationalize this analytic.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d397494b8cca6a95...

Imported snapshots across ATT&CK releases (1)

  Release   Bundle imported   Object version   Modified   Status           Raw hash
  19.1                        1.0                         Current bundle   d397494b8cca…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1999 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.