AN2031: Analytic 2031

Detection of HTTP outbound requests with inconsistent or spoofed User-Agent headers from command-line tools (e.g., curl, wget, python requests) following interactive user shells or scheduled jobs outside of normal user session behavior.

EnterpriseAN2031AnalyticObject v1.0 Modified Oct 24, 2025, 15:04 UTC (UTC+00:00)

This analytic focuses on Linux systems making outbound HTTP requests where command-line tools such as curl, wget, or Python requests appear to use inconsistent or spoofed User-Agent headers, especially after interactive shells or scheduled jobs. For leaders, the value is not the header itself; it is whether the organization can distinguish normal automation from suspicious command-line web activity that may indicate unauthorized tooling, scripts, or post-compromise behavior.

Executive priority

Prioritize this as a validation point for Linux monitoring, egress visibility, and SOC triage quality. The business question is whether teams can explain outbound HTTP activity from servers and workstations, especially when it originates outside expected user sessions or approved scheduled jobs. This supports incident decision-making, compliance evidence around monitoring, and resilience of Linux-hosted services where unmanaged scripts or unobserved egress can create investigation blind spots.

Technical view

SOC and detection engineering teams should validate whether Linux process execution, shell activity, scheduled job execution, and outbound HTTP telemetry can be correlated. The analytic is aimed at requests from command-line tools with User-Agent values that do not match the expected tool behavior or normal local baselines. Because no official detection logic is supplied, implementation should be environment-specific and tuned around known automation, package management, monitoring scripts, backup jobs, and administrative workflows.

Likely telemetry

Linux process creation events showing command-line execution of tools such as curl, wget, or Python-based HTTP clients
Parent-child process context for interactive shells and scheduled job execution
Scheduled task or job telemetry, such as cron or other Linux job runners where available
Outbound HTTP request metadata, including destination, timestamp, method where available, and User-Agent header
Network proxy, web gateway, firewall, or egress logs capable of preserving HTTP header information

Detection direction

Correlate outbound HTTP requests with Linux process execution and parent process context rather than relying on User-Agent strings alone.
Build allowlists or baselines for approved automation that legitimately uses curl, wget, or Python requests, including scheduled jobs and operational scripts.
Look for mismatch patterns, such as a command-line client presenting a browser-like or otherwise unusual User-Agent, but treat this as a triage signal requiring supporting context.
Tune for known administrative and infrastructure workflows to reduce false positives from patching, monitoring, deployment, and data transfer jobs.
Identify blind spots where proxy logs do not retain User-Agent headers, Linux hosts do not provide process telemetry, or scheduled job execution is not centrally logged.

Mitigation priorities

Establish an inventory of approved Linux automation that performs outbound HTTP requests and document expected destinations and User-Agent behavior where practical.
Improve Linux endpoint logging for process creation, shell activity, and scheduled job execution before relying on this analytic for response decisions.
Ensure outbound HTTP telemetry from proxies, gateways, or firewalls is retained with sufficient metadata to support correlation.
Apply egress governance so Linux systems have only the outbound access required for business and operational needs.
Use incident response playbooks that verify process lineage, job ownership, destination legitimacy, and change history before escalating or closing alerts.

Analyst notes and limits

ATT&CK provides this as detection analytic AN2031 for Linux and describes the behavioral focus, but does not supply detection logic, tactics, relationships, or associated techniques in the provided fields. The strongest defensive value comes from correlating host and network evidence to separate sanctioned automation from suspicious command-line web activity.

Coverage cannot be inferred from this object alone. The supplied data does not identify affected tactics, related techniques, threat actors, malware, or mitigations. Local baselines, approved job inventories, and available HTTP header/process telemetry are required to implement and assess this analytic.

Official MITRE ATT&CK definition

Analytic 2031

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 23, 2025, 14:24 UTC (UTC+00:00)
Modified: Oct 24, 2025, 15:04 UTC (UTC+00:00)
Raw hash: cdc8e408ab6dc3a7...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Oct 24, 2025, 15:04 UTC (UTC+00:00)	Current bundle	`cdc8e408ab6d…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN2031
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use