AN2050: Analytic 2050
Monitor for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.
Monitor for hosts enumerating network connected resources using non-ICS enterprise protocols.
Analyst context for executives and security teams
This analytic matters because scanning with ordinary enterprise protocols can be an early sign that a host is mapping reachable systems inside or around an ICS environment. For leaders, the key decision is whether the organization can see a newly started process begin connecting to many systems, especially where enterprise IT visibility overlaps with operational technology networks.
Executive priority
Prioritize this as a visibility and resilience question for ICS-connected environments: can security teams prove they collect enough process and network evidence to identify host enumeration before it becomes a larger operational incident? This supports SOC readiness, incident triage, segmentation validation, and compliance evidence around monitoring of systems that could affect cyber-physical operations.
Technical view
Validate whether process creation telemetry can be joined to network connection data closely enough to identify new processes that scan or connect to multiple systems. Because no ATT&CK platform, tactic, or relationship context is supplied, tune this around the local ICS/enterprise boundary architecture and known administrative behavior. Focus on hosts enumerating network-connected resources over non-ICS enterprise protocols (for example SMB, RPC, RDP, SSH, SNMP, or HTTP management interfaces rather than Modbus, DNP3, or S7), and confirm the SOC can distinguish expected management, inventory, backup, or vulnerability scanning activity from unusual process-driven enumeration.
Likely telemetry
- Process creation events with process name, path, command line, user, parent process, and host
- Network connection records showing source host, destination systems, ports/protocols, timestamps, and connection counts
- Host-to-host communication summaries or flow data for identifying one-to-many connection patterns
- Asset inventory or network zone context to distinguish ICS, enterprise, and boundary systems
- Known authorized scanning, administration, and inventory tool activity for allowlisting or comparison
Detection direction
- Correlate new or uncommon process starts with a burst of connections to multiple systems over non-ICS enterprise protocols.
- Baseline legitimate administrative, asset discovery, vulnerability scanning, backup, and monitoring tools to reduce false positives.
- Look for source hosts that do not normally enumerate many peers, especially near ICS/enterprise boundaries or within sensitive operational network segments.
- Validate time-window and threshold logic locally; overly broad connection-count rules may alert on normal management activity, while narrow rules may miss slower enumeration.
- Confirm analysts can pivot from a process to its user, parent process, destination set, and asset criticality during triage.
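The correlation described in the technical view and the detection direction above, as an added example that is not part of the ATT&CK object or of Glexia's tooling: it joins Sysmon-style process-creation records to network-connection records by host and PID (choosing the most recent start at or before the connection, so a reused PID is not mis-attributed), keeps only destinations on enterprise ports, counts distinct peers inside a window after process start, and suppresses allowlisted scanners. The event field names, the port sets, the allowlist entries, the 5-minute window, the threshold of 10 hosts, and all sample events are constructed assumptions for illustration and must be replaced with local telemetry and baselines.

```python
"""Correlate process creation with network connections to flag a new process
that fans out to many peers over non-ICS enterprise protocols.

Added example; not MITRE or Glexia code. Event shape, port sets, allowlist,
window, threshold and sample data are assumptions to be tuned locally.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: ports the SOC treats as enterprise (non-ICS) protocols.
ENTERPRISE_PORTS = {22, 80, 135, 139, 161, 443, 445, 3389, 5985, 5986}
# Assumption: ICS protocol ports; this analytic deliberately ignores them.
ICS_PORTS = {102, 502, 4840, 20000, 44818, 47808}
# Assumption: approved scanner identities as (image path, user), lowercase.
ALLOWLIST = {(r"c:\program files\tenable\nessus\nessusd.exe", r"corp\svc_vulnscan")}


def classify_port(port):
    """Bucket a destination port as 'ics', 'enterprise' or 'other'."""
    if port in ICS_PORTS:
        return "ics"
    if port in ENTERPRISE_PORTS:
        return "enterprise"
    return "other"


def owning_process(starts, ts):
    """Latest process start at or before ts for one host/PID (starts sorted).
    PIDs are reused, so never attribute a connection to a later start."""
    owner = None
    for p in starts:
        if p["ts"] <= ts:
            owner = p
    return owner


def correlate(process_events, network_events,
              window=timedelta(minutes=5), threshold=10):
    """Alert on processes reaching >= threshold distinct hosts over enterprise
    ports within `window` of their start, excluding allowlisted scanners."""
    starts = defaultdict(list)
    for p in process_events:
        starts[(p["host"], p["pid"])].append(p)
    for lst in starts.values():
        lst.sort(key=lambda p: p["ts"])

    fanout = defaultdict(lambda: {"proc": None, "dsts": set(), "ports": set()})
    for n in network_events:
        if classify_port(n["dst_port"]) != "enterprise":
            continue
        proc = owning_process(starts.get((n["host"], n["pid"]), []), n["ts"])
        if proc is None or n["ts"] - proc["ts"] > window:
            continue
        rec = fanout[(proc["host"], proc["pid"], proc["ts"])]
        rec["proc"] = proc
        rec["dsts"].add(n["dst_ip"])
        rec["ports"].add(n["dst_port"])

    alerts = []
    for rec in fanout.values():
        proc = rec["proc"]
        if (proc["image"].lower(), proc["user"].lower()) in ALLOWLIST:
            continue
        if len(rec["dsts"]) >= threshold:
            alerts.append({"host": proc["host"], "pid": proc["pid"],
                           "image": proc["image"], "user": proc["user"],
                           "parent": proc["parent"],
                           "dst_count": len(rec["dsts"]),
                           "ports": sorted(rec["ports"])})
    return sorted(alerts, key=lambda a: (a["host"], a["pid"]))


def _ts(s):
    return datetime.fromisoformat(s)


def sample_events():
    """Constructed sample telemetry (not real logs): one suspect, one
    allowlisted scanner, one Modbus poller, one admin, one PID-reuse decoy."""
    procs = [
        {"host": "OT-JUMP01", "pid": 4112, "ts": _ts("2024-05-01T09:00:00"),
         "image": r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
         "user": r"corp\jdoe", "parent": "winword.exe"},
        {"host": "VULNSCAN01", "pid": 900, "ts": _ts("2024-05-01T08:55:00"),
         "image": r"c:\program files\tenable\nessus\nessusd.exe",
         "user": r"corp\svc_vulnscan", "parent": "services.exe"},
        {"host": "HMI-02", "pid": 2200, "ts": _ts("2024-05-01T08:58:00"),
         "image": r"c:\scada\poller.exe", "user": "scada", "parent": "services.exe"},
        {"host": "ADMIN-WS", "pid": 3300, "ts": _ts("2024-05-01T09:10:00"),
         "image": r"c:\windows\system32\mstsc.exe", "user": r"corp\admin",
         "parent": "explorer.exe"},
    ]
    nets = []

    def burst(host, pid, start, count, port, subnet):
        for i in range(count):
            nets.append({"host": host, "pid": pid, "dst_port": port,
                         "dst_ip": f"{subnet}.{i + 1}",
                         "ts": _ts(start) + timedelta(seconds=i)})

    burst("OT-JUMP01", 4112, "2024-05-01T09:00:10", 12, 445, "10.20.1")  # suspect
    burst("VULNSCAN01", 900, "2024-05-01T08:56:00", 20, 445, "10.10.5")  # allowlisted
    burst("HMI-02", 2200, "2024-05-01T08:59:00", 15, 502, "10.30.9")     # ICS port, ignored
    burst("ADMIN-WS", 3300, "2024-05-01T09:11:00", 3, 3389, "10.10.7")   # under threshold
    burst("OT-JUMP01", 4112, "2024-05-01T08:40:00", 12, 445, "10.20.2")  # before start: PID reuse
    return procs, nets


def run_example():
    procs, nets = sample_events()
    return correlate(procs, nets)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Running the block yields a single alert for the PowerShell process on OT-JUMP01 spawned by winword.exe (12 peers over port 445); the Nessus burst is suppressed by the allowlist, the Modbus poller never enters the count because port 502 is classified as ICS, the three RDP sessions stay under the threshold, and the 08:40 connections are discarded because no process start for that PID precedes them. In production the window and threshold are the knobs the page warns about: a slow enumerator spreading connections beyond the window is missed, and lowering the threshold will start catching routine management traffic, so both should be set from a measured baseline of peers per process on each host class.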
Mitigation priorities
- Establish and maintain authoritative inventories of systems, approved scanning tools, and expected administrative workflows.
- Segment and restrict unnecessary enterprise-protocol reachability into or across ICS-relevant networks.
- Limit who and what can perform broad network enumeration, using least privilege and approved administration paths.
- Ensure incident response playbooks include containment and validation steps for hosts performing unexpected multi-system connections.
- Use this analytic as evidence to test whether logging, correlation, and asset context are sufficient for ICS monitoring objectives.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique, and provides a short description without official detection logic, tactics, platforms, or relationships. The most useful interpretation is defensive validation: correlate process creation with network activity to identify host-based enumeration of network resources using non-ICS enterprise protocols.
No official detection field, platform list, tactics, mitigations, data source mappings, or relationship context were supplied. Local network architecture, authorized scanning practices, and available telemetry are required before converting this into production detection logic.
Analytic 2050
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 790dbc7215f1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN2050 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.