AN0922: Analytic 0922

Unusual process (e.g., `rundll32`, `mshta`, `wscript`, or custom payloads) initiates network connection to external IPs/domains that proxy C2 traffic, often over uncommon ports or high entropy HTTP/S connections.

EnterpriseAN0922AnalyticObject v1.0 Modified Nov 12, 2025, 22:03 UTC (UTC+00:00)

This analytic matters because it points to a common defensive decision point on Windows: trusted or commonly abused processes making suspicious outbound connections. For leaders, the issue is not just malware detection; it is whether the organization can quickly see, explain, and contain unusual external communications from endpoints before they become a larger incident.

Executive priority

Prioritize validation of endpoint and network visibility for Windows systems, especially where business-critical workstations or servers can initiate outbound internet traffic. This supports incident response readiness, SOC triage quality, and audit evidence that outbound command-and-control-like behavior would be noticed and investigated. Because the ATT&CK object provides no tactic mapping or relationship context, treat this as a coverage validation item rather than proof of a specific campaign or threat actor.

Technical view

For SOC and detection engineering teams, validate whether Windows telemetry can correlate process execution with outbound network connections. The supplied analytic focuses on unusual processes such as rundll32, mshta, wscript, or custom payloads initiating connections to external IPs or domains, particularly over uncommon ports or with high-entropy HTTP/S characteristics. Detection should emphasize process-to-destination context, rarity, parent-child process behavior, command-line context where available, destination reputation or novelty, port/protocol mismatch, and whether the endpoint normally communicates externally in that pattern.

Likely telemetry

Windows process creation events with process name, command line, parent process, user, and host
Endpoint network connection telemetry linking process to destination IP, domain, port, protocol, and timestamp
DNS query logs and resolver telemetry for contacted domains
Proxy, secure web gateway, firewall, or egress logs for outbound HTTP/S and uncommon-port traffic
TLS or HTTP metadata where legally and operationally available, including SNI, user agent, JA3/JA4-style fingerprints, URI patterns, and request volume

Detection direction

Confirm the SOC can join Windows process telemetry to outbound network events; without process-to-network correlation, this analytic will be much weaker.
Baseline normal use of rundll32, mshta, wscript, and similar Windows processes to reduce false positives from legitimate administration, software updates, or enterprise scripts.
Prioritize alerts where these processes contact new, rare, external, or low-reputation destinations, especially over uncommon ports or unusual HTTP/S patterns.
Tune for environment context: developer systems, IT admin workstations, automation hosts, and legacy applications may generate legitimate but unusual scripting or network behavior.
Review blind spots such as unmanaged endpoints, disabled command-line logging, encrypted traffic with limited metadata, direct-to-internet egress that bypasses proxy logging, and NAT environments that obscure host attribution.

Mitigation priorities

Ensure Windows endpoint logging and EDR coverage capture both process activity and network connections on systems with internet access.
Restrict unnecessary outbound internet access from endpoints and servers using egress controls, proxies, and firewall policy appropriate to business function.
Apply application control or script interpreter restrictions where feasible for high-risk utilities and scripting hosts, while accounting for legitimate operational dependencies.
Harden administrative workflows so legitimate use of rundll32, mshta, wscript, and similar utilities is documented, attributable, and distinguishable from anomalous activity.
Maintain response procedures for rapid host isolation, destination blocking, DNS/proxy review, and collection of process, command-line, and network artifacts when this behavior is observed.

Analyst notes and limits

This is a detection analytic object for Windows in the enterprise ATT&CK domain. It describes suspicious outbound network behavior from unusual or commonly abused processes, but it does not provide official detection logic, ATT&CK tactics, related techniques, procedures, groups, software, or mitigations. Glexia would treat this as a practical coverage-check analytic: can the organization prove it can see and investigate this behavior end to end?

The supplied ATT&CK fields are sparse. No relationship context, tactic mapping, or official detection text was provided, so this take cannot infer attribution, active exploitation, specific malware, impact, or guaranteed detection coverage. Local baselines, endpoint tooling, proxy architecture, and logging retention determine whether the analytic is actionable.

Official MITRE ATT&CK definition

Analytic 0922

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Nov 12, 2025, 22:03 UTC (UTC+00:00)
Raw hash: dec3d65491cf2a5b...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	Jun 3, 2026, 07:54 UTC (UTC+00:00)	1.0	Nov 12, 2025, 22:03 UTC (UTC+00:00)	Current bundle	`dec3d65491cf…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN0922
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use