AN0055: Analytic 0055
Executable or script payloads lacking symbol information and readable strings that are created or dropped by unusual or short-lived processes.
Analyst context for executives and security teams
This analytic is about spotting suspicious Windows payloads that appear intentionally opaque: executables or scripts with little symbol information and few readable strings, especially when they are created or dropped by unusual or short-lived processes. For leaders, the value is not that this proves malware, but that it can highlight payload staging behavior that may otherwise evade simple filename, hash, or signature-based review.
Executive priority
Prioritize this as a coverage-validation question for Windows monitoring and incident response readiness. Security leaders should ask whether teams can connect newly created executable or script files to the process that created them, determine whether that parent process is unusual or short-lived, and preserve enough file metadata for triage. This supports operational resilience by improving early investigation of suspicious payload staging, but it should be treated as a risk signal requiring context rather than a standalone finding.
Technical view
For SOC and detection engineering teams, validate whether Windows telemetry can correlate file creation events for executable or script payloads with process lineage and process lifetime. The analytic’s key decision points are: the created object appears to lack symbol information and readable strings, and the creator process is unusual or short-lived. Because no official detection logic or ATT&CK tactic mapping is supplied, teams should implement this as a triage-oriented analytic and test it against known administrative tools, software installers, build systems, and endpoint management activity before using it for high-severity alerting.
Likely telemetry
- Windows file creation events for executable and script-like payloads
- Process creation and termination telemetry, including process lineage
- File metadata and static characteristics, including presence or absence of symbols and readable strings
- Timestamps needed to identify short-lived creator processes
- Host context for whether the creating process is expected or unusual
Detection direction
- Validate that file creation telemetry can be joined to the creating process and its parent process on Windows systems.
- Tune for local baselines: software deployment tools, installers, compilers, packagers, and administrative scripts may create files with limited strings or symbols.
- Treat absence of symbols and readable strings as a suspicious characteristic, not proof of maliciousness.
- Add investigation context around process rarity, process lifetime, execution path, user context, and whether the created payload subsequently executes.
- Because no official detection text is provided, document local logic, thresholds, false-positive handling, and evidence retention requirements.
Mitigation priorities
- Ensure Windows endpoint logging captures process creation, process termination or duration, and file creation metadata with sufficient retention for incident response.
- Establish baselines for expected software installation, scripting, packaging, and administrative activity that may create opaque payloads.
- Use application control, script control, and least-privilege practices where appropriate to reduce unauthorized payload creation and execution.
- Define SOC triage playbooks for suspicious newly created executables or scripts, including file collection, static review, process lineage review, and host containment decision points.
- Review whether compliance evidence can demonstrate monitoring and investigation of suspicious file creation and process lineage on Windows endpoints.
Analyst notes and limits
This is a detection analytic object, not a technique. Its practical value is in enriching endpoint triage around suspicious payload creation. The supplied ATT&CK fields identify Windows as the platform and describe the analytic behavior, but do not provide tactics, related techniques, detection pseudocode, data components, mitigations, or relationship context.
No official detection logic, tactics, aliases, labels, or relationships were supplied. Conclusions should therefore be limited to Windows monitoring and triage coverage for the described analytic behavior. Local telemetry quality and environment-specific baselines are required before assigning alert severity or measuring coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4e37b18ba517… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0055 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.