AN0065: Analytic 0065
Adversary stages a lure that references a remote resource (e.g., LNK/SCF/Office template). When the user opens/renders the file or a shell enumerates icons, the host automatically attempts SMB or WebDAV authentication to the attacker host. The chain is: (1) lure file is created or modified in a user-exposed location → (2) user or system accesses the lure → (3) host makes outbound NTLM (SMB 139/445 or WebDAV over 80/443) to an untrusted destination → (4) repeated attempts from multiple users/hosts or from privileged workstations.
Analyst context for executives and security teams
This analytic describes a Windows credential-exposure pattern: a user-visible lure file references a remote resource, causing the workstation to automatically attempt NTLM authentication over SMB or WebDAV to an untrusted destination. The business issue is not just the file itself; it is whether the organization can see and control unexpected outbound authentication before credentials from users or privileged workstations are exposed.
Executive priority
Prioritize this as an identity and incident-readiness validation item for Windows environments. Leaders should ask whether outbound SMB/WebDAV authentication is restricted, whether privileged workstations are treated differently, and whether the SOC can identify repeated authentication attempts from multiple users or hosts to untrusted destinations. This can support control assurance, audit evidence, and faster incident decisions when suspicious lure files or outbound NTLM activity are found.
Technical view
For SOC, detection engineering, and IR teams, validate coverage across the described chain: creation or modification of a lure file in a user-exposed location; user or shell access/rendering of that file; outbound NTLM over SMB ports 139/445 or WebDAV over 80/443 to an untrusted destination; and repeated attempts from multiple users, hosts, or privileged workstations. Because no official detection logic is provided, teams should build detections around correlated endpoint file activity plus network authentication behavior rather than a single indicator.
Likely telemetry
- Windows endpoint file creation/modification events in user-accessible locations
- Process or shell activity associated with opening, rendering, or enumerating files
- Outbound network connection logs for SMB 139/445 and WebDAV over 80/443
- Authentication telemetry showing NTLM attempts to external or otherwise untrusted destinations
- Proxy, firewall, DNS, or network sensor data identifying destination reputation and trust boundaries
Detection direction
- Validate whether telemetry can correlate lure-file activity with subsequent outbound NTLM authentication attempts from the same host.
- Tune for untrusted or external destinations rather than all SMB/WebDAV activity to reduce false positives from legitimate internal file services.
- Prioritize alerts when attempts repeat across multiple users or hosts, or originate from privileged workstations.
- Review blind spots around WebDAV over common web ports 80/443, which may blend into normal web traffic if authentication details are not logged.
- Because ATT&CK provides no official detection text or relationship context for this object, local baselines are required to distinguish normal enterprise file access from suspicious outbound authentication.
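The chain in the analytic and the Detection direction items above describe a correlation rather than a single indicator. As an added example (not MITRE's analytic logic and not Glexia's code), the Python below correlates lure-file creation in a user-exposed location with a subsequent outbound NTLM exposure from the same host, filters on untrusted destinations, and escalates when a destination is hit from several users or hosts or from a privileged workstation. The event records, hostnames, addresses, trust lists, privileged-workstation inventory, path fragments and the 10-minute window are constructed assumptions; the WebDAV user-agent prefix is the one the Windows WebClient service sends, which is what makes WebDAV over 80/443 separable from ordinary web traffic when the proxy logs user agent and authentication scheme.

```python
"""Correlate lure-file creation with subsequent outbound NTLM exposure (SMB or WebDAV).

Added example for this analytic, not MITRE's or Glexia's code. Event records,
hostnames, IPs and the trust lists below are constructed.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed trust boundary: RFC 1918 space plus an allowlisted internal file server.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TRUSTED_HOSTS = {"files.corp.example"}        # constructed allowlist
PRIVILEGED_HOSTS = {"PAW-ADMIN01"}            # constructed privileged-workstation inventory
LURE_SUFFIXES = {".lnk", ".scf", ".dotx", ".dotm"}   # file types named in the analytic
USER_EXPOSED = ("\\users\\", "\\public\\")    # user-exposed path fragments (assumption)
SMB_PORTS = {139, 445}
WEB_PORTS = {80, 443}
WEBDAV_UA = "Microsoft-WebDAV-MiniRedir"      # user agent of the Windows WebClient service
WINDOW = timedelta(minutes=10)                # max lag between lure access and outbound auth


def is_trusted(dest: str) -> bool:
    """Return True if the destination is inside the assumed trust boundary."""
    if dest.lower() in TRUSTED_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        return False            # any other hostname is treated as untrusted
    return any(ip in net for net in TRUSTED_NETS)


def is_lure_file(path: str) -> bool:
    """Lure candidate: a remote-referencing file type placed in a user-exposed location."""
    low = path.lower()
    return PureWindowsPath(low).suffix in LURE_SUFFIXES and any(frag in low for frag in USER_EXPOSED)


def is_ntlm_exposure(ev: dict) -> str | None:
    """Classify an outbound connection as 'smb' or 'webdav' NTLM exposure, else None."""
    if ev["port"] in SMB_PORTS:
        return "smb"            # outbound SMB to an untrusted host implies NTLM negotiation
    if ev["port"] in WEB_PORTS and ev.get("ua", "").startswith(WEBDAV_UA) and ev.get("auth") == "NTLM":
        return "webdav"         # only separable from web traffic if UA and auth scheme are logged
    return None


def detect(events: list[dict]) -> list[dict]:
    """Correlate lure files with outbound NTLM per host, then aggregate per destination."""
    recent_lures: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "file_create" and is_lure_file(ev["path"]):
            recent_lures[ev["host"]].append((ev["ts"], ev["path"]))
            continue
        if ev["type"] != "net_conn" or is_trusted(ev["dest"]):
            continue
        proto = is_ntlm_exposure(ev)
        if proto is None:
            continue
        lures = [p for t, p in recent_lures[ev["host"]] if timedelta(0) <= ev["ts"] - t <= WINDOW]
        if lures:
            hits.append({"host": ev["host"], "user": ev["user"], "dest": ev["dest"],
                         "proto": proto, "lures": lures})

    by_dest: dict[str, list[dict]] = defaultdict(list)
    for h in hits:
        by_dest[h["dest"]].append(h)
    alerts = []
    for dest, group in by_dest.items():
        users = sorted({h["user"] for h in group})
        hosts = sorted({h["host"] for h in group})
        privileged = sorted(set(hosts) & PRIVILEGED_HOSTS)
        # escalate on spread across users/hosts or on any privileged workstation
        severity = "high" if len(users) > 1 or len(hosts) > 1 or privileged else "medium"
        alerts.append({"dest": dest, "severity": severity, "users": users, "hosts": hosts,
                       "privileged": privileged, "protocols": sorted({h["proto"] for h in group})})
    return sorted(alerts, key=lambda a: a["dest"])


def _ts(hhmm: str) -> datetime:
    return datetime.fromisoformat(f"2026-01-05T{hhmm}:00")   # constructed date


# Constructed endpoint file events and network/proxy connection records.
SAMPLE_EVENTS = [
    {"ts": _ts("09:00"), "type": "file_create", "host": "WS-01", "user": "alice", "path": r"C:\Users\alice\Downloads\invoice.lnk"},
    {"ts": _ts("09:01"), "type": "net_conn", "host": "WS-01", "user": "alice", "dest": "203.0.113.10", "port": 445},
    {"ts": _ts("09:05"), "type": "net_conn", "host": "WS-02", "user": "bob", "dest": "10.0.5.20", "port": 445},
    {"ts": _ts("09:10"), "type": "file_create", "host": "PAW-ADMIN01", "user": "admin", "path": r"C:\Users\admin\Desktop\readme.scf"},
    {"ts": _ts("09:11"), "type": "net_conn", "host": "PAW-ADMIN01", "user": "admin", "dest": "lure.example.net",
     "port": 443, "ua": "Microsoft-WebDAV-MiniRedir/10.0.19041", "auth": "NTLM"},
    {"ts": _ts("09:12"), "type": "net_conn", "host": "WS-03", "user": "carol", "dest": "cdn.example.org",
     "port": 443, "ua": "Mozilla/5.0", "auth": "none"},
    {"ts": _ts("09:30"), "type": "file_create", "host": "WS-04", "user": "dave", "path": r"C:\Users\dave\Desktop\notes.txt"},
    {"ts": _ts("09:31"), "type": "net_conn", "host": "WS-04", "user": "dave", "dest": "203.0.113.10", "port": 445},
    {"ts": _ts("09:40"), "type": "file_create", "host": "WS-05", "user": "erin", "path": r"C:\Users\Public\Desktop\shortcut.lnk"},
    {"ts": _ts("09:41"), "type": "net_conn", "host": "WS-05", "user": "erin", "dest": "203.0.113.10", "port": 445},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input the internal file server (10.0.5.20), the ordinary browser session to 443, and the SMB connection from WS-04 (which had no lure file) produce nothing; the two remaining destinations are both escalated, one because two users on two hosts reached it, the other because the single host is a privileged workstation. In a real deployment the trust lists would come from the asset inventory and network architecture the analyst notes say determine applicability.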
Mitigation priorities
- Restrict or monitor outbound SMB and unnecessary WebDAV authentication from Windows endpoints, especially to untrusted destinations.
- Apply stronger controls and monitoring for privileged workstations and privileged users.
- Harden user-exposed file locations and improve inspection of files that reference remote resources where feasible.
- Ensure incident response playbooks cover credential-exposure triage, including identifying affected users, hosts, destinations, and repeated authentication attempts.
- Use the analytic as a control-validation scenario for identity, endpoint, and network monitoring rather than as a standalone guarantee of detection.
Analyst notes and limits
The supplied object is a MITRE detection analytic for Windows with a clear behavioral chain but no official detection implementation and no ATT&CK relationship context. The most defensible use is as a validation case for outbound NTLM exposure, endpoint/network telemetry correlation, and privileged workstation monitoring.
Tactics, relationships, labels, aliases, and official detection text were not supplied. This take does not infer specific malware, threat actors, active exploitation, business impact, or guaranteed detection coverage. Local environment architecture, trust boundaries, and logging quality determine practical applicability.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | fde554b8a3fc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0065
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.