AN0162: Analytic 0162
Correlate unauthorized or anomalous file modifications, deletions, or metadata changes with suspicious process execution or API calls. Detect abnormal changes to structured data (e.g., database files, logs, financial records) outside expected business process activity.
Analyst context for executives and security teams
AN0162 is a Windows-focused detection analytic for finding suspicious changes to important files or structured data by correlating file modifications, deletions, or metadata changes with unusual process execution or API activity. Its business value is in catching data tampering or unauthorized alteration of records before it undermines operations, investigations, reporting, or trust in critical business data.
Executive priority
Treat this as a data integrity and operational resilience control question: do security and operations teams know which Windows-hosted files, logs, database files, financial records, or other structured data should only change through approved business processes, and can they prove monitoring exists? This analytic supports SOC and incident response readiness by helping distinguish normal maintenance or application activity from suspicious modification patterns that may require rapid containment or forensic review.
Technical view
For Windows environments, validate whether file change events can be correlated with process execution and, where available, API-call telemetry. Detection engineering should focus on unauthorized or anomalous modifications, deletions, and metadata changes, especially against structured data such as database files, logs, or financial records. Because no ATT&CK tactic or relationship context is supplied, implementation should be driven by local knowledge of expected business processes, authorized applications, service accounts, maintenance windows, and normal data-change patterns.
Likely telemetry
- Windows file modification, deletion, and metadata change events
- File integrity monitoring or EDR file activity telemetry
- Process creation and process lineage telemetry
- API-call telemetry where collected by endpoint tooling
- Application, database, or business-process logs for structured data changes
Detection direction
- Baseline expected change activity for sensitive files and structured data, including approved applications, jobs, administrators, and maintenance windows.
- Correlate abnormal file changes with suspicious or unexpected process execution rather than alerting on file changes alone.
- Prioritize high-value records such as logs, database files, and financial records where unauthorized alteration could affect investigations, reporting, or operations.
- Tune for known-good backup, patching, indexing, database maintenance, and application update behavior to reduce false positives.
- Validate blind spots where Windows file auditing, EDR file telemetry, API visibility, or process command-line collection is incomplete.
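The correlation and tuning steps above, as an added Python illustration that is not part of the analytic or of Glexia's content: it joins constructed Windows file-activity events to process-creation events by host and pid, tunes out images approved in an assumed baseline, and alerts only on sensitive-data changes by an unapproved process or by a pid with no lineage (a telemetry blind spot). The event shapes, paths and baseline are assumptions, not a real tool's schema.

```python
import fnmatch
# Assumed local baseline (constructed): sensitive-path patterns -> images approved
# to change them. Lower-case on both sides because NTFS paths are case-insensitive.
BASELINE = {
    r"c:\finance\ledger\*": {r"c:\program files\erp\erpsvc.exe"},
    r"c:\logs\audit\*": {r"c:\program files\logagent\agent.exe"},
    r"c:\programdata\app\db\*.mdb": {r"c:\program files\app\appsvc.exe"},
}

def approved_images(path):
    """Return (is_sensitive, images approved to change this path)."""
    matched = [pat for pat in BASELINE if fnmatch.fnmatchcase(path.lower(), pat)]
    return bool(matched), set().union(*(BASELINE[m] for m in matched))

def correlate(proc_events, file_events):
    """Join file changes to process creation on (host, pid); alert only on
    sensitive data changed by an unapproved process or with no lineage."""
    procs = {(e["host"], e["pid"]): e for e in proc_events}
    alerts = []
    for f in file_events:
        sensitive, allowed = approved_images(f["path"])
        if not sensitive:
            continue  # not a priority data location: no alert on change alone
        proc = procs.get((f["host"], f["pid"]))
        if proc is None:
            reason = "no process lineage for pid (telemetry gap)"
        elif proc["image"].lower() in allowed:
            continue  # expected business-process activity, tuned out
        else:
            reason = "unapproved process changed sensitive data"
        alerts.append({"host": f["host"], "action": f["action"], "path": f["path"],
                       "image": proc and proc["image"], "parent": proc and proc["parent"],
                       "user": proc and proc["user"], "reason": reason})
    return alerts

# Constructed sample telemetry (not real logs), reduced to the fields needed:
# Sysmon-style process creation (EventID 1) and file activity (EventIDs 11/23/2).
PROC_EVENTS = [
    {"host": "FIN01", "pid": 4120, "image": r"C:\Program Files\ERP\erpsvc.exe",
     "parent": r"C:\Windows\System32\services.exe", "user": r"NT SERVICE\erpsvc"},
    {"host": "FIN01", "pid": 7788, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "user": r"FIN01\jdoe"},
]
FILE_EVENTS = [
    {"host": "FIN01", "pid": 4120, "action": "modify", "path": r"C:\Finance\ledger\2026-Q1.dat"},
    {"host": "FIN01", "pid": 7788, "action": "delete", "path": r"C:\Logs\audit\security.log"},
    {"host": "FIN01", "pid": 9901, "action": "timestamp", "path": r"C:\ProgramData\App\db\orders.mdb"},
    {"host": "FIN01", "pid": 7788, "action": "modify", "path": r"C:\Users\jdoe\notes.txt"},
]
```

Running `correlate(PROC_EVENTS, FILE_EVENTS)` yields two alerts: the audit-log deletion by cmd.exe spawned from WINWORD.EXE, and the database timestamp change whose pid has no matching process event.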
Mitigation priorities
- Identify and classify Windows-hosted files and structured data where unauthorized modification would create business or compliance risk.
- Restrict write permissions to approved users, service accounts, and applications according to business need.
- Ensure endpoint, file integrity, and application logging are enabled for priority data locations.
- Document approved data-change processes so the SOC can compare observed activity against expected operations.
- Use incident response playbooks that preserve file, process, account, and timing evidence when suspicious data changes are detected.
Analyst notes and limits
The supplied object is a detection analytic, not a technique, and provides a high-level correlation concept rather than executable detection logic. Glexia would treat this as a validation item for Windows endpoint telemetry, data integrity monitoring, and SOC triage workflows around sensitive file and structured data changes.
No official detection logic, tactics, relationships, aliases, or non-Windows platforms were supplied. Coverage and alert quality depend on local telemetry, business-process baselines, and knowledge of which files or records are sensitive.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f4c298303609… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0162 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.