AN0178: Analytic 0178
Behavioral chain: (1) a user-facing app (browser/Office/email client) launches a URL or handles a link, then (2) the same process lineage makes an outbound connection to an untrusted domain/IP, (3) a file is downloaded or unpacked to a user-writable location shortly after the click. Optional enrichment: subsequent child execution by LOLBINs.
Analyst context for executives and security teams
AN0178 describes a Windows detection analytic for a common early-stage intrusion pattern: a user-facing application such as a browser, Office app, or email client handles a link, reaches out to an untrusted destination, and soon after writes or unpacks a file in a user-writable location. For leaders, the value is not just “detect a download”; it is validating whether the organization can connect user action, network destination, file creation, and later child-process execution into one incident story quickly enough to contain malware or phishing-driven compromise.
Executive priority
Prioritize this analytic as a readiness check for phishing, drive-by download, and user-initiated initial access response on Windows endpoints. It helps answer practical business questions: can the SOC prove who clicked what, which external destination was contacted, what file landed, and whether it executed? Gaps in this chain slow containment, weaken audit evidence, and increase uncertainty during executive incident decisions. Because ATT&CK provides no relationship context or official detection logic here, treat this as a coverage validation opportunity rather than a guaranteed detection outcome.
Technical view
Validate whether Windows endpoint, network, and file telemetry can correlate the same process lineage across: a browser, Office application, or email client handling a URL or link; an outbound connection to an untrusted domain or IP; and a file download or unpack operation into a user-writable path shortly afterward. Where available, enrich with child-process execution, especially when the downloaded content is followed by LOLBIN activity. Detection engineering should focus on time-windowed correlation and parent/child process lineage rather than isolated events, since any single element may be benign.
Likely telemetry
- Windows process creation and parent/child process lineage
- URL or link handling events from browsers, Office applications, or email clients
- Outbound network connection logs with domain/IP destination context
- File creation, download, or archive unpacking events
- File path context for user-writable locations
Detection direction
- Build or validate correlation across click/link handling, outbound connection, and file write or unpack activity within a short time window.
- Tune around common benign software update, document download, browser cache, and enterprise file-sharing workflows to reduce false positives.
- Require process lineage where possible so the SOC can distinguish user-facing application activity from unrelated background downloads.
- Validate whether 'untrusted domain/IP' is defined consistently using local allowlists, reputation sources, proxy/DNS context, or security policy.
- Add severity when the same lineage spawns later child execution by LOLBINs, while avoiding assumptions of maliciousness without local evidence.
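The correlation described in the technical view and the detection direction above, worked through as an added example that is not part of the ATT&CK object or of Glexia's analysis. It runs over constructed, Sysmon-style records (assumed shapes: Event ID 1 process creation, 3 network connection, 11 file creation, tied together by ProcessGuid/ParentProcessGuid). The analytic supplies no thresholds, so the time windows, the `corp.example` allowlist, the internal address ranges, the user-writable prefixes, and the LOLBIN list are all hypothetical local-baseline choices, and "handling a URL" is approximated by a URL on the user-facing app's command line, which is how a link click most often surfaces in process-creation telemetry.

```python
"""Time-windowed correlation: click -> untrusted connection -> user-writable file write (-> LOLBIN child).

Added example; event shapes, windows and allowlists are assumptions, not ATT&CK-supplied logic.
"""
import ipaddress
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

USER_FACING = {"msedge.exe", "chrome.exe", "firefox.exe", "outlook.exe",
               "winword.exe", "excel.exe", "powerpnt.exe"}
LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe"}
TRUSTED_SUFFIXES = ("corp.example",)          # hypothetical local allowlist / reputation stand-in
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")   # assumed paths of concern

# Constructed sample telemetry: one phishing-style chain (P1 -> P2) and one benign intranet download (P3).
EVENTS = [
    {"id": 1, "t": "2024-05-01T09:00:00", "guid": "P1", "parent": "P0",
     "image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "cmd": "msedge.exe --single-argument https://files.example.net/invoice.zip"},
    {"id": 3, "t": "2024-05-01T09:00:02", "guid": "P1", "dest": "files.example.net", "ip": "203.0.113.7"},
    {"id": 11, "t": "2024-05-01T09:00:05", "guid": "P1", "file": r"C:\Users\alice\Downloads\invoice.zip"},
    {"id": 1, "t": "2024-05-01T09:00:40", "guid": "P2", "parent": "P1",
     "image": r"C:\Windows\System32\mshta.exe", "cmd": r"mshta.exe C:\Users\alice\Downloads\invoice.hta"},
    {"id": 1, "t": "2024-05-01T10:00:00", "guid": "P3", "parent": "P0",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmd": "chrome.exe https://intranet.corp.example/report.pdf"},
    {"id": 3, "t": "2024-05-01T10:00:01", "guid": "P3", "dest": "intranet.corp.example", "ip": "10.0.0.5"},
    {"id": 11, "t": "2024-05-01T10:00:03", "guid": "P3", "file": r"C:\Users\alice\Downloads\report.pdf"},
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def _base(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def is_untrusted(dest: str, ip: str) -> bool:
    """Untrusted = not an internal address and not under an allowlisted domain suffix."""
    if any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS):
        return False
    host = dest.lower()
    return not any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return p.startswith(USER_WRITABLE_PREFIXES) or "\\temp\\" in p


def lineage(guid: str, children: dict) -> set:
    """The process plus every descendant: the 'same process lineage' the chain requires."""
    seen, stack = set(), [guid]
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(children.get(g, []))
    return seen


def correlate(events, connect_window=60, file_window=120, lolbin_window=600):
    """One alert per click whose lineage connects out, drops a file and (optionally) runs a LOLBIN."""
    events = sorted(events, key=lambda e: e["t"])        # ISO-8601 strings sort chronologically
    children = {}
    for e in events:
        if e["id"] == 1:
            children.setdefault(e["parent"], []).append(e["guid"])
    alerts = []
    for click in events:
        # (1) a user-facing app handling a URL, approximated by a URL on its command line
        if click["id"] != 1 or _base(click["image"]) not in USER_FACING \
                or not re.search(r"https?://", click["cmd"], re.I):
            continue
        t0, fam = _ts(click["t"]), lineage(click["guid"], children)
        # (2) outbound connection from the same lineage to an untrusted destination
        conns = [e for e in events if e["id"] == 3 and e["guid"] in fam
                 and t0 <= _ts(e["t"]) <= t0 + timedelta(seconds=connect_window)
                 and is_untrusted(e["dest"], e["ip"])]
        if not conns:
            continue
        t_conn = _ts(conns[0]["t"])
        # (3) file written to a user-writable path after that connection, inside the click window
        files = [e for e in events if e["id"] == 11 and e["guid"] in fam
                 and t_conn <= _ts(e["t"]) <= t0 + timedelta(seconds=file_window)
                 and is_user_writable(e["file"])]
        if not files:
            continue
        t_file = _ts(files[0]["t"])
        # optional enrichment: a LOLBIN spawned by the lineage after the file landed raises severity
        lolbins = [e for e in events if e["id"] == 1 and e["parent"] in fam
                   and _base(e["image"]) in LOLBINS
                   and t_file <= _ts(e["t"]) <= t_file + timedelta(seconds=lolbin_window)]
        alerts.append({"click": click["guid"], "app": _base(click["image"]),
                       "dest": conns[0]["dest"], "file": files[0]["file"],
                       "lolbin": _base(lolbins[0]["image"]) if lolbins else None,
                       "severity": "high" if lolbins else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Run as-is, the chain rooted at P1 produces one high-severity alert (mshta.exe spawned 35 seconds after the archive landed), while the chrome.exe download from the allowlisted intranet host produces nothing even though it writes to the same Downloads folder: the suppression comes from the untrusted-destination decision, not from ignoring the file write. Each check is a separate function so the SOC can swap in its own proxy or DNS reputation source for `is_untrusted`, or its own path policy for `is_user_writable`, without touching the windowing logic.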
Mitigation priorities
- Ensure Windows endpoint logging captures process creation, lineage, file creation, and network connection context needed for this analytic.
- Harden and monitor user-facing applications that handle links, including browsers, Office applications, and email clients, consistent with organizational policy.
- Restrict or monitor execution from user-writable locations where feasible, especially following internet-originated downloads.
- Maintain allowlists and reputation context for known business domains to support accurate untrusted-destination decisions.
- Use incident response playbooks that preserve the click-to-download-to-execution chain for containment and evidence.
Analyst notes and limits
This is a detection analytic object, not a technique description. The supplied ATT&CK fields identify Windows as the platform and describe the intended behavioral chain, but no tactic, official detection text, aliases, labels, or relationships were supplied. The strongest operational use is as a test of correlation maturity across endpoint, network, and file telemetry.
The source does not provide formal detection logic, thresholds, data source definitions, related techniques, threat actors, software, campaigns, mitigations, or active exploitation context. Local environment baselines are required to define untrusted destinations, user-writable locations of concern, acceptable download behavior, and false-positive handling.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ae9ee280ba92… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0178 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.