MITRE ATT&CK® Analytic

AN0194: Analytic 0194

Detects file transfers or mounting operations from remote hosts followed by write actions into a local staging directory, often using SMB or remote shell activity.

Domain: Enterprise | ID: AN0194 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because remote file transfer or remote share mounting followed by writes into a local staging directory can be an early sign that a Windows host is being used to collect, prepare, or move files during an intrusion. For leaders, the decision value is whether the organization can see remote-to-local file movement patterns clearly enough to support fast investigation before data handling, lateral movement, or follow-on activity becomes harder to contain.

Executive priority

Prioritize this as a coverage validation item for Windows monitoring, managed detection, and incident response readiness. The key business question is not whether this single analytic is enabled, but whether SOC teams can prove they collect enough endpoint, file, network, and authentication evidence to explain who connected from where, what was mounted or transferred, what was written locally, and whether the activity was expected administration or suspicious staging.

Technical view

For Windows environments, validate detections that correlate remote host file-transfer or mounting activity with subsequent write actions into local staging locations. Because the supplied ATT&CK object does not provide a formal detection implementation or tactics, teams should treat this as a behavioral detection concept rather than a complete rule. SOC and detection engineers should test whether telemetry can link remote SMB or remote shell-related activity to local file creation or modification events, with context on source host, destination host, user account, process, path, timestamp sequence, and volume of writes.

Likely telemetry

  • Windows endpoint file creation and modification events for local staging directories
  • SMB session, share access, or remote file access logs where available
  • Process execution telemetry showing remote shell or administrative tooling activity
  • Windows authentication and logon events linking user, source host, and destination host
  • Network connection metadata between remote hosts and the Windows system

Detection direction

  • Validate correlation logic that requires both a remote transfer or mount indicator and subsequent local write activity, rather than alerting on file writes alone.
  • Tune expected administrative software deployment, backup, patching, and IT file-copy workflows to reduce false positives.
  • Confirm whether staging directory definitions are explicit and environment-specific; generic temporary, user profile, or shared paths may require different thresholds.
  • Review blind spots where SMB, remote shell activity, or file-write telemetry is not collected, is retained too briefly, or cannot be tied to a user and source host.
  • Use sequence timing, write volume, file types, source host reputation, and account context to prioritize investigations.
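The correlation described in the Technical view and the first two Detection direction items, as an added example that is not part of the ATT&CK object or the Glexia page: a remote share-access indicator must be followed, within a window, by a minimum number of writes under a defined staging directory on the same host by the same user, and an approved deployment account is tuned out. The staging paths, the allow-listed account and every event record are constructed; record shapes are only loosely modelled on Windows Security event 5140 (share accessed) and Sysmon event 11 (file create).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Environment-specific definitions; both values are constructed for this example.
STAGING_DIRS = ("c:\\users\\public\\stage\\", "c:\\windows\\temp\\staging\\")
EXPECTED_ADMIN = {"CORP\\svc_deploy"}  # approved software-deployment account

def ev(ts, kind, host, user, **extra):
    """Build one constructed telemetry record (share_access or file_create)."""
    return {"ts": ts, "type": kind, "host": host, "user": user, **extra}

# Constructed sample telemetry: hosts, users, addresses, paths and times are invented.
EVENTS = [
    # remote share access, then two staging writes by the same user: should alert
    ev("2024-05-01T09:00:05", "share_access", "WS01", "CORP\\jdoe", src_ip="10.0.0.7"),
    ev("2024-05-01T09:00:09", "file_create", "WS01", "CORP\\jdoe", path="C:\\Users\\Public\\stage\\hr.7z"),
    ev("2024-05-01T09:01:30", "file_create", "WS01", "CORP\\jdoe", path="C:\\Users\\Public\\stage\\fin.7z"),
    # staging writes with no preceding remote indicator: must not alert
    ev("2024-05-01T10:00:00", "file_create", "WS02", "CORP\\asmith", path="C:\\Windows\\Temp\\staging\\x.zip"),
    ev("2024-05-01T10:00:02", "file_create", "WS02", "CORP\\asmith", path="C:\\Windows\\Temp\\staging\\y.zip"),
    # same sequence by the approved deployment account: tuned out
    ev("2024-05-01T11:00:00", "share_access", "WS03", "CORP\\svc_deploy", src_ip="10.0.0.5"),
    ev("2024-05-01T11:00:03", "file_create", "WS03", "CORP\\svc_deploy", path="C:\\Windows\\Temp\\staging\\p.msi"),
    ev("2024-05-01T11:00:04", "file_create", "WS03", "CORP\\svc_deploy", path="C:\\Windows\\Temp\\staging\\q.msi"),
]

def correlate(events, window=timedelta(minutes=10), min_writes=2):
    """Return one alert per (host, user, src_ip) where a remote share access is
    followed within `window` by at least `min_writes` file creates under a
    staging directory on the same host by the same user. Staging writes with
    no preceding remote indicator, and approved admin accounts, never alert."""
    writes = defaultdict(list)  # (host, user) -> timestamps of staging writes
    for e in events:
        if e["type"] == "file_create" and e["path"].lower().startswith(STAGING_DIRS):
            writes[(e["host"], e["user"])].append(datetime.fromisoformat(e["ts"]))
    alerts, seen = [], set()
    for e in events:
        if e["type"] != "share_access" or e["user"] in EXPECTED_ADMIN:
            continue
        key = (e["host"], e["user"], e["src_ip"])
        t0 = datetime.fromisoformat(e["ts"])
        hits = sorted(t for t in writes[key[:2]] if t0 <= t <= t0 + window)
        if len(hits) >= min_writes and key not in seen:
            seen.add(key)  # one alert per remote source, not one per share event
            alerts.append({"host": key[0], "user": key[1], "src_ip": key[2],
                           "writes": len(hits), "first_write": hits[0].isoformat()})
    return alerts
```

Raising `min_writes` or shrinking `window` is where the environment-specific thresholds the page calls for would be set.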

Mitigation priorities

  • First, ensure Windows endpoint and authentication logging can support investigation of remote-to-local file movement.
  • Restrict and monitor administrative remote access paths, including SMB and remote shell usage, according to least privilege and operational need.
  • Harden access to directories commonly used for staging by limiting unnecessary write permissions and monitoring unusual write patterns.
  • Document approved IT transfer, deployment, and maintenance workflows so SOC teams can distinguish expected operations from suspicious staging behavior.
  • Include this behavior in incident response playbooks so analysts know how to preserve host, account, network, and file evidence quickly.

Analyst notes and limits

AN0194 is a detection analytic in the enterprise ATT&CK domain for Windows. The official description is specific enough to guide telemetry validation, but the object does not include an official detection query, tactic mapping, or relationship context. Treat it as a practical detection coverage pattern for remote file movement followed by local staging writes.

The supplied ATT&CK fields do not identify specific tactics, techniques, related objects, adversaries, procedures, or an implementation-ready detection. Local environment baselines are required to define staging paths, expected administrative transfer behavior, and meaningful thresholds.

Official MITRE ATT&CK definition

Analytic 0194

Detects file transfers or mounting operations from remote hosts followed by write actions into a local staging directory, often using SMB or remote shell activity.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 6f154d3951555cf4...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 6f154d395155…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0194 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.