Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0211: Analytic 0211

Detects abuse of Mono/.NET Core environments to execute VB-like scripts, often in environments with Office emulation or WINE. Focus is on rare invocations of scripting hosts like mono.exe or .NET shells, often seen in spam filtering or forensic labs with Office support.

EnterpriseAN0211AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because Mono/.NET Core and Office-emulation stacks on Linux can create an unusual path for script execution in environments that may not be monitored like standard user endpoints. For leaders, the practical question is whether Linux-based mail filtering, sandboxing, forensic, or lab systems that support Office/WINE-style processing have enough visibility to distinguish legitimate document handling from rare scripting-host execution.

Executive priority

Prioritize this as a coverage-validation item for specialized Linux systems rather than as a broad enterprise threat claim. Security leaders should ask whether spam filtering, malware analysis, forensic lab, and Office-emulation environments are inventoried, monitored, and governed, because these systems often process untrusted content and may sit outside normal endpoint detection assumptions. The business value is in reducing blind spots around systems that support continuity of email security, investigation workflows, and evidence handling.

Technical view

ATT&CK lists this detection analytic for Linux and describes detection of rare invocations of scripting hosts such as mono.exe or .NET shells used to execute VB-like scripts, particularly around Office emulation or WINE. Because no official detection logic or tactics are supplied, SOC teams should treat this as a hypothesis to validate: identify where Mono/.NET Core, WINE, or Office-emulation tooling exists; baseline normal process execution; and alert on uncommon script-host launches, unusual command lines, or unexpected parent processes from mail, sandbox, lab, or document-processing workflows.

Likely telemetry

  • Linux process creation events with executable name, path, command line, user, working directory, and parent process
  • EDR or host audit telemetry from Linux systems running Mono/.NET Core, WINE, Office emulation, spam filtering, or forensic tooling
  • Package or asset inventory showing where Mono, .NET Core, WINE, or Office-support components are installed
  • File creation and script artifact telemetry in temporary, mail-processing, sandbox, or forensic work directories
  • Email security, sandbox, or lab workflow logs that show document processing context around process execution

Detection direction

  • Build an allowlist or baseline for expected Mono/.NET Core and WINE-related execution on Linux systems that legitimately perform Office emulation or document analysis.
  • Tune for rarity: unexpected mono.exe or .NET shell invocations, VB-like script execution indicators in command lines, and launches from mail-processing, sandbox, temporary, or forensic directories should receive higher scrutiny.
  • Correlate process events with the surrounding workflow, such as email attachment handling or lab analysis, to reduce false positives from legitimate spam filtering or forensic activity.
  • Validate that Linux telemetry is collected from specialized security infrastructure, not only from standard servers and workstations.
  • Document blind spots explicitly: ATT&CK provides no official detection query, no tactic mapping, and no relationship context for this analytic.

Mitigation priorities

  • Inventory Linux systems where Mono/.NET Core, WINE, or Office-emulation components are installed and confirm business justification.
  • Limit these tools to approved hosts and workflows; remove or disable them where they are not required.
  • Apply least privilege and execution controls around mail-processing, sandbox, and forensic lab environments that handle untrusted content.
  • Ensure host logging and EDR coverage are enabled before relying on these systems for security or investigation workflows.
  • Use the inventory and monitoring evidence as audit support for controls over specialized document-processing and analysis environments.
Analyst notes and limits

This is a detection analytic object, not a full ATT&CK technique. The supplied description is most useful for identifying a monitoring gap around rare Mono/.NET Core scripting-host activity on Linux, especially in environments that emulate Office behavior or use WINE. Relationship context is not supplied, so no inference is made about specific adversaries, campaigns, techniques, or impacts.

The official object provides a description but no detection logic, tactic mapping, relationships, or mitigations. Local baselining is required to determine what is rare or suspicious, and legitimate spam filtering or forensic lab activity may resemble the behavior described.

Official MITRE ATT&CK definition

Analytic 0211

Detects abuse of Mono/.NET Core environments to execute VB-like scripts, often in environments with Office emulation or WINE. Focus is on rare invocations of scripting hosts like mono.exe or .NET shells, often seen in spam filtering or forensic labs with Office support.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
06a3f9d3ba479272...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 06a3f9d3ba47…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0211
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use