MITRE ATT&CK® Analytic

AN0331: Analytic 0331

Detects execution of image viewers or PowerShell scripts accessing or decoding files with mismatched MIME headers or embedded script-like byte patterns; often correlated with suspicious parent-child process lineage and outbound connections.

Enterprise | AN0331 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Analytic 0331 is a Windows-focused detection analytic for suspicious file handling where image viewers or PowerShell access or decode files whose MIME/header content does not match expectations or that contain script-like byte patterns. The practical value is early warning that a seemingly benign file workflow may be hiding executable or script content, especially when paired with unusual process lineage or outbound network activity.

Executive priority

Prioritize this as a validation point for SOC and incident response readiness rather than as a standalone risk statement. Leaders should ask whether Windows endpoint telemetry, process lineage, file-content inspection, and outbound connection evidence are available quickly enough to investigate suspicious document or image-driven activity. It can support control prioritization around endpoint visibility, script execution oversight, and evidence needed for incident decisions or compliance reporting.

Technical view

For Windows environments, validate whether detections can correlate three evidence areas: image viewer or PowerShell execution, access to or decoding of files with mismatched MIME headers or embedded script-like byte patterns, and suspicious parent-child process lineage plus outbound connections. Because no ATT&CK tactic or formal detection logic is supplied, teams should treat this as an analytic concept requiring local implementation, baselining, and false-positive review.

Likely telemetry

  • Windows process creation events, including command line, parent process, and child process lineage
  • PowerShell execution telemetry, including script block or command logging where available
  • File access or file inspection metadata showing MIME/header mismatch or embedded script-like byte patterns
  • Endpoint detection telemetry for image viewer processes accessing unusual files
  • Network connection telemetry from endpoints, especially outbound connections correlated to the same process tree

Detection direction

  • Confirm that process creation and parent-child lineage are collected for Windows hosts where image viewers and PowerShell are in use.
  • Validate whether security tooling can identify mismatched MIME headers or embedded script-like byte patterns; many environments collect process data but not file-content evidence.
  • Correlate file anomalies with execution context and outbound connections rather than alerting on file mismatch alone, which may generate benign noise from malformed or uncommon files.
  • Tune against known business workflows that legitimately process images, archives, transformed media, or scripted automation.
  • Investigate PowerShell involvement carefully, but avoid assuming maliciousness without supporting lineage, file anomaly, or network evidence.
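A worked implementation of the correlation described in the Technical view and Detection direction above, added here as an example and not part of the ATT&CK object or Glexia's analysis. It assumes a hypothetical image viewer process name (`imageviewer.exe`), an illustrative magic-byte table and script-marker list, and constructed file, process and network events in place of real telemetry.

```python
"""Added example (not from the ATT&CK object or Glexia): header mismatch and
script-marker scan correlated with process lineage and outbound connections.
All file contents, process and network events are constructed sample data."""
from collections import namedtuple

MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8", "pdf": b"%PDF-"}
SCRIPT_MARKERS = [b"powershell", b"Invoke-Expression", b"FromBase64String", b"<script"]
HANDLERS = ("powershell.exe", "imageviewer.exe")  # "imageviewer.exe" is a placeholder
Proc = namedtuple("Proc", "pid ppid image opened", defaults=[()])  # opened: files accessed

def inspect_file(name: str, data: bytes) -> dict:
    """Report extension/header mismatch and script-like byte markers for one file."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = MAGIC.get(ext)  # unknown extension: no mismatch claim, markers still scanned
    mismatch = expected is not None and not data.startswith(expected)
    markers = [m.decode() for m in SCRIPT_MARKERS if m in data]
    return {"file": name, "header_mismatch": mismatch, "script_markers": markers}

def correlate(procs, net, findings):
    """Alert only when a flagged file is opened by an image viewer or PowerShell
    AND that process or its parent has an outbound connection; a file anomaly
    alone never alerts, per the detection direction above."""
    by_pid = {p.pid: p for p in procs}
    flagged = {f["file"] for f in findings if f["header_mismatch"] or f["script_markers"]}
    outbound = {n["pid"] for n in net}
    alerts = []
    for p in procs:
        hits = flagged & set(p.opened)
        if p.image.lower() not in HANDLERS or not hits:
            continue
        parent = by_pid.get(p.ppid)
        tree = {p.pid} | ({parent.pid} if parent else set())
        if outbound & tree:
            alerts.append({"pid": p.pid, "image": p.image, "files": sorted(hits),
                           "parent": parent.image if parent else None})
    return alerts

SAMPLE_FILES = {  # constructed: a genuine JPEG header, and a ".png" that is really a zip
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "invoice.png": b"PK\x03\x04" + b"\x00" * 8 + b"powershell FromBase64String",
}
SAMPLE_PROCS = [Proc(100, 1, "explorer.exe"), Proc(200, 100, "winword.exe"),
                Proc(300, 200, "powershell.exe", ("invoice.png",)),
                Proc(400, 100, "imageviewer.exe", ("holiday.jpg",))]
SAMPLE_NET = [{"pid": 300, "dst": "198.51.100.7:443"}, {"pid": 400, "dst": "198.51.100.9:443"}]

def run_sample():
    findings = [inspect_file(n, d) for n, d in SAMPLE_FILES.items()]
    return findings, correlate(SAMPLE_PROCS, SAMPLE_NET, findings)
```

Only the PowerShell process tree with both a flagged file and an outbound connection produces an alert; the viewer opening a well-formed JPEG with its own outbound connection stays silent, which is the tuning point the list above makes.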

Mitigation priorities

  • Ensure Windows endpoint logging and retention are sufficient for process lineage, PowerShell activity, file access, and outbound network investigation.
  • Harden script execution governance and monitoring where PowerShell is used operationally.
  • Review controls around handling untrusted files and file types, especially where user-facing applications open external content.
  • Prioritize correlation capability between endpoint, file analysis, and network telemetry before relying on this analytic for response decisions.
  • Use incident response playbooks that preserve the suspicious file, process tree, user context, and network destinations for analysis.

Analyst notes and limits

This take is based only on the supplied ATT&CK analytic fields. The object describes a detection analytic, not an adversary technique, and no relationships, tactics, aliases, or official detection logic were provided. Treat it as guidance for validating a detection use case rather than proof of existing coverage or confirmed threat activity.

Coverage depends on local Windows telemetry quality, file inspection capability, PowerShell logging configuration, and correlation across endpoint and network data. The supplied object does not specify exact detection logic, severity, adversary usage, impacted software, or ATT&CK technique relationships.

Official MITRE ATT&CK definition

Analytic 0331

Detects execution of image viewers or PowerShell scripts accessing or decoding files with mismatched MIME headers or embedded script-like byte patterns; often correlated with suspicious parent-child process lineage and outbound connections.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not provided)
Modified: (not provided)
Raw hash: b83fb136d99c935f...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not provided) | 1.0 | (not provided) | Current bundle | b83fb136d99c…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0331 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.