MITRE ATT&CK® Analytic

AN0498: Analytic 0498

Correlated evidence of anomalous browser/network behavior (suspicious external resource fetches and script injection patterns) followed by atypical child processes, ephemeral execution contexts, memory modification or process injection, and unexpected file drops. Defender sees network requests to previously unseen/suspicious domains or resources + browser process spawning unusual children or loading unsigned modules + file writes or registry changes shortly after those requests.

Enterprise | AN0498 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is important because it describes a Windows browser-centered chain of evidence: suspicious external web resources or script injection indicators followed by unusual browser child processes, unsigned module loads, memory or process manipulation, and unexpected file or registry changes. For leaders, the value is not a single alert; it is whether the organization can correlate web, endpoint, process, module, file, and registry evidence quickly enough to determine whether browser activity has become host execution activity.

Executive priority

Prioritize this as a validation of SOC and incident response readiness for browser-to-endpoint intrusion paths on Windows. Executives should ask whether teams can prove collection and correlation across network requests, browser process behavior, file writes, registry changes, and memory/process activity. This supports operational resilience, audit evidence for monitoring coverage, and better triage decisions when suspicious web activity is followed by local execution artifacts.

Technical view

For Windows environments, validate correlation logic that links suspicious or previously unseen external browser resource requests with subsequent endpoint behavior from the browser process or nearby process tree. Key validation points include unusual child processes, unsigned module loads, short-lived execution contexts, file drops, registry changes, memory modification, or process injection-like telemetry shortly after the network activity. Because no official detection logic or tactics are supplied, teams should treat this as an analytic pattern to operationalize and tune rather than a complete rule.

Likely telemetry

  • DNS and web/proxy requests from Windows browser processes, including destination domain, URL/resource, timing, and reputation or novelty context
  • Endpoint process creation events showing browser parent/child relationships
  • Module load telemetry, especially unsigned or unusual modules loaded by browser-related processes
  • File creation/write events occurring shortly after suspicious browser requests
  • Registry modification events near the same time window

Detection direction

  • Validate that alerts require correlation across multiple evidence types rather than relying only on a suspicious domain or a single process event.
  • Tune for time proximity between browser/network activity and endpoint changes such as unusual child processes, unsigned module loads, file writes, or registry updates.
  • Review false positives from legitimate browser extensions, enterprise web applications, software update flows, security tools, and browser helper processes.
  • Confirm whether telemetry can distinguish normal browser child processes from atypical execution contexts in the local environment.
  • Identify blind spots where proxy/DNS logs are not tied to host process context or where endpoint tools do not capture module loads, registry changes, or memory-related signals.
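The correlation pattern described above (novel browser destination, then evidence of more than one kind from the browser's own process lineage inside a short window) is easier to reason about with a concrete correlator. The following is an added illustration written for this page, not Glexia's detection logic or any MITRE-supplied rule; the event records, domain names, process IDs, the 120-second window and the two-evidence-type threshold are all constructed assumptions that a real deployment would replace with its own telemetry schema and baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Browser images whose same-image children (renderer, GPU, utility helpers) are
# expected; any other child spawned from them is treated as "unusual" here.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed baseline of domains this environment has seen before (hypothetical).
BASELINE_DOMAINS = {"intranet.corp.test", "update.vendor.test"}

# Constructed sample telemetry for one Windows host (not real logs).
# kind: net | proc | module | file | registry | memory
SAMPLE_EVENTS = [
    # Benign: known domain, then a browser file write (download/cache) -> no alert
    {"ts": "2026-01-10T09:00:00", "kind": "net", "pid": 4120, "image": "chrome.exe", "domain": "intranet.corp.test"},
    {"ts": "2026-01-10T09:00:02", "kind": "file", "pid": 4120, "image": "chrome.exe", "path": r"C:\Users\u\AppData\Local\Temp\report.pdf"},
    # Suspicious chain: unseen domain, unusual child, unsigned module, file drop by the child
    {"ts": "2026-01-10T09:05:00", "kind": "net", "pid": 4120, "image": "chrome.exe", "domain": "x7q-assets.unseen.test"},
    {"ts": "2026-01-10T09:05:04", "kind": "proc", "pid": 5102, "ppid": 4120, "image": "powershell.exe"},
    {"ts": "2026-01-10T09:05:06", "kind": "module", "pid": 4120, "image": "chrome.exe", "module": r"C:\Users\u\AppData\Local\Temp\h.dll", "signed": False},
    {"ts": "2026-01-10T09:05:09", "kind": "file", "pid": 5102, "image": "powershell.exe", "path": r"C:\Users\u\AppData\Roaming\svc.exe"},
    # Unrelated process writing a file in the same window -> outside browser lineage, ignored
    {"ts": "2026-01-10T09:05:10", "kind": "file", "pid": 9999, "image": "explorer.exe", "path": r"C:\Users\u\Desktop\notes.txt"},
    # Unseen domain followed only by a normal renderer child -> no alert
    {"ts": "2026-01-10T09:20:00", "kind": "net", "pid": 4120, "image": "chrome.exe", "domain": "media.unseen2.test"},
    {"ts": "2026-01-10T09:20:01", "kind": "proc", "pid": 5200, "ppid": 4120, "image": "chrome.exe"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def _parents_map(events):
    """pid -> ppid, built from process-creation events (single lineage snapshot)."""
    return {e["pid"]: e["ppid"] for e in events if e["kind"] == "proc"}


def _in_lineage(pid, root, parents):
    """True if pid is root or a descendant of root (walks the parent chain)."""
    seen = set()
    while pid is not None and pid not in seen:
        if pid == root:
            return True
        seen.add(pid)
        pid = parents.get(pid)
    return False


def _classify(e):
    """Map a follow-on event to an evidence type, or None if it is expected browser behaviour."""
    if e["kind"] == "proc":
        return None if e["image"] in BROWSER_IMAGES else "unusual_child"
    if e["kind"] == "module":
        return None if e.get("signed", True) else "unsigned_module"
    return {"file": "file_write", "registry": "registry_change", "memory": "memory_or_injection"}.get(e["kind"])


def correlate(events, baseline=BASELINE_DOMAINS, window_seconds=120, min_types=2):
    """Alert only when a browser request to a previously unseen domain is followed,
    within the window and inside the browser's process lineage, by at least
    min_types distinct evidence types. A lone suspicious domain never alerts."""
    events = sorted(events, key=lambda e: _parse(e["ts"]))
    parents = _parents_map(events)
    alerts = []
    for anchor in events:
        if anchor["kind"] != "net" or anchor["image"] not in BROWSER_IMAGES:
            continue
        if anchor["domain"] in baseline:
            continue  # novelty of the destination is the trigger
        t0 = _parse(anchor["ts"])
        deadline = t0 + timedelta(seconds=window_seconds)
        evidence = defaultdict(list)
        for e in events:
            t = _parse(e["ts"])
            if e is anchor or t < t0 or t > deadline:
                continue
            if not _in_lineage(e["pid"], anchor["pid"], parents):
                continue
            etype = _classify(e)
            if etype:
                evidence[etype].append(e)
        if len(evidence) >= min_types:
            alerts.append({"domain": anchor["domain"], "ts": anchor["ts"],
                           "types": sorted(evidence), "evidence": dict(evidence)})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["ts"], a["domain"], a["types"])
```

On the constructed sample only the 09:05 chain alerts: the known-domain request is skipped by the baseline, the explorer.exe file write is excluded because it is not in the browser's lineage, and the 09:20 request is followed only by a normal same-image child. Shrinking `window_seconds` or raising `min_types` is where the tuning recommended above happens; the same structure also makes the blind spots visible, since a proxy log without a host process ID cannot supply `anchor["pid"]` and lineage checks then cannot run.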

Mitigation priorities

  • Ensure Windows endpoint monitoring captures process creation, file, registry, module load, and relevant memory/process behavior events.
  • Maintain web/DNS/proxy logging with enough detail to identify suspicious or previously unseen external resources accessed by browsers.
  • Improve correlation between network telemetry and endpoint process lineage so SOC teams can reconstruct browser-to-host activity.
  • Harden browser and endpoint configurations using existing enterprise controls, with attention to extension governance, script exposure, and unauthorized execution paths where applicable.
  • Prepare incident response playbooks for browser-originated suspicious execution, including host isolation criteria, evidence preservation, and scoping across similar network requests.

Analyst notes and limits

This object is a detection analytic, AN0498, for Windows in the enterprise ATT&CK domain. The official description is correlation-oriented and describes the evidence sequence, but no official detection logic, tactics, or relationship context are supplied. The most defensible use is as a coverage assessment and detection engineering pattern for browser/network activity followed by endpoint execution and modification artifacts.

Assessment is limited to the supplied STIX fields and external reference. No active exploitation, attribution, specific technique mapping, guaranteed detection method, or non-Windows platform coverage is supported by the provided data. Local baselining is required to determine what is anomalous in a given environment.

Official MITRE ATT&CK definition

Analytic 0498

Correlated evidence of anomalous browser/network behavior (suspicious external resource fetches and script injection patterns) followed by atypical child processes, ephemeral execution contexts, memory modification or process injection, and unexpected file drops. Defender sees network requests to previously unseen/suspicious domains or resources + browser process spawning unusual children or loading unsigned modules + file writes or registry changes shortly after those requests.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: cea8c94f1f2c3b32...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | cea8c94f1f2c…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0498 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.