AN0516: Analytic 0516
Correlate suspicious file transfers over SMB or Admin$ shares with process creation events (e.g., cmd.exe, powershell.exe, certutil.exe) that do not align with normal administrative behavior. Detect remote file writes followed by execution of transferred binaries.
Analyst context for executives and security teams
This analytic matters because remote file copy followed by execution over Windows SMB/Admin$ paths is often the difference between routine administration and a hands-on intrusion moving across systems. For leaders, the practical question is whether the organization can distinguish approved administrative software deployment from suspicious remote writes and subsequent execution quickly enough to contain an incident.
Executive priority
Prioritize this as a Windows lateral-movement and incident-readiness validation item. It supports business continuity by testing whether SOC and IR teams can see remote file transfers, correlate them with process execution, and separate expected administrator activity from abnormal behavior. It is also useful as audit evidence for monitoring of privileged administrative activity and control over remote administration channels.
Technical view
Validate correlation between Windows SMB/Admin$ file-write activity and process creation events involving examples named in the ATT&CK analytic, such as cmd.exe, powershell.exe, and certutil.exe. The key defensive test is not a single event, but sequence and context: a remote file write followed by execution of the transferred binary, especially when it does not match known administrative patterns. Because no ATT&CK detection logic or relationship context is supplied, teams should build and tune this around local baselines for authorized admin tooling, software distribution, and remote support workflows.
Likely telemetry
- Windows process creation telemetry
- Remote SMB/Admin$ file-write or file-transfer evidence
- Host file creation or modification events on Windows systems
- Authentication and session context for remote administrative access
- Administrative activity baselines for known management tools and operators
Detection direction
- Confirm that process creation logging is available on Windows endpoints and includes command-line and parent/child process context where possible. In practice this means Security event 4688 with "Include command line in process creation events" enabled, or Sysmon event 1, which records command line and parent image by default.
- Confirm visibility into SMB or Admin$ remote file writes; lack of this telemetry is a major blind spot for this analytic. On the destination host, Security event 5145 (Detailed File Share auditing) records the share, relative target path, requesting account, source address and access mask, and Sysmon event 11 records the resulting file creation.
- Correlate remote file writes with subsequent execution on the destination host rather than alerting on either behavior alone.
- Tune against normal administrative behavior, including software deployment, patching, remote support, and scripted operations, to reduce false positives.
- Review events involving cmd.exe, powershell.exe, and certutil.exe in this context, but avoid limiting detection only to those examples because the official description frames them as examples.
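The sequence described above, implemented as a small correlation pass over constructed log events. This is an added example, not MITRE's detection logic or any code from the page: the event records are hand-built with field names modelled on Security events 5145 (share access) and 4688 (process creation), the ADMIN$/C$ to local-path mapping assumes the default system drive, and the baseline of approved deployment accounts and source addresses is a hypothetical placeholder for a local allowlist.

```python
from datetime import datetime, timedelta

# Bits of the 5145 AccessMask that indicate a write: WriteData (0x2), AppendData (0x4).
WRITE_BITS = 0x2 | 0x4

# Local root of each administrative share (assumes the default C: system drive).
ADMIN_SHARES = {"ADMIN$": r"C:\Windows", "C$": "C:"}

# Hypothetical local baseline: deployment identities and sources allowed to
# push and run files over admin shares. Replace with the organisation's own list.
BASELINE_ACCOUNTS = {"svc_sccm"}
BASELINE_SOURCES = {"10.0.0.5"}


def share_to_local_path(share_name, relative_target):
    """Map a 5145 ShareName/RelativeTargetName pair to a lower-cased local path."""
    share = share_name.rstrip("\\").rsplit("\\", 1)[-1].upper()  # '\\*\ADMIN$' -> 'ADMIN$'
    root = ADMIN_SHARES.get(share)
    if root is None:
        return None
    return (root + "\\" + relative_target.lstrip("\\")).lower()


def is_remote_write(ev):
    """True for a 5145 event whose access mask carries a write bit."""
    if ev["EventID"] != 5145:
        return False
    return (int(ev["AccessMask"], 16) & WRITE_BITS) != 0


def in_baseline(write_ev):
    return (write_ev["SubjectUserName"].lower() in BASELINE_ACCOUNTS
            or write_ev["IpAddress"] in BASELINE_SOURCES)


def correlate(events, window=timedelta(minutes=30)):
    """Alert when a non-baselined remote write is followed, on the same host and
    within the window, by a process whose image is the written file or whose
    command line references it (covers scripts and certutil-style consumers)."""
    pending, alerts = [], []
    for ev in sorted(events, key=lambda e: e["Time"]):
        now = datetime.fromisoformat(ev["Time"])
        pending = [w for w in pending if now - w["time"] <= window]  # expire old writes
        if is_remote_write(ev):
            path = share_to_local_path(ev["ShareName"], ev["RelativeTargetName"])
            if path and not in_baseline(ev):
                pending.append({"time": now, "path": path, "event": ev})
        elif ev["EventID"] == 4688:
            image = ev["NewProcessName"].lower()
            cmdline = ev.get("CommandLine", "").lower()
            for w in pending:
                if w["event"]["Computer"] != ev["Computer"]:
                    continue  # write landed on a different host
                if image == w["path"] or w["path"] in cmdline:
                    alerts.append({
                        "host": ev["Computer"],
                        "file": w["path"],
                        "written_by": w["event"]["SubjectUserName"],
                        "source_ip": w["event"]["IpAddress"],
                        "executed": ev["NewProcessName"],
                        "command_line": ev.get("CommandLine", ""),
                        "delay_seconds": (now - w["time"]).total_seconds(),
                    })
    return alerts


# Constructed sample telemetry (not real logs). Each pair is one scenario.
SAMPLE_EVENTS = [
    # 1. Approved deployment account from the distribution server: baselined, no alert.
    {"EventID": 5145, "Time": "2025-01-15T09:00:00", "Computer": "WS01", "SubjectUserName": "svc_sccm",
     "IpAddress": "10.0.0.5", "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "ccmsetup\\ccmsetup.exe", "AccessMask": "0x2"},
    {"EventID": 4688, "Time": "2025-01-15T09:00:30", "Computer": "WS01", "SubjectUserName": "SYSTEM",
     "NewProcessName": "C:\\Windows\\ccmsetup\\ccmsetup.exe", "CommandLine": "ccmsetup.exe /mp:sccm01"},
    # 2. Interactive account from a workstation drops a binary, then it runs: alert.
    {"EventID": 5145, "Time": "2025-01-15T10:00:00", "Computer": "WS01", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.0.77", "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "Temp\\svc.exe", "AccessMask": "0x2"},
    {"EventID": 4688, "Time": "2025-01-15T10:02:10", "Computer": "WS01", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\Temp\\svc.exe", "CommandLine": "C:\\Windows\\Temp\\svc.exe -k"},
    # 3. Non-executable dropped over C$, then consumed by certutil on the command line: alert.
    {"EventID": 5145, "Time": "2025-01-15T11:00:00", "Computer": "WS02", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.0.77", "ShareName": "\\\\*\\C$", "RelativeTargetName": "Users\\Public\\p.txt", "AccessMask": "0x6"},
    {"EventID": 4688, "Time": "2025-01-15T11:05:00", "Computer": "WS02", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -decode C:\\Users\\Public\\p.txt C:\\Users\\Public\\p.exe"},
    # 4. Read-only share access (no write bits) followed by execution: no alert.
    {"EventID": 5145, "Time": "2025-01-15T12:00:00", "Computer": "WS02", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.0.77", "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "System32\\notepad.exe", "AccessMask": "0x100080"},
    {"EventID": 4688, "Time": "2025-01-15T12:00:05", "Computer": "WS02", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
    # 5. Write followed by execution two hours later, outside the window: no alert.
    {"EventID": 5145, "Time": "2025-01-15T13:00:00", "Computer": "WS03", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.0.77", "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "Temp\\late.exe", "AccessMask": "0x2"},
    {"EventID": 4688, "Time": "2025-01-15T15:00:00", "Computer": "WS03", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\Temp\\late.exe", "CommandLine": "late.exe"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Scenarios 2 and 3 produce alerts; 1 is suppressed by the baseline, 4 fails the write-bit check, and 5 falls outside the window. The command-line match in scenario 3 is what keeps the logic from being limited to the named example binaries: any process that references the dropped file is a candidate, so tuning should happen on the baseline and window rather than on the process name.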
Mitigation priorities
- Establish and document approved remote administration and software deployment patterns so detection teams have a baseline.
- Restrict and monitor use of administrative shares and privileged remote access on Windows systems according to operational need.
- Ensure endpoint and Windows logging policies capture process creation and relevant file activity needed for correlation.
- Use detection engineering and incident response exercises to test whether remote write-then-execute behavior triggers triage with sufficient context.
- Review exceptions regularly so legacy admin workflows do not become permanent blind spots.
Analyst notes and limits
The supplied object is a detection analytic for Windows. It provides a behavioral description but no official detection query, tactics, related techniques, procedures, or mitigations. The strongest use is as a validation prompt for SOC telemetry coverage and correlation logic around SMB/Admin$ file transfer followed by execution.
This take is limited to the official STIX fields, the MITRE external reference, and the absence of relationship context. It does not assert active exploitation, specific threat actors, affected products beyond Windows, or guaranteed detection coverage. Local environment baselines are required to determine what is suspicious versus authorized administration.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2be739494c13… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0516 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.