AN0540: Analytic 0540
Detection of known tools or malware flagged by antivirus, followed by a near-term drop of a similar binary with modified signature and resumed activity (execution, C2, or persistence).
Analyst context for executives and security teams
AN0540 describes a Windows-focused detection analytic for a common defender problem: antivirus flags a known tool or malware, but shortly afterward a similar binary appears with a changed signature and activity resumes. For security leaders, the value is not the initial antivirus alert alone; it is whether the SOC can recognize rapid retooling or repackaging after a block and treat the follow-on activity as part of the same incident.
Executive priority
Prioritize this analytic where business resilience depends on quickly confirming whether containment worked. A single malware or tool detection may look closed, but a near-term modified binary with renewed execution, command-and-control, or persistence can indicate the adversary or toolset adapted around the control. Leaders should ask whether endpoint security, SOC workflows, and incident response playbooks correlate antivirus detections with subsequent file creation, execution, persistence, and network activity on the same Windows host or identity context.
Technical view
Validate the ability to correlate antivirus detections of known tools or malware with near-term drops of similar binaries and resumed activity on Windows. Since the official object provides no detection logic, teams should define local correlation windows, similarity criteria, and activity triggers. Useful validation points include: whether the original alert, the later binary event, and follow-on execution/C2/persistence evidence can be linked into one case; whether benign software updates or security tool remediation actions create false positives; and whether alert triage distinguishes a blocked event from a failed containment scenario.
Likely telemetry
- Antivirus or endpoint protection detections for known tools or malware on Windows
- File creation or binary drop events after the initial detection
- Process execution telemetry for the newly dropped or modified binary
- Network connection telemetry that could indicate resumed command-and-control activity
- Persistence-related telemetry such as service, scheduled task, startup, or registry changes where collected
Detection direction
- Correlate initial antivirus detections with subsequent similar binary drops on the same Windows host or related user context.
- Tune correlation timing carefully: too short may miss delayed retries; too long may produce unrelated matches.
- Define what counts as a “similar binary” using available local evidence, such as filename patterns, path reuse, hash changes, signer metadata, size, or behavioral similarity, without relying on one attribute alone.
- Escalate when the later binary is followed by execution, C2-like network activity, or persistence evidence.
- Review false positives from legitimate software updates, quarantined-file restoration, endpoint remediation activity, and security testing tools.
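The correlation described above, worked through as an added example (not code from the ATT&CK object or from Glexia): an antivirus detection is paired with a near-term drop of a similar binary on the same host, similarity requires a changed hash plus at least two other attributes, and the alert is graded by follow-on execution, C2-like network activity, or persistence. The 60-minute window, the 15% size tolerance, the four-character filename-prefix rule, the event schema and all sample hosts, paths, hashes and addresses are assumptions constructed for the example; a quarantine restore with an unchanged hash is included to show the false-positive case.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
WINDOW = timedelta(minutes=60)  # local correlation window; an assumption to tune per environment
EVENTS = [  # constructed sample telemetry: hosts, paths, hashes, pids and addresses are placeholders
    {"t": "2024-01-10T09:00:00", "host": "WS01", "kind": "av_detect", "path": r"C:\Users\a\AppData\Local\Temp\mimi.exe", "sha256": "aaa1", "size": 1_200_000},
    {"t": "2024-01-10T09:12:00", "host": "WS01", "kind": "file_create", "path": r"C:\Users\a\AppData\Local\Temp\mimi2.exe", "sha256": "bbb2", "size": 1_203_000},
    {"t": "2024-01-10T09:13:00", "host": "WS01", "kind": "proc_exec", "path": r"C:\Users\a\AppData\Local\Temp\mimi2.exe", "pid": 4242},
    {"t": "2024-01-10T09:14:00", "host": "WS01", "kind": "net_conn", "pid": 4242, "dst": "203.0.113.5:443"},
    # Quarantine restore on WS02: the same hash reappears, so it is not a modified binary and must not alert.
    {"t": "2024-01-10T09:20:00", "host": "WS02", "kind": "av_detect", "path": r"C:\Tools\psexec.exe", "sha256": "ccc3", "size": 500_000},
    {"t": "2024-01-10T09:25:00", "host": "WS02", "kind": "file_create", "path": r"C:\Tools\psexec.exe", "sha256": "ccc3", "size": 500_000},
]

ts = lambda e: datetime.fromisoformat(e["t"])  # event timestamp as datetime

def similar(det, drop):
    """A changed hash plus at least two independent attributes; no single attribute decides."""
    if drop["sha256"] == det["sha256"]:
        return False
    a, b = PureWindowsPath(det["path"]), PureWindowsPath(drop["path"])
    same_dir = a.parent == b.parent
    name_like = a.stem[:4].lower() == b.stem[:4].lower()
    size_like = abs(drop["size"] - det["size"]) <= 0.15 * det["size"]
    return sum((same_dir, name_like, size_like)) >= 2

def follow_on(drop, events):
    """Execution, C2-like connection, or persistence tied to the dropped binary after it appeared."""
    path, pids, evidence = drop["path"].lower(), set(), []
    for e in events:
        if e["host"] != drop["host"] or not (ts(drop) < ts(e) <= ts(drop) + WINDOW):
            continue
        if e["kind"] == "proc_exec" and e["path"].lower() == path:
            pids.add(e["pid"])
            evidence.append("execution")
        elif e["kind"] == "net_conn" and e.get("pid") in pids:
            evidence.append("c2_like_network")
        elif e["kind"] == "persistence" and path in e.get("target", "").lower():
            evidence.append("persistence")
    return evidence

def correlate(events):
    # Pair each AV detection with near-term similar drops on the same host; grade by follow-on activity.
    events, alerts = sorted(events, key=ts), []
    for det in (e for e in events if e["kind"] == "av_detect"):
        for drop in (e for e in events if e["kind"] == "file_create" and e["host"] == det["host"]):
            if ts(det) < ts(drop) <= ts(det) + WINDOW and similar(det, drop):
                ev = follow_on(drop, events)
                alerts.append({"host": det["host"], "original": det["path"], "modified": drop["path"],
                               "severity": "high" if ev else "medium", "evidence": ev})
    return alerts
```

Running `correlate(EVENTS)` yields one high-severity alert for WS01 with execution and C2-like evidence, and nothing for the WS02 restore.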
Mitigation priorities
- Ensure antivirus and endpoint protection alerts are integrated into SOC correlation and incident response workflows rather than handled as isolated events.
- Strengthen endpoint containment procedures so a malware/tool detection triggers validation for follow-on execution, persistence, and network activity.
- Maintain collection of Windows endpoint telemetry needed to connect file drops, process activity, and security product alerts.
- Use incident response playbooks that require analysts to verify whether a modified binary appeared after the initial detection before closing the case.
- Use findings from repeated modified-binary events to inform control tuning, hardening priorities, and executive reporting on containment effectiveness.
Analyst notes and limits
This object is a detection analytic, not a technique or procedure. It is scoped to Windows and describes a behavior pattern: antivirus detection followed by a near-term modified binary and resumed activity. No ATT&CK tactics, relationships, or official detection logic were supplied, so implementation must be based on local telemetry, correlation capability, and incident response requirements.
The supplied ATT&CK fields do not provide analytic logic, data components, relationship context, adversary attribution, impact details, or evidence of active exploitation. Coverage and priority should be validated against the organization’s Windows endpoint visibility, endpoint protection configuration, and SOC correlation rules.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f9761dcecba4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0540 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.