MITRE ATT&CK® Analytic

AN0602: Analytic 0602

High-frequency file write operations using uncommon extensions, followed by ransom note creation, registry tampering, or shadow copy deletion. Often uses CLI tools like vssadmin, wbadmin, cipher, or PowerShell.

Domain: Enterprise | ID: AN0602 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is about spotting ransomware-like file system behavior on Windows: many rapid file writes with unusual extensions, followed by signs such as ransom note creation, registry tampering, or shadow copy deletion. Its business value is early recognition of activity that can threaten continuity and recovery, especially before backup options are weakened or encrypted data spreads further.

Executive priority

Prioritize this as a resilience and incident-decision analytic, not just a malware alert. Leaders should ask whether Windows endpoints and servers generate enough file, process, registry, and backup-related telemetry to prove this behavior would be seen quickly, and whether response teams have authority to isolate affected systems when these signals appear together. It is especially relevant to backup recoverability, SOC readiness, and evidence for ransomware preparedness exercises.

Technical view

For Windows environments, validate whether the SOC can correlate high-frequency file write activity using uncommon extensions with follow-on indicators such as ransom note creation, registry changes, or shadow copy deletion. The supplied analytic description also names CLI tools commonly associated with recovery disruption or bulk operations: vssadmin, wbadmin, cipher, and PowerShell. Because no official detection logic is provided, teams should treat this as a detection design requirement and test correlation quality, timing, and false-positive handling in their own telemetry stack.

Likely telemetry

  • Windows endpoint file write/create/rename events, including file extension and write frequency where available
  • Process creation telemetry for command-line tools such as vssadmin, wbadmin, cipher, and PowerShell
  • Command-line arguments for Windows process executions
  • Registry modification events
  • Shadow copy or backup-related administrative events

Detection direction

  • Validate correlation across multiple behaviors rather than alerting only on one event, because high-volume file writes or administrative tools can be legitimate in isolation.
  • Baseline expected high-frequency file operations from backup agents, software deployment tools, data processing jobs, compression utilities, and administrative scripts to reduce false positives.
  • Tune for uncommon or newly appearing file extensions at scale, especially when followed by note creation, registry tampering, or shadow copy deletion.
  • Confirm that process telemetry includes full command lines for vssadmin, wbadmin, cipher, and PowerShell executions on Windows systems.
  • Test whether detection latency is short enough to support containment decisions before widespread data modification or recovery impairment.
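As an added illustration that is not part of the ATT&CK object or of Glexia's analysis, the Python below sketches the correlation the bullets above call for: a burst of uncommon-extension file writes by one process, alerting only when a follow-on indicator (a file name fanned out across directories, a recovery tool invoked with a delete command, or a registry change) follows on the same host. The telemetry is constructed; the common-extension set, the baselined process list, the thresholds and the 60-second window are assumptions to tune against local baselines.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

COMMON_EXT = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".log", ".tmp", ".bak"}  # assumed local baseline
BASELINE_PROCS = {"backupagent.exe"}  # assumed legitimate bulk writers; tune per environment
RECOVERY_TOOLS = {"vssadmin.exe", "wbadmin.exe", "cipher.exe", "powershell.exe"}
WINDOW, WRITE_THRESHOLD, NOTE_MIN_DIRS = timedelta(seconds=60), 20, 3  # assumed tuning values

def write_burst(writes):  # densest WINDOW of uncommon-extension writes: (count, window start)
    times = sorted(datetime.fromisoformat(e["ts"]) for e in writes
                   if PureWindowsPath(e["path"]).suffix.lower() not in COMMON_EXT)
    return max(((sum(t0 <= t <= t0 + WINDOW for t in times), t0) for t0 in times),
               key=lambda c: c[0], default=(0, None))  # first max = earliest start

def follow_on_indicators(host_events, since):  # indicators on the host at or after the burst start
    hits, note_dirs = set(), defaultdict(set)
    for e in (e for e in host_events if datetime.fromisoformat(e["ts"]) >= since):
        if e["type"] == "file_write":  # same file name dropped into many directories -> note fan-out
            note_dirs[PureWindowsPath(e["path"]).name.lower()].add(PureWindowsPath(e["path"]).parent)
        elif e["type"] == "process" and e["proc"] in RECOVERY_TOOLS and "delete" in e["cmdline"].lower():
            hits.add("recovery_tool:" + e["proc"])
        elif e["type"] == "registry":
            hits.add("registry_modification")
    if any(len(d) >= NOTE_MIN_DIRS for d in note_dirs.values()):
        hits.add("ransom_note_fanout")
    return hits

def detect(events):  # alert only when a burst AND a follow-on co-occur; one signal alone never alerts
    by_host, writes = defaultdict(list), defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
        if e["type"] == "file_write" and e["proc"] not in BASELINE_PROCS:
            writes[(e["host"], e["proc"])].append(e)
    alerts = []
    for (host, proc), ws in writes.items():
        count, start = write_burst(ws)
        ind = follow_on_indicators(by_host[host], start) if count >= WRITE_THRESHOLD else set()
        if ind:
            alerts.append({"host": host, "proc": proc, "uncommon_writes": count, "indicators": sorted(ind)})
    return alerts

def sample_events():  # constructed telemetry, not real logs: one ransomware-like host, two benign patterns
    ev = lambda s, host, proc, **kw: {"ts": f"2024-01-01T09:00:{s:02d}", "host": host, "proc": proc, **kw}
    evs = [ev(i, "WS01", "unknown.exe", type="file_write", path=rf"C:\Users\a\Docs\f{i}.lkd7") for i in range(25)]
    evs += [ev(30, "WS01", "unknown.exe", type="file_write", path=rf"C:\Users\a\{d}\RESTORE_FILES.txt") for d in ("Docs", "Pictures", "Desktop")]
    evs += [ev(35, "WS01", "vssadmin.exe", type="process", cmdline="vssadmin.exe delete shadows /all"), ev(36, "WS01", "unknown.exe", type="registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")]
    evs += [ev(i, "SRV02", "backupagent.exe", type="file_write", path=rf"D:\bak\f{i}.bk9") for i in range(60)]  # baselined writer
    evs += [ev(i, "WS03", "build.exe", type="file_write", path=rf"C:\build\o{i}.obj7") for i in range(25)]  # burst, no follow-on
    return evs
```

Running `detect(sample_events())` raises one alert for WS01 only: the baselined backup agent on SRV02 is ignored and the uncommon-extension burst on WS03 stays silent because no follow-on indicator accompanies it.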

Mitigation priorities

  • Ensure critical Windows systems have endpoint monitoring capable of capturing file, process, registry, and backup-related events needed for this analytic.
  • Harden and monitor administrative access to backup and recovery functions, including shadow copy management.
  • Review least-privilege controls for users and service accounts that can modify large volumes of files or alter recovery settings.
  • Maintain offline, immutable, or otherwise protected backups and validate restore procedures through exercises.
  • Create incident response playbooks for rapid triage and isolation when mass file modification and recovery-disruption signals are observed together.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a technique, and it has no tactics or relationships supplied. The description supports ransomware-behavior-oriented defensive validation on Windows, centered on mass file writes, uncommon extensions, ransom note creation, registry tampering, shadow copy deletion, and related command-line tools.

Official detection logic is not provided, and no relationship context is supplied. This take does not assert active exploitation, attribution, impact, or existing coverage. Local telemetry availability, baselines, and response procedures are required to determine whether the analytic is effective in a specific environment.

Official MITRE ATT&CK definition

Analytic 0602

High-frequency file write operations using uncommon extensions, followed by ransom note creation, registry tampering, or shadow copy deletion. Often uses CLI tools like vssadmin, wbadmin, cipher, or PowerShell.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 018f84eeff9d7624...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 018f84eeff9d…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0602

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.