AN0630: Analytic 0630
Detects behavior where files with non-executable or misleading extensions (e.g., .jpg, .txt) are created or modified but subsequently executed as binaries based on internal file headers or abnormal parent process lineage. This includes identifying polyglot files or malformed magic bytes indicative of masquerading attempts.
Analyst context for executives and security teams
AN0630 is a Windows detection analytic focused on a practical evasion problem: files that look harmless by extension, such as .jpg or .txt, but are later executed as binaries or show suspicious internal file headers. For leaders, the value is not the filename trick itself; it is whether the organization can prove that endpoint and SOC telemetry can connect file creation or modification events to later execution behavior.
Executive priority
Prioritize this analytic as evidence of resilience against masquerading and weak file-trust assumptions. It helps security leaders ask whether Windows endpoint monitoring can detect when business users, scripts, or processes execute content that does not match its apparent file type. This is relevant to incident triage, compliance evidence for monitoring controls, and control decisions around endpoint visibility, application control, and investigation readiness.
Technical view
Validate on Windows telemetry that file creation or modification events can be correlated with later process execution. The analytic depends on identifying mismatches between file extension and executable content, suspicious magic bytes or internal file headers, polyglot or malformed files, and abnormal parent process lineage. Because no official ATT&CK detection logic is supplied, SOC teams should treat this as a detection design requirement rather than a ready rule.
Likely telemetry
- Windows process creation telemetry, including command line, image path, parent process, and user context
- File creation and file modification events with full path, extension, hashes, and timestamps
- File metadata or content-inspection results that expose magic bytes, internal headers, or executable file type
- Endpoint security or EDR events that link file write activity to subsequent process execution
- Alert and investigation context for unusual parent-child process relationships
Detection direction
- Confirm telemetry can correlate the same file from creation or modification through later execution.
- Tune for extension-to-content mismatch, such as non-executable or misleading extensions whose headers indicate executable content.
- Review parent process lineage for unusual launch chains rather than relying only on file extension or filename.
- Account for benign false positives from administrative tools, test harnesses, packaging tools, or security research activity that may create unusual file/header combinations.
- Identify blind spots where file content inspection, process lineage, or historical file-write context is missing.
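The technical view and the detection-direction steps above describe a correlation: link a file write to a later process launch of the same path, compare what the extension claims against what the header contains, and use parent lineage to weight the result. The following is an added illustration, not detection logic from MITRE or Glexia. The event shapes, the small magic-byte table, the expected-parent baseline and all sample events are constructed assumptions; a real deployment would read these from EDR or Sysmon telemetry and tune the baseline locally.

```python
"""Toy correlation of Windows file-write and process-create telemetry that flags
files whose extension disagrees with their executable content (the AN0630
extension-to-header mismatch). Added example; schema, magic table and baseline
are assumptions, not any vendor's or MITRE's."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath

# Leading bytes -> content type. Assumes the sensor exposes the first bytes of each written file.
MAGIC = [
    (b"MZ", "pe"),                      # DOS/PE executable header
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
]
# What the extension claims the content is.
EXT_EXPECT = {
    ".exe": "pe", ".dll": "pe", ".scr": "pe", ".sys": "pe",
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".pdf": "pdf",
    ".txt": "text", ".log": "text",
}
EXEC_TYPES = {"pe"}
EXEC_EXTS = {ext for ext, kind in EXT_EXPECT.items() if kind in EXEC_TYPES}
# Hypothetical baseline of parents that normally launch newly written binaries.
EXPECTED_PARENTS = {"explorer.exe", "services.exe", "msiexec.exe"}


@dataclass
class FileWrite:
    ts: datetime
    path: str
    head: bytes          # first bytes of the file as reported by the sensor


@dataclass
class ProcessCreate:
    ts: datetime
    image: str
    parent_image: str
    user: str


def header_type(head: bytes) -> str:
    """Classify content by magic bytes; printable ASCII counts as text."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    if head and all(32 <= b < 127 or b in b"\r\n\t" for b in head):
        return "text"
    return "unknown"


def classify_write(fw: FileWrite) -> dict:
    """Compare the extension's claim with the header's content type."""
    ext = ntpath.splitext(fw.path)[1].lower()
    claimed, actual = EXT_EXPECT.get(ext, "unknown"), header_type(fw.head)
    known = claimed != "unknown" and actual != "unknown"
    return {"path": fw.path, "ext": ext, "claimed": claimed, "actual": actual,
            "mismatch": known and claimed != actual,
            "executable_content": actual in EXEC_TYPES}


def correlate(writes, procs, window=timedelta(hours=24)) -> list:
    """Tie each process launch to the latest prior write of the same path and score it."""
    by_path = {}
    for fw in sorted(writes, key=lambda w: w.ts):
        by_path.setdefault(ntpath.normcase(fw.path), []).append(fw)
    alerts = []
    for pc in procs:
        prior = [w for w in by_path.get(ntpath.normcase(pc.image), [])
                 if w.ts <= pc.ts <= w.ts + window]
        if not prior:
            continue                      # no write context: a visibility gap, not a hit
        info = classify_write(prior[-1])
        reasons = []
        if info["ext"] not in EXEC_EXTS:
            reasons.append("non_executable_extension_executed")
        if info["mismatch"]:
            reasons.append("extension_header_mismatch")
        if not reasons:
            continue                      # correctly named binaries are not alerted on here
        unusual = ntpath.basename(pc.parent_image).lower() not in EXPECTED_PARENTS
        alerts.append({**info, "parent": pc.parent_image, "user": pc.user,
                       "reasons": reasons, "severity": "high" if unusual else "medium"})
    return alerts


def run_example() -> list:
    """Constructed sample telemetry: one masquerade, one benign image, one normal install."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    writes = [
        FileWrite(t0, r"C:\Users\alice\Pictures\holiday.jpg", b"MZ\x90\x00\x03"),
        FileWrite(t0, r"C:\Users\alice\Pictures\cat.jpg", b"\xff\xd8\xff\xe0"),
        FileWrite(t0, r"C:\Tools\setup.exe", b"MZ\x90\x00\x03"),
    ]
    procs = [
        ProcessCreate(t0 + timedelta(minutes=5), r"C:\Users\alice\Pictures\HOLIDAY.JPG",
                      r"C:\Windows\System32\cmd.exe", "CORP\\alice"),
        ProcessCreate(t0 + timedelta(minutes=6), r"C:\Tools\setup.exe",
                      r"C:\Windows\explorer.exe", "CORP\\alice"),
        ProcessCreate(t0 + timedelta(minutes=7), r"C:\Windows\System32\notepad.exe",
                      r"C:\Windows\explorer.exe", "CORP\\alice"),
    ]
    return correlate(writes, procs)


if __name__ == "__main__":
    for a in run_example():
        print(a["severity"], a["path"], a["reasons"], "parent:", a["parent"])
```

The path lookup is case-insensitive because NTFS paths are; the missing-write case is skipped rather than alerted, which is the blind spot the last step asks teams to identify, and the parent baseline only raises severity so that the false-positive tuning in the fourth step can be done by editing one set.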
Mitigation priorities
- Ensure Windows endpoint logging and EDR coverage captures both file activity and process execution context.
- Use application control or execution policy controls where appropriate to reduce execution of untrusted or misleadingly named files.
- Harden investigation playbooks so analysts verify file headers, hashes, parent processes, and user context during triage.
- Preserve endpoint evidence needed to link file write events to execution events for incident response and audit support.
- Review exceptions carefully so business workflows do not normalize execution from misleading file types without documented justification.
Analyst notes and limits
This object is a detection analytic, not a technique, and no tactic mapping or relationship context was supplied. The most important defensive question is whether local telemetry can prove a mismatch between appearance, content, and execution behavior on Windows systems.
The official detection field is not provided, and there are no supplied relationships to techniques, software, groups, or mitigations. This analysis therefore avoids claims about adversary use, active exploitation, or guaranteed coverage. Local validation is required to determine whether the analytic is feasible with existing endpoint telemetry.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 22fca64855b3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0630
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.