MITRE ATT&CK® Analytic

AN0651: Analytic 0651

Detect the creation or modification of common media file formats (e.g., .jpg, .png, .wav) following suspicious process activity like compression or encryption, especially when paired with lateral movement or exfiltration behavior.

Enterprise · AN0651 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is relevant because unusual creation or modification of common media files on Windows, especially after suspicious compression or encryption activity, can be a weak but useful signal of staging, concealment, or preparation for data movement. For leaders, the value is not the file extension itself; it is whether the organization can correlate endpoint file activity with process behavior, lateral movement indicators, and possible exfiltration evidence quickly enough to support incident decisions.

Executive priority

Treat this as a coverage and correlation question for SOC and incident response readiness. Executives should ask whether Windows endpoint telemetry can show when media files are created or changed by unusual processes, whether that activity can be tied to compression/encryption behavior, and whether the SOC can connect it with lateral movement or exfiltration signals. This helps prioritize logging, endpoint visibility, and investigation workflows rather than relying on a single alert type that may be noisy.

Technical view

On Windows, validate the ability to detect creation or modification of common media file formats such as .jpg, .png, and .wav after suspicious process activity involving compression or encryption. Because no ATT&CK tactic or detailed detection logic is supplied, this should be implemented as a correlation analytic rather than a standalone extension match. SOC teams should tune around process lineage, timing, user context, host role, volume of file changes, and co-occurring lateral movement or exfiltration behavior where available.

Likely telemetry

  • Windows endpoint file creation and modification events
  • Process execution and process lineage telemetry
  • Command-line or process metadata related to compression or encryption utilities
  • User, host, and timestamp context for affected files
  • Network, authentication, or endpoint signals that may indicate lateral movement

Detection direction

  • Do not alert solely on creation of .jpg, .png, .wav, or similar files; validate suspicious parent process, sequence, volume, and timing.
  • Correlate media file changes with preceding compression or encryption activity on the same host or user session.
  • Increase priority when the same investigation also includes lateral movement or exfiltration-related telemetry, as described by the analytic.
  • Tune expected business workflows such as media production, image processing, audio tools, backups, and legitimate archiving to reduce false positives.
  • Confirm whether endpoint logging captures file modification events, not just process creation, because missing file telemetry is a likely blind spot.
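The correlation rule sketched in the Technical view and Detection direction bullets above, written out as an added example (Glexia and MITRE publish no detection code for this analytic, so none of this is theirs). It assumes a normalized endpoint event stream with host, user, timestamp, acting process and a file path or command line; the utility list, the approved-writer allowlist, the 15-minute window and the three-file threshold are placeholders to be replaced by local baselining. Media-file writes on their own never fire; a finding needs a preceding compression or encryption process in the same host and user session, enough non-allowlisted media writes inside the window, and is raised to high only when a lateral-movement signal on the same host falls inside the window.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extensions named by the analytic plus common neighbours (constructed list; tune locally).
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".wav", ".mp3", ".mp4"}
# Compression/encryption utilities whose execution is the "suspicious process activity"
# that must precede the media writes. Constructed list; replace with what you see locally.
TRANSFORM_TOOLS = {"7z.exe", "rar.exe", "winrar.exe", "zip.exe", "gpg.exe", "openssl.exe"}
# Approved workflows that legitimately write media (the page's tuning advice). Constructed.
APPROVED_MEDIA_WRITERS = {"photoshop.exe", "audacity.exe", "backupagent.exe"}


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str       # "process", "file", or "lateral"
    process: str    # lower-case image name of the acting process ("" for lateral signals)
    detail: str     # command line (process), file path (file), or description (lateral)


@dataclass
class Finding:
    host: str
    user: str
    trigger: Event                  # the compression/encryption process event
    media_files: list = field(default_factory=list)
    lateral: bool = False           # lateral-movement signal on the host inside the window

    @property
    def severity(self) -> str:
        return "high" if self.lateral else "medium"


def is_media_path(path: str) -> bool:
    return PureWindowsPath(path).suffix.lower() in MEDIA_EXTENSIONS


def correlate(events, window=timedelta(minutes=15), min_files=3):
    """One Finding per compression/encryption process that is followed, within `window`
    in the same host/user session, by at least `min_files` media writes from processes
    outside the allowlist. Media writes with no such trigger produce nothing."""
    sessions = defaultdict(list)
    laterals_by_host = defaultdict(list)
    for e in events:
        if e.kind == "lateral":
            laterals_by_host[e.host].append(e)
        else:
            sessions[(e.host, e.user)].append(e)

    findings = []
    for (host, user), session in sessions.items():
        session.sort(key=lambda e: e.ts)
        for i, trig in enumerate(session):
            if trig.kind != "process" or trig.process not in TRANSFORM_TOOLS:
                continue
            deadline = trig.ts + window
            media = [e for e in session[i + 1:]
                     if e.kind == "file" and e.ts <= deadline
                     and is_media_path(e.detail)
                     and e.process not in APPROVED_MEDIA_WRITERS]
            if len(media) < min_files:
                continue
            lateral = any(abs(l.ts - trig.ts) <= window for l in laterals_by_host[host])
            findings.append(Finding(host, user, trig, media, lateral))
    return findings


def _t(hhmm: str) -> datetime:
    return datetime(2026, 1, 15, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    # WS01/alice: archiver run, three media writes by a shell, then a remote logon signal.
    Event(_t("09:00"), "WS01", "alice", "process", "7z.exe", "7z.exe a stage.7z C:\\Users\\alice\\Documents"),
    Event(_t("09:02"), "WS01", "alice", "file", "cmd.exe", "C:\\Users\\alice\\Pictures\\IMG_001.jpg"),
    Event(_t("09:03"), "WS01", "alice", "file", "cmd.exe", "C:\\Users\\alice\\Pictures\\IMG_002.png"),
    Event(_t("09:04"), "WS01", "alice", "file", "cmd.exe", "C:\\Users\\alice\\Music\\track.wav"),
    Event(_t("09:06"), "WS01", "", "lateral", "", "network logon to WS01 from WS07"),
    # WS02/bob: archiver run, but the only media write comes from an approved editor.
    Event(_t("10:00"), "WS02", "bob", "process", "7z.exe", "7z.exe a photos.7z C:\\Users\\bob\\Pictures"),
    Event(_t("10:01"), "WS02", "bob", "file", "photoshop.exe", "C:\\Users\\bob\\Pictures\\edit.jpg"),
    Event(_t("10:02"), "WS02", "bob", "file", "winword.exe", "C:\\Users\\bob\\Documents\\notes.docx"),
    # WS03/carol: many media writes with no preceding compression/encryption activity.
    Event(_t("11:00"), "WS03", "carol", "file", "explorer.exe", "C:\\Users\\carol\\Pictures\\a.jpg"),
    Event(_t("11:01"), "WS03", "carol", "file", "explorer.exe", "C:\\Users\\carol\\Pictures\\b.jpg"),
    Event(_t("11:02"), "WS03", "carol", "file", "explorer.exe", "C:\\Users\\carol\\Pictures\\c.jpg"),
    Event(_t("11:03"), "WS03", "carol", "file", "explorer.exe", "C:\\Users\\carol\\Pictures\\d.png"),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f.severity.upper()} {f.host}/{f.user}: {f.trigger.process} at {f.trigger.ts:%H:%M} "
              f"followed by {len(f.media_files)} media writes; lateral signal: {f.lateral}")
```

Run against the sample, only WS01/alice produces a finding, at high severity: WS02 is suppressed by the allowlist and WS03 never had a trigger, which is the point of the first Detection direction bullet. The last bullet still applies: if the endpoint agent does not emit file-modification events at all, `kind == "file"` never appears and the rule is silent, so validate that telemetry before trusting a quiet dashboard.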

Mitigation priorities

  • Prioritize endpoint telemetry coverage on Windows systems where sensitive data is handled.
  • Ensure SOC workflows can correlate file activity, process behavior, authentication, and network transfer evidence during investigations.
  • Review control coverage for unauthorized compression, encryption, and unusual file transformation activity in high-risk environments.
  • Use allowlisting or policy controls where appropriate for approved compression, encryption, and media-processing tools, while monitoring exceptions.
  • Maintain incident response playbooks that guide analysts from suspicious file activity to host containment, scoping, and evidence preservation decisions.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a technique, and it has no relationship context, no specified tactic, and no official detection logic beyond the description. The strongest use is as a prompt to validate correlation coverage across Windows file, process, lateral movement, and exfiltration telemetry.

This take is limited to the official fields provided. It does not establish adversary attribution, active exploitation, business impact, or guaranteed detection. Local baselining is required because common media file creation is frequent in many environments and can produce substantial false positives without process and behavioral context.

Official MITRE ATT&CK definition

Analytic 0651

Detect the creation or modification of common media file formats (e.g., .jpg, .png, .wav) following suspicious process activity like compression or encryption, especially when paired with lateral movement or exfiltration behavior.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release:  19.1
Object version:  1.0
Created:
Modified:
Raw hash:        fc003c4011c854d6...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | fc003c4011c8…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0651 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.