AN0712: Analytic 0712
Detects extraction or mounting of container/archive files (e.g., .iso, .vhd, .zip) that originated from the Internet but whose contained files lack Zone.Identifier MOTW tagging. Correlates file creation metadata with subsequent execution of unsigned or untrusted binaries launched outside SmartScreen or Protected View.
Analyst context for executives and security teams
This analytic matters because Internet-delivered archives and disk images can break expected Windows safety signals: the outer file may have Mark-of-the-Web context, while extracted or mounted contents may not. For leaders, the practical issue is whether security controls and SOC workflows can still recognize untrusted software when user-facing protections such as SmartScreen or Protected View are not in the execution path.
Executive priority
Prioritize this as a Windows endpoint and user-risk validation item. It supports decisions around endpoint telemetry quality, managed detection coverage, incident response triage, and audit evidence for handling untrusted Internet-sourced content. Executives should ask whether the organization can prove it collects file origin, archive or container handling, code trust, and process execution evidence well enough to investigate this behavior.
Technical view
For SOC and detection engineering, validate correlation across three evidence points: creation or download of Internet-originated container/archive files such as .iso, .vhd, or .zip; extraction or mounting activity where contained files lack Zone.Identifier Mark-of-the-Web tagging; and later execution of unsigned or untrusted binaries outside SmartScreen or Protected View. Because no official detection logic is supplied, implementation should be environment-specific and carefully tested for normal software distribution, admin tooling, and helpdesk workflows.
Likely telemetry
- Windows file creation metadata, including file path, extension, timestamps, and origin indicators where available
- Zone.Identifier / Mark-of-the-Web alternate data stream presence or absence for downloaded files and extracted contents
- Archive extraction and disk image mounting events involving .iso, .vhd, .zip, or similar container formats
- Process execution telemetry for binaries launched from extracted or mounted locations
- Code signing or trust metadata for executed binaries
Detection direction
- Confirm that endpoint telemetry preserves Mark-of-the-Web context for both the container/archive and the resulting files.
- Tune correlation to focus on Internet-originated containers followed by execution of unsigned or untrusted binaries, rather than archive extraction alone.
- Review false positives from legitimate software installers, developer workflows, IT administration packages, and business-approved compressed downloads.
- Validate visibility into mounted image paths and extracted temporary directories, which are common collection blind spots.
- Use this analytic as a coverage test for Windows endpoint logging and managed detection workflows rather than assuming the ATT&CK object provides ready-to-deploy logic.
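As an added illustration, not code from the ATT&CK object or from Glexia, the following Python correlates the three evidence points (Internet-origin container, mount or extraction whose contents lack Mark-of-the-Web, later unsigned execution from that location) over constructed endpoint events. The event schema (type, zone_id, source, dest, signed) is assumed, since the page supplies none.

```python
# Added example (not part of the ATT&CK object): correlates the three evidence
# points of AN0712 over constructed endpoint events. Field names are assumptions.
ZONE_INTERNET = 3                       # ZoneId=3 in the Zone.Identifier stream
CONTAINERS = (".iso", ".vhd", ".zip")   # container/archive types named by the analytic

def correlate(events, window_s=3600):
    """Return alerts for unsigned binaries run from an Internet-sourced container
    whose mounted/extracted contents carry no Mark-of-the-Web."""
    # 1. Container/archive files created with Internet origin (ZoneId=3).
    containers = {e["path"].lower(): e["ts"] for e in events
                  if e["type"] == "file_create"
                  and e["path"].lower().endswith(CONTAINERS)
                  and e.get("zone_id") == ZONE_INTERNET}
    # 2. Mount or extraction of one of those containers -> destination root.
    roots = {e["dest"].lower().rstrip("\\") + "\\": (e["source"], e["ts"])
             for e in events if e["type"] in ("mount", "extract")
             and e["source"].lower() in containers}
    # 3. Zone.Identifier state of every created file (None = no MOTW stream).
    zone = {e["path"].lower(): e.get("zone_id")
            for e in events if e["type"] == "file_create"}
    # 4. Unsigned execution from a mounted/extracted root inside the time window.
    alerts = []
    for e in events:
        if e["type"] != "process_start" or e.get("signed"):
            continue
        image = e["image"].lower()
        for root, (source, mount_ts) in roots.items():
            if (image.startswith(root) and zone.get(image) != ZONE_INTERNET
                    and 0 <= e["ts"] - mount_ts <= window_s):
                alerts.append({"image": e["image"], "container": source,
                               "reason": "unsigned binary without MOTW from Internet-sourced container"})
    return alerts

# Constructed sample telemetry: one suspicious chain and one benign chain.
SAMPLE_EVENTS = [
    # suspicious: .iso downloaded (ZoneId=3), mounted, unsigned exe inside has no MOTW
    {"type": "file_create", "ts": 1000, "path": r"C:\Users\u\Downloads\invoice.iso", "zone_id": 3},
    {"type": "mount", "ts": 1010, "source": r"C:\Users\u\Downloads\invoice.iso", "dest": "E:\\"},
    {"type": "file_create", "ts": 1010, "path": r"E:\invoice.exe", "zone_id": None},
    {"type": "process_start", "ts": 1020, "image": r"E:\invoice.exe", "signed": False},
    # benign: .zip downloaded, extractor propagated MOTW, and the binary is signed
    {"type": "file_create", "ts": 2000, "path": r"C:\Users\u\Downloads\tool.zip", "zone_id": 3},
    {"type": "extract", "ts": 2005, "source": r"C:\Users\u\Downloads\tool.zip", "dest": r"C:\Users\u\Downloads\tool"},
    {"type": "file_create", "ts": 2005, "path": r"C:\Users\u\Downloads\tool\setup.exe", "zone_id": 3},
    {"type": "process_start", "ts": 2010, "image": r"C:\Users\u\Downloads\tool\setup.exe", "signed": True},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The benign chain shows why extraction alone must not fire: the extractor propagated ZoneId=3 and the binary is signed, so SmartScreen stays in the execution path.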
Mitigation priorities
- Strengthen controls and user guidance for handling Internet-downloaded archives and disk images on Windows.
- Ensure endpoint protection and application control policies evaluate binaries executed from extracted or mounted locations, not only from browsers or email viewers.
- Preserve and monitor file origin metadata where feasible so IR teams can reconstruct whether content came from the Internet.
- Reduce reliance on a single protection layer such as SmartScreen or Protected View by validating downstream execution controls and alerting.
- Document telemetry and control coverage as compliance or audit evidence for untrusted content handling.
Analyst notes and limits
This object is a detection analytic for Windows in the enterprise ATT&CK domain. The supplied ATT&CK fields describe the analytic intent but do not include formal detection logic, tactics, relationships, procedures, or mitigations. The strongest use is as a validation prompt for endpoint telemetry correlation and SOC triage readiness.
No relationship context, official detection implementation, tactics, threat actor linkage, or exploitation claims were supplied. Local logging configuration, endpoint control behavior, and business software distribution practices are required to determine practical coverage and alert quality.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 80b17babf418… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0712 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.