AN0797: Analytic 0797
Cause→effect chain: (1) A client app (browser, Office, PDF/Flash/reader) experiences a crash/abnormal exit or loads from an unusual location, then (2) drops or modifies a file in user-writable paths, and/or (3) spawns an unexpected child (e.g., powershell/cmd/mshta/rundll32/wscript/installer), and (4) establishes outbound C2-like connections shortly after. Correlate application logs, file writes, process lineage, and network egress within a short window.
Analyst context for executives and security teams
AN0797 is a Windows detection analytic for spotting a suspicious chain that can follow client-side compromise: a browser, Office, PDF/Flash/reader-type application crashes, exits abnormally, or runs from an unusual location, then writes to user-writable paths, launches unexpected tooling such as PowerShell, cmd, mshta, rundll32, wscript, or an installer, and soon after makes outbound network connections. For leaders, the value is not any single event; it is whether the SOC can correlate endpoint, file, process, and egress evidence quickly enough to separate normal application instability from a potential intrusion path.
Executive priority
Prioritize this analytic as a resilience and incident-readiness validation for Windows endpoints. It tests whether security operations can connect user-facing application failures to suspicious post-crash behavior and outbound connectivity. The business question is: if a commonly used client application becomes the starting point for compromise, can the organization prove it has the telemetry, correlation logic, and response process to identify and contain it before the activity becomes broader?
Technical view
Validate correlation across a short time window on Windows: application crash or abnormal exit events, application execution from unusual locations, file drops or modifications in user-writable paths, suspicious child process lineage from client applications, and outbound network egress shortly afterward. Detection engineering should focus on parent-child process relationships involving browsers, Office, PDF/Flash/reader applications spawning command shells, script hosts, rundll32, mshta, PowerShell, or installers, especially when paired with recent file writes and external connections. Because no ATT&CK tactic or relationship context is supplied, treat this as a behavior-chain analytic rather than a standalone technique mapping.
Likely telemetry
- Windows application crash or abnormal-exit logs
- Endpoint process creation telemetry with parent-child lineage
- File creation and modification telemetry for user-writable paths
- Application execution path and image-location data
- Network egress telemetry from endpoint, EDR, proxy, firewall, or DNS sources
Detection direction
- Confirm the SOC can correlate the full cause-and-effect chain rather than alerting only on isolated child processes or network connections.
- Tune around known enterprise software update, installer, browser helper, Office automation, and document-handling workflows that may legitimately create child processes or write to user paths.
- Prioritize higher-confidence cases where multiple elements occur close together: abnormal client-app behavior, file write in a user-writable location, unexpected child process, and outbound connection.
- Review blind spots where endpoint agents do not capture application crashes, command-line details, process ancestry, file writes, or per-process network connections.
- Because official detection text is not provided beyond the analytic description, validate thresholds, time windows, and allowlists against local Windows endpoint behavior.
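The correlation that the Technical view and the Detection direction bullets describe, as an added example that is not Glexia's or MITRE's detection code: a small Python correlator run over a constructed, Sysmon-style event list (process create with parent lineage, file create, network connect) plus an Application-log-style crash record. The event schema, the client-app and child-process name lists, the user-writable and expected-install path prefixes, the window sizes, the host names and the whole timeline are assumptions for illustration; map them onto your own EDR or Sysmon fields before use.

```python
"""Correlate the AN0797 chain over constructed, Sysmon-style events.
Added example, not Glexia's or MITRE's code: the schema, name lists, path
prefixes, windows and timeline are assumptions; map them to your own telemetry."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

CLIENT_APPS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe",
               "chrome.exe", "msedge.exe", "firefox.exe"}
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                   "rundll32.exe", "wscript.exe", "cscript.exe", "msiexec.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")                  # assumption
EXPECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")  # assumption
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                         "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
PRE_SLACK = timedelta(seconds=60)  # drops/children often land just before the crash
WINDOW = timedelta(minutes=5)      # "shortly after"; tune against local baselines

def image_name(path):
    """Lower-cased basename of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def is_external(ip):
    """Only RFC 1918, loopback and link-local count as internal; extend locally."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_triggers(events):
    """Step (1): a client app crashed, or started from outside its expected path."""
    hits = []
    for e in events:
        if image_name(e.get("image", "")) not in CLIENT_APPS:
            continue
        if e["type"] == "crash":  # e.g. Application log 1000 with the faulting pid
            hits.append(e)
        elif e["type"] == "process" and not e["image"].lower().startswith(EXPECTED_DIRS):
            hits.append(e)
    return hits

def correlate(events):
    """Steps (2)-(4): user-path drop and/or LOLBin child, then egress, one window."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for trig in find_triggers(events):
        host, t0 = trig["host"], trig["time"]
        lineage = {trig["pid"]}  # pids in the client app's process tree
        files, children, egress = [], [], []
        for e in events:
            if e["host"] != host or not (t0 - PRE_SLACK <= e["time"] <= t0 + WINDOW):
                continue
            if e["type"] == "process":
                if image_name(e["parent_image"]) in CLIENT_APPS or e["parent_pid"] in lineage:
                    lineage.add(e["pid"])  # descendants inherit the lineage
                    if image_name(e["image"]) in LOLBIN_CHILDREN:
                        children.append(e)
            elif e["type"] == "file" and e["pid"] in lineage:
                if e["path"].lower().startswith(USER_WRITABLE):
                    files.append(e)
            elif e["type"] == "network" and e["pid"] in lineage:
                if is_external(e["dst_ip"]):
                    egress.append(e)
        if (files or children) and egress:  # require the chain, not isolated pieces
            alerts.append({"host": host,
                           "trigger": f'{trig["type"]}:{image_name(trig["image"])}',
                           "files": [f["path"] for f in files],
                           "children": [image_name(c["image"]) for c in children],
                           "egress": [f'{n["dst_ip"]}:{n["dst_port"]}' for n in egress]})
    return alerts

def _ev(t, host, kind, **fields):
    return {"time": datetime.fromisoformat(t), "host": host, "type": kind, **fields}

WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
READER = "C:\\Program Files\\Adobe\\Acrobat Reader\\AcroRd32.exe"
MSHTA = "C:\\Windows\\System32\\mshta.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EXPLORER = "C:\\Windows\\explorer.exe"
SAMPLE_EVENTS = [  # constructed timeline, not captured from a real host
    _ev("2025-01-15T09:00:01", "WS-104", "process", image=WORD, pid=4120, parent_image=EXPLORER, parent_pid=1200),
    _ev("2025-01-15T09:00:07", "WS-104", "file", image=WORD, pid=4120, path="C:\\Users\\alice\\AppData\\Local\\Temp\\inv0ice.hta"),
    _ev("2025-01-15T09:00:08", "WS-104", "process", image=MSHTA, pid=5008, parent_image=WORD, parent_pid=4120),
    _ev("2025-01-15T09:00:09", "WS-104", "crash", image=WORD, pid=4120),
    _ev("2025-01-15T09:00:10", "WS-104", "process", image=PS, pid=5200, parent_image=MSHTA, parent_pid=5008),
    _ev("2025-01-15T09:00:14", "WS-104", "network", pid=5200, dst_ip="203.0.113.45", dst_port=443),
    # Benign instability: reader crashes, WerFault reports it, nothing else follows.
    _ev("2025-01-15T09:05:00", "WS-221", "crash", image=READER, pid=3300),
    _ev("2025-01-15T09:05:03", "WS-221", "process", image="C:\\Windows\\System32\\WerFault.exe", pid=3410, parent_image=READER, parent_pid=3300),
    # Unusual location is a trigger on its own, but no drop/child/egress follows.
    _ev("2025-01-15T09:10:00", "WS-305", "process", image="C:\\Users\\bob\\AppData\\Local\\Temp\\chrome.exe", pid=7000, parent_image=EXPLORER, parent_pid=1300),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Two design choices matter more than the lists. First, the window opens `PRE_SLACK` before the trigger rather than exactly at it: in the constructed timeline the document is dropped and mshta.exe is spawned a second or two before winword.exe crashes, which is the usual ordering when a parser exploit hands off and then faults, so a strictly post-crash window would miss the drop and the child. Second, suspicion follows the process tree by pid, not by name alone, so the egress from powershell.exe (grandchild of Word via mshta.exe) still ties back to the trigger. The reader crash followed by WerFault.exe and the browser started from Temp both register as triggers but produce no alert, which is the "full chain rather than isolated pieces" behaviour the bullets above ask for; the internal-network check is deliberately narrow (RFC 1918, loopback, link-local), so add proxy and partner ranges before treating every other destination as egress.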
Mitigation priorities
- Ensure Windows endpoint logging or EDR coverage captures process lineage, file writes, application crashes, and network egress with timestamps suitable for correlation.
- Harden and monitor user-facing client applications, especially browsers, Office, and document readers, with attention to abnormal exits and unusual execution locations.
- Restrict or closely monitor script interpreters, command shells, installer execution, and living-off-the-land utilities when spawned by client applications.
- Apply egress monitoring controls so outbound connections from unexpected child processes are visible and triageable.
- Document the analytic as compliance and incident-response evidence showing that suspicious client-application-to-egress behavior is monitored and investigated.
Analyst notes and limits
This assessment is based only on the supplied ATT&CK analytic fields for AN0797. The strongest operational use is as a correlation test across Windows endpoint and network data. It should be implemented with local baselining because enterprise software, plugins, document workflows, and update mechanisms may produce partial matches.
No official detection field, tactics, relationships, aliases, or related techniques were supplied. The object supports Windows only. The analytic describes C2-like outbound connections but does not by itself establish malware, attribution, active exploitation, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | da135ba5a8d8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0797
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.