AN0819: Analytic 0819
User opens a file delivered by email, web, chat, or share. The handler application (Word/PDF reader/archiver) creates a file in user-controlled paths (Downloads, Temp, Desktop) and then spawns a new or unusual child process (e.g., powershell.exe, wscript.exe, cmd.exe, regsvr32.exe, rundll32.exe, msiexec.exe). Optional precursors include FileStreamCreated (URL/UNC) and Office → system32 batch writes.
Analyst context for executives and security teams
Analytic 0819 is useful because it focuses on a common early warning pattern: a user opens a file from email, web, chat, or a share, and the associated Windows application then creates content in user-writable locations and launches an unusual child process such as PowerShell, Windows Script Host, cmd, regsvr32, rundll32, or msiexec. For leaders, the decision value is whether the organization can reliably see and investigate risky document/archive/PDF handling before it becomes a broader endpoint or identity incident.
Executive priority
Prioritize this as a Windows endpoint and SOC readiness validation item. It helps test whether controls and telemetry can connect user-delivered files, user-controlled paths, and suspicious child-process execution into an actionable alert. This supports incident triage, audit evidence for endpoint monitoring, and business-continuity planning around phishing and user-file handling risks. Because ATT&CK provides no tactic mapping or official detection logic for this analytic, leadership should treat it as a coverage validation opportunity rather than proof of existing detection maturity.
Technical view
Validate whether Windows telemetry can correlate: the handler application that opened the user-delivered file, file creation in paths such as Downloads, Temp, or Desktop, and subsequent unusual child processes including powershell.exe, wscript.exe, cmd.exe, regsvr32.exe, rundll32.exe, or msiexec.exe. Where available, also review precursor evidence such as FileStreamCreated events involving URL or UNC context and Office processes writing batch files under system32. Detection engineering should define local baselines for expected child processes from Word, PDF readers, archive tools, and similar handlers, then tune for uncommon or risky parent-child combinations.
Likely telemetry
- Windows process creation events with parent-child process relationships
- File creation events in user-controlled paths such as Downloads, Temp, and Desktop
- Application execution telemetry for Office, PDF readers, archive utilities, and similar file handlers
- File stream or alternate data stream evidence, where collected, including URL or UNC context
- Command-line, image path, user, working directory, and file path metadata for spawned processes
Detection direction
- Confirm that endpoint logging preserves parent process, child process, command line, user, file path, and timestamp fields needed to reconstruct the sequence.
- Build or validate correlation logic linking file-handler applications to file creation in user-controlled paths followed by unusual child processes.
- Tune detections around locally common software behavior to reduce false positives from legitimate document workflows, software installers, archive extraction, and administrative tooling.
- Pay special attention to suspicious child processes named in the ATT&CK description: powershell.exe, wscript.exe, cmd.exe, regsvr32.exe, rundll32.exe, and msiexec.exe.
- Check for blind spots where file creation is logged but process lineage is not, or where endpoint tools do not capture file stream, URL, or UNC precursor context.
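The correlation described in the technical view and the detection-direction items above, as an added example that is not part of the ATT&CK object or Glexia's analysis: it links file writes by a handler process into a user-controlled path to a subsequent unusual child process from the same parent, applies a local baseline, and grades severity by whether a staged file precedes the child. Event shapes, handler names, baseline entries and timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the page): the minimal fields that process-creation
# and file-creation events from Sysmon/EDR pipelines typically carry.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "type": "file_create", "pid": 4100, "image": "WINWORD.EXE",
     "path": r"C:\Users\alice\AppData\Local\Temp\invoice.bat"},
    {"ts": "2024-05-01T09:00:02", "type": "process_create", "ppid": 4100, "parent_image": "WINWORD.EXE",
     "image": "cmd.exe", "cmdline": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\invoice.bat"},
    # Benign: Word's print helper is in the local baseline, so it is not reported.
    {"ts": "2024-05-01T09:05:00", "type": "process_create", "ppid": 4100, "parent_image": "WINWORD.EXE",
     "image": "splwow64.exe", "cmdline": "splwow64.exe 8192"},
    # Reader spawns PowerShell with no staged file in the window: still reported, lower severity.
    {"ts": "2024-05-01T09:10:00", "type": "process_create", "ppid": 5200, "parent_image": "AcroRd32.exe",
     "image": "powershell.exe", "cmdline": r"powershell.exe -File C:\Users\bob\Downloads\open.ps1"},
]

HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "7zfm.exe", "winrar.exe"}
RISKY_CHILDREN = {"powershell.exe", "wscript.exe", "cmd.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe"}
USER_PATH_MARKERS = ("\\downloads\\", "\\temp\\", "\\desktop\\")
# Locally tuned expected children per handler; these entries are constructed placeholders.
BASELINE = {"winword.exe": {"splwow64.exe"}, "acrord32.exe": {"acrocef.exe"}}

def correlate(events, window_s=120):
    """Report handler -> unusual child pairs, enriched with files the same handler process
    wrote to a user-controlled path within window_s seconds before the child started."""
    writes = {}  # handler pid -> [(timestamp, path)] for writes into user-controlled paths
    for e in events:
        if (e["type"] == "file_create" and e["image"].lower() in HANDLERS
                and any(m in e["path"].lower() for m in USER_PATH_MARKERS)):
            writes.setdefault(e["pid"], []).append((datetime.fromisoformat(e["ts"]), e["path"]))
    alerts = []
    for e in events:
        if e["type"] != "process_create":
            continue
        parent, child = e["parent_image"].lower(), e["image"].lower()
        if parent not in HANDLERS or child in BASELINE.get(parent, set()):
            continue  # not a file handler, or a child the local baseline expects
        started = datetime.fromisoformat(e["ts"])
        staged = [p for t, p in writes.get(e["ppid"], [])
                  if timedelta(0) <= started - t <= timedelta(seconds=window_s)]
        if child in RISKY_CHILDREN:
            severity = "high" if staged else "medium"
        else:
            severity = "low"  # new/unusual but not one of the named risky binaries
        alerts.append({"ts": e["ts"], "parent": parent, "child": child, "cmdline": e["cmdline"],
                       "staged_files": staged, "severity": severity})
    return alerts
```

Shortening the window (for example `correlate(EVENTS, window_s=1)`) drops the staged-file link and downgrades the Word/cmd alert to medium, which is the tuning knob to validate against local telemetry latency.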
Mitigation priorities
- Ensure Windows endpoint monitoring is enabled for process creation and file creation in user-writable paths.
- Harden user-delivered file handling through least privilege, controlled script execution, and restrictions on high-risk child processes where operationally feasible.
- Review email, web, chat, and file-share controls as upstream prevention layers for user-delivered files.
- Use application control or attack surface reduction (ASR)-style policies where appropriate to limit child process abuse by Office, PDF, or archive handlers.
- Document telemetry coverage and alert triage procedures so SOC and incident response teams can prove readiness during audits and post-incident reviews.
Analyst notes and limits
This object is a detection analytic, not a technique. It is scoped to Windows and describes behavioral conditions rather than providing a formal detection query. The strongest practical use is as a validation checklist for endpoint telemetry quality, parent-child process analytics, and user-file execution triage.
No official detection logic, tactics, labels, aliases, or relationship context were supplied. The object does not support claims about active exploitation, specific adversaries, impact, or guaranteed detectability. Local software baselines and endpoint logging configuration are required to determine practical coverage and false-positive rates.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 47652664e37b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0819 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.