Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0872: Analytic 0872

Detection of browser-based or email client-driven file creation (often from temp directories) following navigation to or execution of HTML files containing JavaScript Blob APIs or base64 Data URLs, with follow-on execution of the dropped payload. Leveraging Sysmon EventID 15 to inspect Zone.Identifier ADS for HostUrl/ReferrerUrl indicators (e.g., HostUrl=about:internet). Optional: absence of a large HTTP download record for the same URL/client in proxy logs (suggests local assembly)

EnterpriseAN0872AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it focuses on a common defensive gap: files assembled locally by a browser or email client from HTML/JavaScript content, rather than downloaded as a normal large HTTP file. For leaders, the practical issue is whether endpoint, web, and email telemetry can prove how an unexpected payload appeared and executed on a Windows host, especially when proxy logs alone may not show a clear download event.

Executive priority

Prioritize this as a validation point for Windows endpoint visibility and incident response readiness. The business question is not simply “can we block downloads,” but “can we reconstruct browser/email-driven file creation, origin metadata, and follow-on execution when a payload is created from local web content?” This supports faster containment decisions, stronger audit evidence, and more realistic SOC coverage assessment for user-driven initial execution paths.

Technical view

For SOC and detection engineering teams, validate whether Windows endpoints collect Sysmon Event ID 15 or equivalent evidence that captures Zone.Identifier alternate data stream details, especially HostUrl and ReferrerUrl values such as HostUrl=about:internet. Correlate browser or email-client activity, navigation to or execution of HTML files, file creation from temporary locations, and subsequent process execution of the created payload. Where proxy logs are available, compare endpoint evidence against the absence of a corresponding large HTTP download for the same URL/client to identify cases where content may have been assembled locally rather than transferred as a conventional file download.

Likely telemetry

  • Windows endpoint file creation events
  • Sysmon Event ID 15 or equivalent Zone.Identifier alternate data stream telemetry
  • HostUrl and ReferrerUrl metadata from Mark-of-the-Web/Zone.Identifier records
  • Browser and email client process activity
  • Process creation telemetry showing execution of the dropped file

Detection direction

  • Validate collection and parsing of Zone.Identifier ADS fields, not just standard file creation or process execution logs.
  • Tune correlation around browser or email-client-driven file creation followed by execution, particularly when the file originates from temporary directories.
  • Use proxy logs as context: absence of a large matching HTTP download can strengthen suspicion, but should not be treated as proof by itself.
  • Account for benign browser, email, installer, and document workflow behavior that may create files with web-origin metadata.
  • Because no tactic or relationship context is supplied, map this analytic locally to the relevant incident scenarios and ATT&CK techniques used in your detection program.

Mitigation priorities

  • Ensure Windows endpoint logging is configured to preserve file-origin metadata needed for investigation.
  • Harden user execution paths by reviewing controls around browser/email attachment handling, temporary directory execution, and script/content handling where applicable.
  • Confirm SOC playbooks include triage steps for Zone.Identifier HostUrl/ReferrerUrl review and correlation with proxy records.
  • Use findings from this analytic to prioritize gaps in endpoint telemetry, web/email logging retention, and incident reconstruction capability rather than relying on proxy visibility alone.
Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Windows focused on browser-based or email client-driven file creation using HTML content with JavaScript Blob APIs or base64 Data URLs, followed by execution of the dropped payload. The strongest decision value is in validating whether endpoint telemetry can expose file origin and local assembly behavior that may not appear as a conventional web download.

No official detection logic, tactics, technique relationships, adversary relationships, or mitigation mappings were supplied. This take is therefore limited to the official description, platform, external reference, and object metadata. Local baselining is required to separate suspicious behavior from legitimate browser, email, installer, or document workflows.

Official MITRE ATT&CK definition

Analytic 0872

Detection of browser-based or email client-driven file creation (often from temp directories) following navigation to or execution of HTML files containing JavaScript Blob APIs or base64 Data URLs, with follow-on execution of the dropped payload. Leveraging Sysmon EventID 15 to inspect Zone.Identifier ADS for HostUrl/ReferrerUrl indicators (e.g., HostUrl=about:internet). Optional: absence of a large HTTP download record for the same URL/client in proxy logs (suggests local assembly)

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
81028ee1332c803f...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 81028ee1332c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0872
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use