AN0913: Analytic 0913
Detects the presence of executables with high NOP padding, unusually large binary size for their function, and follow-on execution or memory injection from such files, especially when originating from temp or user-space paths.
Analyst context for executives and security teams
AN0913 is a Windows-focused detection analytic for suspicious executables that appear padded with large amounts of NOP instructions, have an unusually large size for their apparent purpose, and then execute or inject into memory, especially from temporary or user-writable locations. For leaders, the value is not the padding detail itself; it is that unusual binary structure plus execution behavior can help surface malware or evasive tooling that may not be caught by simple filename, hash, or path-based controls.
Executive priority
Treat this as a coverage-validation item for endpoint detection and incident response readiness on Windows. The business question is whether the organization can recognize suspicious executable characteristics and correlate them with follow-on execution or memory injection from high-risk locations such as temp and user-space paths. This can inform endpoint telemetry investment, malware triage procedures, and evidence quality for audit or incident review, but the supplied ATT&CK object does not specify a tactic, associated threat, or guaranteed detection method.
Technical view
SOC and detection engineering teams should validate whether endpoint telemetry and file-analysis pipelines can identify executables with high NOP padding, unusually large binary size relative to expected function, execution from temp or user-space paths, and subsequent memory injection or process execution activity. Because no official detection logic is provided, implementation should be tested against local baselines to avoid over-alerting on benign packed, padded, test, installer, or development binaries.
Likely telemetry
- Windows endpoint file metadata and file path telemetry
- Executable static-analysis features, including binary size and NOP padding indicators
- Process creation telemetry for execution from temp or user-writable paths
- Memory injection or suspicious process manipulation telemetry where available
- File provenance or origin context showing creation, download, or staging location
Detection direction
- Correlate static executable anomalies with behavior rather than alerting on large size or padding alone.
- Prioritize cases where the executable runs from temp or user-space paths and is followed by execution chains or memory injection.
- Build environment-specific baselines for legitimate large binaries, installers, development tools, and software distribution activity.
- Validate that endpoint sensors retain enough file and process context to connect the suspicious file to later execution or injection behavior.
- Because ATT&CK provides no official detection query for this analytic, document local logic, test data, and tuning assumptions.
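As an added illustration (not part of the ATT&CK object or of Glexia's page), the following Python sketch implements the correlation direction above: static NOP/size anomaly, execution from a user-writable path, and a follow-on execution or injection event must all be present before an alert fires. Thresholds, path markers, the constructed file bytes and the event records are assumptions; a real pipeline would compute NOP statistics per PE code section and read events from endpoint telemetry.

```python
from typing import Dict, List, Tuple

# Thresholds are assumptions for illustration; tune them against local baselines.
NOP_RUN_THRESHOLD = 4096            # longest contiguous run of 0x90 bytes
NOP_RATIO_THRESHOLD = 0.20          # fraction of file bytes that are 0x90
SIZE_THRESHOLD = 10 * 1024 * 1024   # "unusually large" for the file's role
USER_WRITABLE_MARKERS = ("\\temp\\", "\\appdata\\", "\\users\\", "\\downloads\\")
FOLLOW_ON_EVENTS = ("process_create", "remote_thread", "process_access")

def nop_stats(data: bytes) -> Tuple[int, float]:
    """Return (longest run of 0x90 bytes, fraction of all bytes that are 0x90)."""
    longest = run = 0
    for b in data:
        run = run + 1 if b == 0x90 else 0
        longest = max(longest, run)
    ratio = data.count(0x90) / len(data) if data else 0.0
    return longest, ratio

def static_suspicious(data: bytes) -> bool:
    """Static anomaly: heavy NOP padding or unusually large size."""
    longest, ratio = nop_stats(data)
    return (longest >= NOP_RUN_THRESHOLD or ratio >= NOP_RATIO_THRESHOLD
            or len(data) >= SIZE_THRESHOLD)

def from_user_writable_path(path: str) -> bool:
    """Risky location: temp or user-space directories (marker list is an assumption)."""
    p = path.lower()
    return any(m in p for m in USER_WRITABLE_MARKERS)

def correlate(files: Dict[str, bytes], events: List[dict]) -> List[str]:
    """Alert only when static anomaly, risky path and follow-on behaviour coincide."""
    alerts = []
    for ev in events:
        image = ev["image"]
        data = files.get(image)
        if data is None or not static_suspicious(data):
            continue
        if not from_user_writable_path(image) or ev["event"] not in FOLLOW_ON_EVENTS:
            continue
        alerts.append(f"{image}: {ev['event']} -> {ev.get('target', '')}")
    return alerts

# Constructed sample files and events (not real telemetry).
PADDED = b"MZ" + bytes([0x90]) * 8192 + b"\x00" * 100   # heavy NOP padding
CLEAN = b"MZ" + bytes(range(256)) * 40                   # no padding, modest size
TEMP_EXE = r"C:\Users\alice\AppData\Local\Temp\upd.exe"
VENDOR_EXE = r"C:\Program Files\Vendor\big.exe"
DOWNLOAD_EXE = r"C:\Users\alice\Downloads\clean.exe"
SAMPLE_FILES = {TEMP_EXE: PADDED, VENDOR_EXE: PADDED, DOWNLOAD_EXE: CLEAN}
SAMPLE_EVENTS = [
    {"image": TEMP_EXE, "event": "process_create", "target": "upd.exe"},
    {"image": TEMP_EXE, "event": "remote_thread", "target": "explorer.exe"},
    {"image": VENDOR_EXE, "event": "process_create", "target": "big.exe"},   # trusted path
    {"image": DOWNLOAD_EXE, "event": "process_create", "target": "clean.exe"},  # no anomaly
]
```

Running `correlate(SAMPLE_FILES, SAMPLE_EVENTS)` yields two alerts, both for the padded file in the Temp directory; the padded vendor binary and the clean download produce none.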
Mitigation priorities
- Ensure Windows endpoint visibility covers file creation, process execution, and memory-related behavioral events in user-writable locations.
- Limit unnecessary execution from temporary and user-space directories where operationally feasible through application control or policy controls.
- Strengthen malware triage workflows so suspicious binary structure can be reviewed alongside runtime behavior.
- Use least privilege and controlled software installation practices to reduce opportunities for untrusted executables to stage and run from user paths.
- Maintain response playbooks for isolating hosts and collecting suspicious executables when correlated execution or injection behavior is observed.
Analyst notes and limits
This take is based only on ATT&CK analytic AN0913 as supplied. The object is a detection analytic in the enterprise domain for Windows. It has no supplied tactic, no relationship context, and no official detection query. The strongest supported interpretation is a defensive analytic pattern combining suspicious executable structure, risky file location, and follow-on execution or memory injection behavior.
No active exploitation, attribution, malware family, technique relationship, or detection coverage claim is supported by the supplied fields. Local telemetry availability, endpoint sensor capability, file-analysis depth, and environmental baselines are required before this can be treated as operational detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 658ffc964627… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0913
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.