AN0949: Analytic 0949
Monitors for unexpected modifications of system or application binaries, particularly signed executables. Correlates file write events with subsequent unsigned or anomalously signed process execution, and checks for tampered binaries outside normal patch cycles.
Analyst context for executives and security teams
AN0949 is a Windows-focused detection analytic for spotting possible tampering with system or application binaries, especially signed executables. Its business value is in validating whether trusted software can still be trusted: if a binary is unexpectedly modified and then executed unsigned or with an unusual signature, SOC and IR teams need fast evidence to decide whether this is normal maintenance, a failed patching process, or a potential compromise path.
Executive priority
Prioritize this analytic where Windows servers, workstations, or critical applications depend on trusted signed binaries for operational continuity and audit assurance. Leaders should ask whether the organization can prove when important binaries change, whether those changes align with approved patch cycles, and whether execution of unsigned or anomalously signed software would generate timely investigation. This supports incident decision-making, compliance evidence around change control, and resilience against integrity loss in trusted software paths.
Technical view
For Windows environments, validate collection and correlation of file write activity against system and application binary locations, followed by process execution telemetry and signature status. The analytic depends on distinguishing expected patch or software update behavior from unexpected binary modification, then checking whether the modified binary later runs unsigned or with anomalous signing characteristics. Because no ATT&CK tactic or relationship context is supplied, implementation should remain behavior-centric rather than mapped to a specific adversary objective.
Likely telemetry
- Windows file write or file modification events for system and application executable paths
- Process execution events following binary modification
- Executable code-signing metadata, including signed, unsigned, and anomalously signed status
- Software update, patch management, or change-control records to establish normal patch cycles
- File path, hash, timestamp, parent process, user, and host context for correlation and triage
Detection direction
- Confirm that file modification telemetry is available for important Windows system and application binary locations, not only for user directories.
- Correlate modified executable files with subsequent process execution rather than alerting on writes alone.
- Tune against approved software updates and normal patch cycles to reduce false positives.
- Investigate unsigned or anomalously signed execution after a binary write as higher-priority context.
- Validate whether signature metadata is captured consistently; without it, the analytic loses much of its decision value.
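The correlation described under Technical view and Detection direction, as an added example that is not part of this analytic or any vendor product: it pairs writes to monitored binary paths with later executions of the same path, then raises findings when the execution is unsigned or signed by someone outside an assumed allow-list, or when the write fell outside an assumed approved patch window. The event records, signer allow-list and patch window are all constructed.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry in assumed EDR-style fields; nothing here is from the page.
MONITORED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")
EXPECTED_SIGNERS = {"Microsoft Windows", "Example Vendor Inc."}  # assumed allow-list
PATCH_WINDOWS = [(datetime(2026, 1, 14, 2), datetime(2026, 1, 14, 4))]  # assumed change window

EVENTS = [
    {"type": "file_write", "ts": "2026-01-14T02:15:00", "path": "C:\\Windows\\System32\\svchost.exe"},
    {"type": "process", "ts": "2026-01-14T02:20:00", "path": "C:\\Windows\\System32\\svchost.exe",
     "signature": "signed", "signer": "Microsoft Windows"},      # expected: in-window signed update
    {"type": "file_write", "ts": "2026-01-14T13:05:00", "path": "C:\\Program Files\\App\\app.exe"},
    {"type": "process", "ts": "2026-01-14T13:07:00", "path": "C:\\Program Files\\App\\app.exe",
     "signature": "unsigned", "signer": None},                   # unsigned after out-of-cycle write
    {"type": "file_write", "ts": "2026-01-14T15:00:00", "path": "C:\\Program Files\\App\\helper.exe"},
    {"type": "process", "ts": "2026-01-14T15:02:00", "path": "C:\\Program Files\\App\\helper.exe",
     "signature": "signed", "signer": "Example Vendor Inc."},    # valid signer, but outside patch cycle
    {"type": "file_write", "ts": "2026-01-14T16:00:00", "path": "C:\\Users\\alice\\tool.exe"},
    {"type": "process", "ts": "2026-01-14T16:01:00", "path": "C:\\Users\\alice\\tool.exe",
     "signature": "unsigned", "signer": None},                   # not a monitored location
]

def in_patch_window(ts):
    return any(start <= ts <= end for start, end in PATCH_WINDOWS)

def signature_anomalous(proc):
    # Unsigned, or signed by a publisher outside the allow-list, both count as anomalous.
    return proc.get("signature") != "signed" or proc.get("signer") not in EXPECTED_SIGNERS

def correlate(events, window=timedelta(hours=24)):
    """Pair each write to a monitored binary with later executions of the same path."""
    findings = []
    ordered = sorted(events, key=lambda e: e["ts"])
    for w in ordered:
        if w["type"] != "file_write" or not w["path"].lower().startswith(MONITORED_PREFIXES):
            continue
        w_ts = datetime.fromisoformat(w["ts"])
        for p in ordered:
            if p["type"] != "process" or p["path"].lower() != w["path"].lower():
                continue
            p_ts = datetime.fromisoformat(p["ts"])
            if not w_ts <= p_ts <= w_ts + window:
                continue
            anomalous = signature_anomalous(p)
            if anomalous or not in_patch_window(w_ts):
                findings.append({"path": w["path"], "write_ts": w["ts"], "exec_ts": p["ts"],
                                 "signature": p.get("signature"), "signer": p.get("signer"),
                                 "severity": "high" if anomalous else "medium"})
    return findings
```

Writes with no later execution produce nothing, which matches the direction to correlate rather than alert on writes alone; in a real deployment the patch windows and allow-list would come from change-control and signer inventory rather than constants.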
Mitigation priorities
- Maintain reliable patch and change-management records so defenders can distinguish approved binary changes from unexpected tampering.
- Ensure Windows endpoint logging or EDR coverage captures file writes, process execution, and signature metadata for relevant binaries.
- Prioritize monitoring on critical servers, privileged administration tools, and business-critical applications before expanding broadly.
- Review controls that restrict unauthorized modification of protected system and application directories.
- Establish IR playbooks for verifying binary integrity, signer status, hash history, and recent maintenance activity when this analytic fires.
Analyst notes and limits
This is a detection analytic, not a technique object. The supplied ATT&CK fields identify Windows as the platform and describe monitoring for unexpected binary modification with later unsigned or anomalously signed execution. No tactics, relationships, aliases, labels, or official detection logic were provided, so this write-up focuses on practical validation requirements and operational use rather than specific adversary procedures.
Coverage depends on local telemetry quality, signature parsing, baseline knowledge of normal patch cycles, and access to change-control data. The source object does not provide concrete event IDs, query logic, product-specific fields, related techniques, or attacker attribution. It should not be treated as proof of compromise without local investigation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | beeb86015086… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0949 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.