MITRE ATT&CK® Analytic

AN0992: Analytic 0992

Detect suspicious file creations and process executions triggered by browser activity (e.g., injected payloads written to %AppData% or Temp directories, then executed). Correlate network anomalies with subsequent local process creation or script execution.

Enterprise | AN0992 | Analytic Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it focuses on a common post-browser-execution pattern on Windows: browser activity is followed by suspicious file creation in user-writable locations such as AppData or Temp, and then process or script execution. For leaders, the value is not that any single browser event is malicious, but that endpoint, network, and process telemetry can be correlated quickly enough to distinguish routine browsing from activity that may require containment or incident response.

Executive priority

Prioritize this as a resilience and SOC-readiness validation item for Windows endpoints. Executives should ask whether the organization can connect network anomalies from browser activity to local file creation and execution evidence, and whether responders can use that chain as defensible incident evidence. The business decision is whether current endpoint logging, network visibility, and triage workflows are sufficient to reduce dwell time when suspicious browser-triggered execution occurs.

Technical view

SOC and detection teams should validate correlation coverage for Windows events where browser-related activity is followed by file creation in user-writable paths, especially AppData and Temp, and subsequent process or script execution. Because no official detection logic is provided, teams should treat AN0992 as a detection design requirement rather than a ready rule. The analytic should be tuned around parent/child process context, file path, file creation timing, script interpreter usage, and related network anomalies before or during execution.

Likely telemetry

  • Windows process creation telemetry, including parent/child process relationships
  • File creation telemetry for user-writable directories such as AppData and Temp
  • Script execution telemetry where available
  • Browser process activity on Windows endpoints
  • Network telemetry showing anomalies correlated with browser activity

Detection direction

  • Validate that browser-originated activity can be correlated with later file creation and execution on the same Windows endpoint.
  • Tune for suspicious chains rather than isolated events to reduce false positives from normal downloads, installers, browser updates, and enterprise software deployment.
  • Review coverage gaps where file creation events, command-line details, parent process data, or script execution logs are missing.
  • Use time-windowed correlation between network anomalies and subsequent local execution, but confirm thresholds against normal business browsing and software workflows.
  • Because no ATT&CK relationship context is supplied, avoid assuming a specific malware family, technique, campaign, or adversary behavior.
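As an added, illustrative example (not part of the MITRE object or Glexia's analysis), the Python below sketches the time-windowed chain correlation described above over constructed sample telemetry: a browser writes a file under AppData or Temp, and that file is later executed directly or through a script interpreter on the same host, with nearby network anomalies counted as supporting context. The event field names, browser and interpreter lists, window size and allowlist entry are assumptions to be replaced by local telemetry and baselines.

```python
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
INTERPRETERS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
# Constructed allowlist of approved updater paths; derive real entries from local baselines.
ALLOWLIST_PREFIXES = ("c:\\users\\alice\\appdata\\local\\google\\update\\",)
WINDOW = timedelta(minutes=10)  # max gap between browser file write and execution

def basename(image):
    return image.rsplit("\\", 1)[-1].lower()

def user_writable(path):
    p = path.lower()
    return "\\appdata\\" in p or "\\temp\\" in p

def correlate(events):
    """One alert per chain: browser writes under AppData/Temp, then that file runs within WINDOW."""
    alerts, pending, anomalies = [], {}, []  # pending: (host, path) -> write timestamp
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "net_anomaly":
            anomalies.append((ev["host"], ts))
        elif ev["type"] == "file" and basename(ev["image"]) in BROWSERS and user_writable(ev["path"]):
            pending[(ev["host"], ev["path"].lower())] = ts
        elif ev["type"] == "process":
            image, cmd = ev["image"].lower(), ev["cmdline"].lower()
            for (host, path), wts in list(pending.items()):
                if ts - wts > WINDOW:
                    pending.pop((host, path))  # expired candidate; old downloads no longer match
                    continue
                ran = host == ev["host"] and (image == path or (basename(image) in INTERPRETERS and path in cmd))
                if ran and not path.startswith(ALLOWLIST_PREFIXES):
                    net = sum(1 for h, at in anomalies if h == host and wts - WINDOW <= at <= ts)
                    alerts.append({"host": host, "path": path, "executor": basename(image),
                                   "parent": basename(ev["parent"]), "delay_s": int((ts - wts).total_seconds()),
                                   "network_anomalies": net})
                    pending.pop((host, path))  # report each chain once
    return alerts

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [  # constructed telemetry for one host; not real log data
    {"ts": "2024-05-01T09:00:05", "host": "WS01", "type": "net_anomaly", "detail": "periodic beacon-like connections"},
    {"ts": "2024-05-01T09:00:10", "host": "WS01", "type": "file", "image": CHROME,
     "path": r"C:\Users\alice\AppData\Local\Temp\invoice.js"},
    {"ts": "2024-05-01T09:00:20", "host": "WS01", "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.js"', "parent": CHROME},
    {"ts": "2024-05-01T09:05:00", "host": "WS01", "type": "file", "image": CHROME,
     "path": r"C:\Users\alice\AppData\Local\Google\Update\GoogleUpdate.exe"},  # approved updater path
    {"ts": "2024-05-01T09:05:05", "host": "WS01", "type": "process", "parent": CHROME,
     "image": r"C:\Users\alice\AppData\Local\Google\Update\GoogleUpdate.exe", "cmdline": "GoogleUpdate.exe /update"},
]
```

The allowlisted updater chain is suppressed while the interpreter-launched script produces one alert carrying the parent process, delay and anomaly count that the tuning guidance above asks for.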

Mitigation priorities

  • Ensure Windows endpoints collect the process, file, script, and network evidence needed for incident triage.
  • Harden monitoring and response workflows for execution from user-writable locations such as AppData and Temp.
  • Review endpoint controls that restrict or scrutinize script execution and unexpected process launches from browser-adjacent activity.
  • Document the detection-to-response process so alerts can support containment decisions and compliance evidence.
  • Use local baseline data to tune exceptions for legitimate browser downloads, updates, and approved software installation paths.

Analyst notes and limits

AN0992 is a detection analytic object for Windows with a description but no official detection implementation and no supplied ATT&CK relationships. Its practical value is as a validation prompt for endpoint and network correlation around suspicious browser-triggered file creation and execution.

The supplied object does not specify tactics, related techniques, data sources, detection pseudocode, mitigations, adversary use, or active exploitation. Any production rule, severity model, or control recommendation requires local telemetry, asset context, and environment-specific baselining.

Official MITRE ATT&CK definition

Analytic 0992

Detect suspicious file creations and process executions triggered by browser activity (e.g., injected payloads written to %AppData% or Temp directories, then executed). Correlate network anomalies with subsequent local process creation or script execution.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: faaa801690cad265...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   faaa801690ca…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0992 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.