AN1064: Analytic 1064
Correlates script execution or suspicious parent processes with creation or modification of encoded, compressed, or encrypted file formats (e.g., .zip, .7z, .enc) and abnormal command-line syntax or PowerShell obfuscation.
Analyst context for executives and security teams
AN1064 is a Windows detection analytic focused on suspicious creation or modification of encoded, compressed, or encrypted files when tied to script execution, unusual parent processes, abnormal command-line syntax, or PowerShell obfuscation. For leaders, the value is not the file extension alone; it is whether the organization can spot potentially staged or concealed data and tooling before an incident escalates.
Executive priority
Prioritize this analytic where Windows endpoints are business-critical and where attackers hiding content in archives or encrypted files would complicate incident response, evidence collection, or containment decisions. Security leaders should ask whether endpoint, script, command-line, and file-creation telemetry are retained and correlated well enough to support SOC triage and post-incident audit evidence.
Technical view
SOC and detection teams should validate correlation on Windows between script execution or suspicious parent processes and creation/modification of file formats such as .zip, .7z, and .enc, especially when command lines are abnormal or PowerShell appears obfuscated. Because no ATT&CK tactic or relationship context is supplied, this should be treated as a behavior-level analytic that needs local tuning against known administrative scripts, backup jobs, compression utilities, and legitimate automation.
Likely telemetry
- Windows process creation events with parent/child process context
- Command-line arguments, including PowerShell invocation details
- Script execution telemetry where available
- File creation and file modification events
- File path, extension, user, host, and timestamp metadata
Detection direction
- Validate that process, command-line, script, and file telemetry can be joined by host, user, process lineage, and time window.
- Tune for suspicious parent processes and abnormal command-line patterns rather than alerting on archive or encrypted file creation alone.
- Review PowerShell logging coverage and whether obfuscation-like syntax is visible in collected telemetry.
- Suppress or baseline expected enterprise activity such as software packaging, backups, administrative compression, and legitimate encryption workflows.
- Because no official detection logic is provided, test candidate analytics against local benign activity before using them for high-severity alerting.
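The correlation described above, as an added worked example rather than MITRE's own detection logic (which the page notes is not supplied) or Glexia code: it joins Sysmon-style process-creation (EventID 1) and file-creation (EventID 11) events by host and ProcessGuid, requires both suspicious context (script host or suspicious parent) and an abnormal command-line indicator before alerting, and suppresses a baselined image. The field names, indicator regexes, five-minute window, baseline path and every sample event are constructed assumptions for illustration, not real telemetry.

```python
import re
from datetime import datetime, timedelta

# Assumed indicator sets and baseline; tune them against local telemetry.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wscript.exe"}
TARGET_EXTS = (".zip", ".7z", ".rar", ".enc", ".gpg")
OBFUSCATION_PATTERNS = [  # (regex, label): heuristics, not an exhaustive catalogue
    (r"-e(?:c|nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}", "encoded command"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"`[A-Za-z]", "backtick splitting"),
    (r"\^[A-Za-z]", "caret insertion"),
    (r"\[char\]\d+", "char-code concatenation"),
    (r"frombase64string", "base64 decode"),
]
BASELINE_IMAGES = {r"c:\program files\backupsvc\backup.exe"}  # known benign automation (assumed)
WINDOW = timedelta(minutes=5)  # max gap between process start and the file write


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def command_line_indicators(cmdline):
    """Labels of every abnormal-syntax/obfuscation pattern present in cmdline."""
    return [label for pat, label in OBFUSCATION_PATTERNS if re.search(pat, cmdline, re.IGNORECASE)]


def correlate(events):
    """Join EventID 11 writes of archive/encrypted extensions to the EventID 1 record
    with the same Host and ProcessGuid. Alert only when the creator is a script host
    or has a suspicious parent AND its command line carries an indicator, so plain
    administrative compression does not fire; baselined images are suppressed."""
    procs = {(e["Host"], e["ProcessGuid"]): e for e in events if e["EventID"] == 1}
    alerts = []
    for ev in events:
        if ev["EventID"] != 11 or not ev["TargetFilename"].lower().endswith(TARGET_EXTS):
            continue
        proc = procs.get((ev["Host"], ev["ProcessGuid"]))
        if proc is None or proc["Image"].lower() in BASELINE_IMAGES:
            continue
        gap = datetime.fromisoformat(ev["UtcTime"]) - datetime.fromisoformat(proc["UtcTime"])
        if not timedelta(0) <= gap <= WINDOW:
            continue
        context = []
        if basename(proc["Image"]) in SCRIPT_HOSTS:
            context.append("script host")
        parent = basename(proc["ParentImage"])
        if parent in SUSPICIOUS_PARENTS:
            context.append("suspicious parent " + parent)
        indicators = command_line_indicators(proc["CommandLine"])
        if context and indicators:
            alerts.append({"host": ev["Host"], "user": proc["User"], "file": ev["TargetFilename"],
                           "image": proc["Image"], "parent": proc["ParentImage"],
                           "command_line": proc["CommandLine"], "reasons": context + indicators})
    return alerts


# Constructed sample telemetry using Sysmon-style field names; not real event data.
SAMPLE_EVENTS = [
    # Word spawns hidden, encoded PowerShell that writes a .zip in Temp -> alert
    {"EventID": 1, "Host": "WS01", "ProcessGuid": "{A1}", "UtcTime": "2024-05-01 10:00:00",
     "User": "CORP\\alice", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    {"EventID": 11, "Host": "WS01", "ProcessGuid": "{A1}", "UtcTime": "2024-05-01 10:00:30",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\stage.zip"},
    # Admin archiving logs with plain syntax from explorer.exe -> no alert
    {"EventID": 1, "Host": "WS02", "ProcessGuid": "{B2}", "UtcTime": "2024-05-01 10:05:00",
     "User": "CORP\\bob", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\archive-logs.ps1"},
    {"EventID": 11, "Host": "WS02", "ProcessGuid": "{B2}", "UtcTime": "2024-05-01 10:05:10",
     "TargetFilename": r"C:\logs\archive-2024-05.zip"},
    # Baselined backup agent writing a .7z -> suppressed
    {"EventID": 1, "Host": "SRV01", "ProcessGuid": "{C3}", "UtcTime": "2024-05-01 02:00:00",
     "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Program Files\BackupSvc\backup.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "backup.exe --compress"},
    {"EventID": 11, "Host": "SRV01", "ProcessGuid": "{C3}", "UtcTime": "2024-05-01 02:00:05",
     "TargetFilename": r"D:\backups\full.7z"},
    # Suspicious lineage and syntax, but the .enc write lands outside WINDOW -> no alert
    {"EventID": 1, "Host": "WS03", "ProcessGuid": "{D4}", "UtcTime": "2024-05-01 11:00:00",
     "User": "CORP\\carol", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"powershell.exe -w hidden -File C:\Users\carol\AppData\Local\Temp\inv.ps1"},
    {"EventID": 11, "Host": "WS03", "ProcessGuid": "{D4}", "UtcTime": "2024-05-01 11:20:00",
     "TargetFilename": r"C:\Users\carol\AppData\Local\Temp\out.enc"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["host"], a["user"], a["file"], "|", ", ".join(a["reasons"]))
```

The two tuning knobs this exposes are the ones the list above calls out: the two-sided condition (lineage or script context plus abnormal syntax) is what keeps routine `Compress-Archive` runs quiet, and `BASELINE_IMAGES` is where packaging, backup and administrative compression tools belong after they have been observed locally. The WS03 case shows the cost of a tight `WINDOW`: a long-running script that stages data twenty minutes after launch is missed, so widen the window or join on process lifetime where that pattern is common, and confirm that PowerShell script block logging is on, since the `-enc` payload itself is only visible there.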
Mitigation priorities
- Ensure Windows endpoint logging captures process lineage, command-line details, script activity, and file creation/modification events needed for this analytic.
- Limit unnecessary script execution privileges and review where PowerShell or automation tools are permitted for standard users.
- Establish baselines for legitimate archive, compression, and encryption activity on sensitive systems.
- Document triage playbooks for suspicious archive or encrypted file creation tied to scripts, including user validation, host containment criteria, and evidence preservation.
- Use results to inform broader endpoint hardening and incident response readiness rather than treating this analytic as a standalone control.
Analyst notes and limits
The supplied object is a detection analytic only. It names Windows as the supported platform and describes correlation logic, but it does not provide ATT&CK tactics, a formal detection query, linked techniques, data components, mitigations, or relationship context. Local environment knowledge is required to determine severity and reduce false positives.
This take is limited to the official STIX fields, the MITRE external reference, and the absence of supplied relationships. It does not imply active exploitation, attribution, complete detection coverage, or applicability outside Windows.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4aa78efa5ab6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1064
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.