AN1070: Analytic 1070
Adversaries collecting local files via PowerShell, WMI, or direct file API calls often include recursive file listings, targeted file reads, and temporary file staging.
Analyst context for executives and security teams
Analytic 1070 is about recognizing when local Windows files may be collected through PowerShell, WMI, or direct file API activity. For leaders, the practical issue is not the tool choice; it is whether the organization can see unusual recursive file listing, targeted reads, and temporary staging before data is moved elsewhere or an incident investigation loses context.
Executive priority
Treat this as a validation point for endpoint and SOC readiness on Windows systems. If business-critical documents, regulated data, credentials, or operational files reside on endpoints or file servers, leaders should ask whether monitoring can distinguish normal administrative access from suspicious bulk discovery, targeted file reads, and staging behavior. This supports incident response scoping, compliance evidence for data access monitoring, and control prioritization around PowerShell/WMI governance and endpoint telemetry.
Technical view
The supplied ATT&CK analytic is Windows-focused and describes local file collection patterns involving PowerShell, WMI, or direct file API calls. SOC and detection teams should validate whether their endpoint telemetry captures recursive directory enumeration, file read/open events for sensitive paths, script or command activity involving PowerShell and WMI, and creation of temporary staging files or archives. Because no official detection logic is provided and no relationships are supplied, teams should map this analytic to local log sources, approved administrative workflows, and known business applications before alerting.
Likely telemetry
- Windows process creation and command-line telemetry for PowerShell and WMI-related activity
- PowerShell script block, module, or operational logs where enabled
- WMI activity logs or EDR telemetry showing WMI execution or file access context
- Endpoint file system telemetry for recursive listings, targeted reads, file opens, copies, and temporary file creation
- EDR events linking process lineage to file access and staging behavior
Detection direction
- Validate visibility into PowerShell, WMI, and direct process-to-file interactions on Windows endpoints.
- Look for combinations of recursive file enumeration, targeted reads of sensitive locations, and creation of temporary staging files rather than relying on a single event type.
- Tune against legitimate administrative scripts, backup tools, indexing services, software deployment activity, and user-driven bulk file operations to reduce false positives.
- Prioritize correlation by user, host, process lineage, path sensitivity, volume of files touched, and timing outside normal business or maintenance windows.
- Identify blind spots where file access auditing, PowerShell logging, WMI visibility, or EDR file telemetry is disabled, sampled, or unavailable.
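One way to operationalize the correlation described in the points above, as an added example that is not part of the AN1070 record or of Glexia's analysis: constructed endpoint events are grouped by host, user and process, and a finding is raised only when at least two of the three behaviours (recursive enumeration, sensitive reads, temporary archive staging) occur inside one time window, with approved backup and indexing images tuned out. The event field names, the sensitive and staging paths, the allowlisted images and the sample events are all assumptions made for the example.

```python
"""Added example for the detection direction above. It is not part of the
AN1070 record or any vendor tooling; event field names, sensitive paths,
allowlisted images and the sample events are all constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed sensitive locations (inventory these per the mitigation list).
SENSITIVE_PREFIXES = ("c:\\finance\\", "c:\\hr\\", "c:\\users\\alice\\documents\\")
# Assumed staging indicators: an archive written under a temp directory.
STAGING_MARKERS = ("\\appdata\\local\\temp\\", "c:\\windows\\temp\\")
ARCHIVE_EXTENSIONS = (".zip", ".7z", ".rar", ".cab")
# Command-line fragments that indicate recursive enumeration via PowerShell/WMI.
ENUM_MARKERS = ("get-childitem -recurse", "gci -recurse", "dir /s", "cim_datafile")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wmic.exe")
# Approved administrative tooling tuned out to reduce false positives (assumed).
ALLOWLISTED_IMAGES = ("backupagent.exe", "searchindexer.exe")
WINDOW = timedelta(minutes=10)
MIN_INDICATORS = 2  # require a combination, never a single event type


def classify(event):
    """Map one endpoint event to the behaviour it evidences, or None."""
    image = event["image"].lower()
    if image in ALLOWLISTED_IMAGES:
        return None
    kind = event["type"]
    if kind == "process_create":
        cmd = event.get("cmdline", "").lower()
        if image in SCRIPT_HOSTS and any(m in cmd for m in ENUM_MARKERS):
            return "recursive_enumeration"
    elif kind == "file_read":
        if event["path"].lower().startswith(SENSITIVE_PREFIXES):
            return "sensitive_read"
    elif kind == "file_create":
        path = event["path"].lower()
        if any(m in path for m in STAGING_MARKERS) and path.endswith(ARCHIVE_EXTENSIONS):
            return "temp_staging"
    return None


def correlate(events, window=WINDOW, min_indicators=MIN_INDICATORS):
    """Group behaviours by (host, user, pid) and flag a group only when at
    least `min_indicators` distinct behaviours occur inside one window."""
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        label = classify(ev)
        if label:
            groups[(ev["host"], ev["user"], ev["pid"])].append((ev["ts"], label))
    findings = []
    for (host, user, pid), items in groups.items():
        for i, (t0, _) in enumerate(items):
            counts = defaultdict(int)
            for t, label in items[i:]:
                if t - t0 > window:
                    break
                counts[label] += 1
            if len(counts) >= min_indicators:
                findings.append({
                    "host": host, "user": user, "pid": pid, "first_seen": t0,
                    "indicators": sorted(counts),
                    "sensitive_files": counts["sensitive_read"],  # volume touched
                })
                break  # one finding per process group is enough for triage
    return findings


def _ev(minute, host, user, pid, image, kind, **fields):
    base = datetime(2025, 1, 1, 9, 0)  # constructed timestamp base
    return {"ts": base + timedelta(minutes=minute), "host": host, "user": user,
            "pid": pid, "image": image, "type": kind, **fields}


# Constructed sample telemetry: one suspicious chain, one approved backup
# agent, and one lone recursive listing with no sensitive reads or staging.
SAMPLE_EVENTS = [
    _ev(0, "WS01", "alice", 4242, "powershell.exe", "process_create",
        cmdline="powershell.exe Get-ChildItem -Recurse C:\\Finance"),
    _ev(1, "WS01", "alice", 4242, "powershell.exe", "file_read", path="C:\\Finance\\q3.xlsx"),
    _ev(2, "WS01", "alice", 4242, "powershell.exe", "file_read", path="C:\\Finance\\payroll.csv"),
    _ev(4, "WS01", "alice", 4242, "powershell.exe", "file_create",
        path="C:\\Users\\alice\\AppData\\Local\\Temp\\out.zip"),
    _ev(0, "FS02", "svc_backup", 555, "backupagent.exe", "file_read", path="C:\\Finance\\q3.xlsx"),
    _ev(3, "FS02", "svc_backup", 555, "backupagent.exe", "file_create",
        path="C:\\Windows\\Temp\\backup.zip"),
    _ev(0, "WS03", "carol", 777, "powershell.exe", "process_create",
        cmdline="powershell.exe Get-ChildItem -Recurse C:\\Projects"),
]


def run_sample():
    """Run the correlation over the constructed sample and return findings."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Only the WS01 chain is returned; the backup agent is allowlisted and the lone recursive listing on WS03 never reaches the two-indicator threshold. In a real pipeline the grouping key would normally be extended with parent process lineage, and the sensitive path list replaced by the inventory produced under the mitigation priorities.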
Mitigation priorities
- Inventory where sensitive local files are stored on Windows endpoints and file servers, then reduce unnecessary local data retention where possible.
- Apply least privilege so users and service accounts cannot broadly read sensitive directories without business need.
- Harden and monitor PowerShell and WMI usage according to approved administrative patterns.
- Ensure endpoint logging and EDR policies preserve enough process, command, and file activity context for incident response.
- Use tested IR playbooks for suspected local file collection, including host containment decisions, data access scoping, and preservation of relevant endpoint evidence.
Analyst notes and limits
This object is a detection analytic, not a full ATT&CK technique entry. The useful defensive value is in validating whether local file collection behavior can be reconstructed from Windows telemetry. The absence of supplied tactics, detection logic, and relationships means local environment baselining is required before operationalizing alerts.
Official detection content was not provided, and no relationship context was supplied. This take is limited to the official description, Windows platform field, and external reference for AN1070. It does not establish adversary attribution, active exploitation, impact, or guaranteed detection coverage.
Analytic 1070
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6abb66df947c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1070 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.