AN1108: Analytic 1108
Unexpected file creation in web directories followed by web server processes (e.g., w3wp.exe) spawning command shells or script interpreters (e.g., cmd.exe, powershell.exe)
Analyst context for executives and security teams
This analytic matters because it focuses on a high-risk Windows web server pattern: a new or unexpected file appears in a web directory, and a web server process such as w3wp.exe later starts a command shell or script interpreter such as cmd.exe or powershell.exe. For leaders, the decision value is whether web-facing Windows systems have enough endpoint and file telemetry to quickly distinguish normal application activity from behavior that may require urgent containment and incident response.
Executive priority
Prioritize this as a coverage-validation item for Windows web servers, especially systems supporting business-critical applications. The key executive question is not whether this analytic alone proves compromise, but whether the organization can reliably see and investigate the sequence it describes: unexpected file creation in web directories followed by shell or script execution from the web server process. This supports operational resilience, IR readiness, and audit evidence around monitoring of externally exposed application infrastructure.
Technical view
SOC and detection teams should validate visibility for Windows file creation in web directories and process creation lineage where web server processes, specifically examples like w3wp.exe, spawn cmd.exe, powershell.exe, or other script interpreters. Because no official detection logic is supplied, teams should build or tune correlation around sequence, parent-child process relationships, command-line context, file path, user context, and timing. Baseline legitimate deployment, maintenance, and application behaviors before escalating broadly.
Likely telemetry
- Windows endpoint process creation events with parent-child process lineage
- Command-line telemetry for cmd.exe, powershell.exe, and script interpreters spawned by web server processes
- File creation or file integrity monitoring events for web directories
- Web server process identity and host context, including examples such as w3wp.exe
- Change-management or deployment records to distinguish expected web content updates from unexpected file creation
Detection direction
- Validate that Windows web servers generate both file creation telemetry for web directories and process creation telemetry with parent process details.
- Correlate unexpected file creation in web directories with subsequent web server process spawning of command shells or script interpreters.
- Tune for known administrative, deployment, backup, or application maintenance activity to reduce false positives.
- Treat missing command-line, parent process, or web directory file telemetry as a material blind spot for this analytic.
- Because tactics and relationships are not supplied, avoid over-mapping this analytic to a specific ATT&CK technique without additional local or ATT&CK context.
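The correlation described in the Technical view and Detection direction above, worked through as an added example over constructed Sysmon-style events (this is not code from the ATT&CK object or from Glexia). The web server process list, the shell and interpreter list, the monitored directory, the approved deployment tool and the one-hour lookback are assumptions standing in for the local inventory, change records and baselining the page calls for; the tuning shown (approved writers, time window) is the false-positive reduction step the Detection direction asks for.

```python
"""Correlate unexpected file creation in a web directory with a later spawn of a
command shell or script interpreter by a web server process on the same host.
Events are constructed Sysmon-style records (FileCreate / ProcessCreate)."""
from datetime import datetime, timedelta

# Assumed local configuration; replace with the authoritative inventory.
WEB_SERVER_PROCESSES = {"w3wp.exe"}
SHELL_INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
MONITORED_WEB_DIRS = (r"c:\inetpub\wwwroot",)     # authoritative web directories
APPROVED_WRITERS = {"msdeploy.exe"}               # known deployment tooling (assumption)
LOOKBACK = timedelta(hours=1)                     # tuning knob: how far back to link a file create


def basename(path):
    """Last path component, lower-cased, so image comparisons ignore directory and case."""
    return path.rsplit("\\", 1)[-1].lower()


def in_web_dir(path):
    """True when the created file sits under one of the monitored web directories."""
    p = path.lower()
    return any(p.startswith(d) for d in MONITORED_WEB_DIRS)


def correlate(events, lookback=LOOKBACK):
    """Return one finding per web-server-spawned shell/interpreter that was preceded,
    within `lookback` on the same host, by a file create in a monitored web directory
    that was not performed by an approved deployment tool."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for ev in events:
        if ev["type"] != "ProcessCreate":
            continue
        if basename(ev["parent_image"]) not in WEB_SERVER_PROCESSES:
            continue
        if basename(ev["image"]) not in SHELL_INTERPRETERS:
            continue
        window_start = ev["ts"] - lookback
        prior = [
            f for f in events
            if f["type"] == "FileCreate"
            and f["host"] == ev["host"]
            and window_start <= f["ts"] <= ev["ts"]
            and in_web_dir(f["target"])
            and basename(f["image"]) not in APPROVED_WRITERS
        ]
        if prior:
            findings.append({"host": ev["host"], "spawn": ev, "files": prior})
    return findings


def _t(hhmm):
    return datetime(2026, 1, 15, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample telemetry: three hosts, only web01 should produce a finding
# at the default one-hour lookback (web02 is an approved deployment, web03's
# file create is four hours before the spawn).
SAMPLE_EVENTS = [
    {"type": "FileCreate", "host": "web01", "ts": _t("10:00"),
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\wwwroot\app\new_page.aspx"},
    {"type": "ProcessCreate", "host": "web01", "ts": _t("10:20"),
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "user": r"IIS APPPOOL\DefaultAppPool"},
    {"type": "FileCreate", "host": "web02", "ts": _t("09:00"),
     "image": r"C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe",
     "target": r"C:\inetpub\wwwroot\app\Default.aspx"},
    {"type": "ProcessCreate", "host": "web02", "ts": _t("09:05"),
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "user": r"IIS APPPOOL\DefaultAppPool"},
    {"type": "FileCreate", "host": "web03", "ts": _t("06:00"),
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\wwwroot\app\report.aspx"},
    {"type": "ProcessCreate", "host": "web03", "ts": _t("10:00"),
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "user": r"IIS APPPOOL\DefaultAppPool"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["host"], basename(f["spawn"]["image"]), "after",
              [x["target"] for x in f["files"]])
```

Widening the lookback (for example to five hours) also links web03, which is the kind of tuning decision the Detection direction leaves to local baselining; a web server spawning a shell with no linked file create (web02 here) is dropped by this rule but is still worth a lower-severity review path.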
Mitigation priorities
- Inventory Windows web servers and identify the authoritative web directories that should be monitored.
- Ensure endpoint logging or file integrity monitoring captures file creation in those directories.
- Ensure process monitoring captures parent-child relationships and command lines for web server processes.
- Restrict and review administrative pathways that can write to web directories, using least privilege and change control where applicable.
- Prepare incident response triage steps for hosts where this sequence appears, including validation against approved deployment activity.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique, and provides a concise behavioral description but no official detection logic, tactics, or relationship context. The analytic is strongest when used as a validation pattern for Windows web server monitoring and triage workflow readiness.
This take is limited to the official fields provided. It does not establish active exploitation, attribution, impact, or guaranteed detection. Local knowledge of web server roles, application deployment behavior, monitored directories, and logging quality is required to assess severity and reduce false positives.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 1097a479cbef… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1108 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.