MITRE ATT&CK® Analytic

AN1305: Analytic 1305

Windows-specific environmental keying behavioral chain: (1) Rapid system information discovery through multiple techniques (WMI queries, registry enumeration, network share discovery, hostname/domain checks), (2) Target validation through specific environmental artifact collection (AD domain membership, network topology, installed software versions), (3) Cryptographic operation correlation indicating payload decryption based on collected environmental values, (4) Subsequent malicious code execution following successful environmental validation, (5) Temporal clustering of discovery activities suggesting automated environmental assessment

Enterprise | AN1305 | Analytic | Object v1.0 | Modified (date not supplied in the mirrored object)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic describes a Windows behavior pattern where malware or tooling appears to check whether it is in the “right” environment before decrypting or running code. For leaders, the significance is that these checks can help adversary tooling avoid sandboxes, delay discovery, and execute only on selected enterprise systems. The defensive value is not a single indicator, but whether security teams can correlate rapid host, domain, software, network, and cryptographic activity into one suspicious chain.

Executive priority

Prioritize this as a validation question for SOC and incident response readiness: can the organization see and correlate Windows discovery activity, environmental artifact collection, cryptographic operations, and subsequent execution close together in time? This matters for resilience because environment-keyed behavior can reduce the usefulness of isolated malware analysis and make incidents harder to confirm quickly. It also supports audit and control discussions around endpoint telemetry completeness, centralized logging, and investigation playbooks for suspicious discovery followed by code execution.

Technical view

For Windows environments, detection engineering should focus on the behavioral chain described by ATT&CK: rapid system information discovery using WMI, registry enumeration, network share discovery, hostname or domain checks; collection of target-validation artifacts such as AD domain membership, network topology, and installed software versions; cryptographic activity that may indicate payload decryption using collected environmental values; and code execution shortly after successful validation. Because no official detection logic is provided, teams should build or validate correlation logic rather than relying on a single event type.

Likely telemetry

  • Windows process creation and command-line telemetry (Security event 4688 with command-line auditing enabled, or Sysmon Event ID 1), including parent-child relationships so that later execution can be tied back to the discovering process
  • WMI query and WMI activity logs (Microsoft-Windows-WMI-Activity/Operational, or the EDR's WMI sensor)
  • Registry access or registry enumeration telemetry; native Windows logging records writes far more readily than reads, so enumeration of keys such as the Uninstall hive usually needs EDR visibility or targeted registry-read auditing
  • Network share discovery and SMB-related activity (outbound SMB from the workstation, share-access events such as 5140 on the servers it touches)
  • Hostname, domain, and Active Directory membership lookups
  • Cryptographic API activity where the sensor exposes it; this is the thinnest stage in native logging and typically depends on EDR or memory analysis rather than event logs

Detection direction

  • Validate whether telemetry can connect multiple discovery behaviors from the same process, user, host, or process tree within a short time window.
  • Tune for temporal clustering: rapid WMI, registry, network share, hostname, domain, and software checks may be more meaningful together than individually.
  • Correlate environmental discovery with later cryptographic activity and subsequent execution, while treating each stage as supporting evidence rather than proof by itself.
  • Account for legitimate administration, inventory, software deployment, vulnerability scanning, and endpoint management tools as likely false-positive sources.
  • Review sandbox and malware-analysis workflows: environment-keyed samples may not execute fully unless analysis environments resemble enterprise hosts.
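The following is an added example of the correlation the Technical view and Detection direction items describe; it is not detection content from MITRE or from the page's author. It runs over constructed sample events (not captured logs) whose category names, 90-second clustering window, three-technique threshold and baseline image list are all assumptions to be tuned locally. Mapping raw Sysmon, ETW or EDR records into these categories is site-specific and is not shown.

```python
"""Correlation sketch for the AN1305 behavioural chain over constructed endpoint events."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Stage 1 discovery techniques and stage 2 validation artifacts named by the analytic.
DISCOVERY = {"wmi_query", "registry_enum", "share_discovery", "host_domain_check"}
VALIDATION = {"ad_domain_membership", "network_topology", "installed_software"}
WINDOW = timedelta(seconds=90)     # assumed clustering window; tune from local baselines
MIN_DISTINCT_DISCOVERY = 3         # assumed threshold for "multiple techniques"
MIN_STAGES = 2                     # discovery alone is never reported on its own
# Assumed baseline of inventory/management tooling; build yours from your own telemetry.
BASELINE_IMAGES = {r"C:\Windows\CCM\CcmExec.exe"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    pid: int
    ppid: int
    image: str
    category: str   # normalised event class; the raw-event mapping is site-specific
    detail: str


def make_event(ts, pid, ppid, image, category, detail, host="WS01"):
    return Event(datetime.fromisoformat(ts), host, pid, ppid, image, category, detail)


# Constructed sample telemetry, not captured logs: one suspicious process (4120),
# one baselined inventory agent (2200) and one low-signal process (3001).
SAMPLE = [
    make_event("2026-01-15T10:00:00", 4120, 1844, r"C:\Users\Public\update.exe", "wmi_query", "SELECT * FROM Win32_ComputerSystem"),
    make_event("2026-01-15T10:00:02", 4120, 1844, r"C:\Users\Public\update.exe", "registry_enum", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    make_event("2026-01-15T10:00:03", 4120, 1844, r"C:\Users\Public\update.exe", "installed_software", "84 Uninstall subkeys read"),
    make_event("2026-01-15T10:00:05", 4120, 1844, r"C:\Users\Public\update.exe", "host_domain_check", "hostname and domain name lookup"),
    make_event("2026-01-15T10:00:06", 4120, 1844, r"C:\Users\Public\update.exe", "ad_domain_membership", "domain-joined, forest CORP"),
    make_event("2026-01-15T10:00:09", 4120, 1844, r"C:\Users\Public\update.exe", "share_discovery", r"NetShareEnum \\DC01"),
    make_event("2026-01-15T10:00:20", 4120, 1844, r"C:\Users\Public\update.exe", "crypto_op", "BCryptDecrypt on 48 KB buffer"),
    make_event("2026-01-15T10:00:21", 4300, 4120, r"C:\Windows\System32\rundll32.exe", "process_create", "child of 4120"),
    # Baselined agent: similar discovery pattern, slower, no crypto, no child execution.
    make_event("2026-01-15T10:05:00", 2200, 900, r"C:\Windows\CCM\CcmExec.exe", "wmi_query", "SELECT * FROM Win32_OperatingSystem"),
    make_event("2026-01-15T10:05:10", 2200, 900, r"C:\Windows\CCM\CcmExec.exe", "registry_enum", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    make_event("2026-01-15T10:05:12", 2200, 900, r"C:\Windows\CCM\CcmExec.exe", "installed_software", "inventory cycle"),
    make_event("2026-01-15T10:05:15", 2200, 900, r"C:\Windows\CCM\CcmExec.exe", "host_domain_check", "hostname and domain name lookup"),
    # Two discovery techniques only: below the clustering threshold.
    make_event("2026-01-15T10:10:00", 3001, 1844, r"C:\Windows\System32\cmd.exe", "host_domain_check", "hostname"),
    make_event("2026-01-15T10:10:01", 3001, 1844, r"C:\Windows\System32\cmd.exe", "share_discovery", "net view"),
]


def correlate(events, window=WINDOW, min_distinct=MIN_DISTINCT_DISCOVERY, min_stages=MIN_STAGES):
    """Return one finding per process whose events form discovery -> validation -> crypto -> execution."""
    by_proc = defaultdict(list)
    children = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.category == "process_create":
            children[(e.host, e.ppid)].append(e)   # execution is attributed to the parent
        else:
            by_proc[(e.host, e.pid)].append(e)

    findings = []
    for (host, pid), evs in by_proc.items():
        image = evs[0].image
        disc = [e for e in evs if e.category in DISCOVERY]
        # Temporal clustering: the densest set of distinct discovery techniques inside one window.
        best_cats, start = set(), None
        for anchor in disc:
            cats = {x.category for x in disc if anchor.ts <= x.ts <= anchor.ts + window}
            if len(cats) > len(best_cats):
                best_cats, start = cats, anchor.ts
        if len(best_cats) < min_distinct:
            continue
        # Later stages must follow the cluster; each is supporting evidence, none is proof alone.
        validation = {e.category for e in evs if e.category in VALIDATION and start <= e.ts <= start + 2 * window}
        crypto = [e for e in evs if e.category == "crypto_op" and e.ts >= start]
        execs = [c for c in children[(host, pid)] if crypto and c.ts >= crypto[0].ts]
        stages = {"discovery": True, "validation": bool(validation),
                  "crypto": bool(crypto), "execution": bool(execs)}
        score = sum(stages.values())
        if score < min_stages:
            continue
        # Baselined tools surface only when the decrypt-then-execute tail is also present.
        if image in BASELINE_IMAGES and not (stages["crypto"] and stages["execution"]):
            continue
        findings.append({
            "host": host, "pid": pid, "image": image, "cluster_start": start,
            "discovery_techniques": sorted(best_cats), "validation_artifacts": sorted(validation),
            "stages": stages, "score": score, "child_images": [c.image for c in execs],
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f"{f['host']} pid={f['pid']} {f['image']} score={f['score']}/4 stages={f['stages']}")
```

On the sample input only update.exe is reported, with all four stages; the SCCM client performs three of the same discovery techniques but is suppressed by the baseline because nothing decrypts or executes afterwards, and cmd.exe never reaches the clustering threshold. The score is deliberately additive rather than a yes/no match so that a partial chain (discovery plus crypto but no visible child, say, because the sensor missed an in-process stage) still reaches an analyst as lower-priority evidence.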

Mitigation priorities

  • Ensure Windows endpoint telemetry is collected centrally with sufficient process, command-line, WMI, registry, and execution detail.
  • Baseline legitimate administrative and inventory tools so clustered discovery behavior can be distinguished from expected operations.
  • Harden and monitor script execution, administrative tooling, and unnecessary discovery paths where business use is limited.
  • Maintain IR playbooks that treat discovery followed by decryption-like behavior and execution as a higher-priority investigation pattern.
  • Use controlled lab and detonation environments that can support analysis of environment-dependent behavior, while recognizing that not all payload logic will reveal itself.
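To make the detonation caveat concrete, here is an added toy illustration of environmental keying. It is not code from the page, from MITRE, or from any real sample; the key derivation (SHA-256 over an assumed domain and hostname pair), the SHA-256 counter keystream standing in for a real cipher, the hypothetical target FIN-WS-042 in domain CORP and the payload string are all constructed for the example. The point it demonstrates is that a generic sandbox never produces the key, so the second stage never appears, while a lab seeded with values recovered from the incident does.

```python
"""Toy environmental keying: the second stage unlocks only in the intended environment."""
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

TAG_LEN = 16


def derive_key(domain: str, hostname: str) -> bytes:
    """Key material comes only from values a loader discovers at run time (assumed scheme)."""
    material = f"{domain.upper()}|{hostname.upper()}".encode()
    return hashlib.sha256(material).digest()


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a stand-in for a real cipher so the example needs no extra library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(payload: bytes, domain: str, hostname: str) -> bytes:
    """Builder side: encrypt the stage under the target's environment key and attach a tag."""
    key = derive_key(domain, hostname)
    body = bytes(p ^ k for p, k in zip(payload, keystream(key, len(payload))))
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return tag + body


def try_open(blob: bytes, domain: str, hostname: str) -> Optional[bytes]:
    """Loader side: decrypt only if the discovered environment reproduces the key, else stay dormant."""
    key = derive_key(domain, hostname)
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(body, keystream(key, len(body))))


def open_with_candidates(blob: bytes, candidates: Iterable[Tuple[str, str]]):
    """Analyst side: replay (domain, hostname) pairs harvested from the incident until one unlocks the blob."""
    for domain, hostname in candidates:
        payload = try_open(blob, domain, hostname)
        if payload is not None:
            return domain, hostname, payload
    return None


# Constructed demo values: hypothetical target workstation FIN-WS-042 in domain CORP.
PAYLOAD = b"stage two: would run only on the intended enterprise host"
BLOB = seal(PAYLOAD, "CORP", "FIN-WS-042")

if __name__ == "__main__":
    print("generic sandbox:", try_open(BLOB, "WORKGROUP", "SANDBOX-PC"))
    print("lab seeded from incident data:",
          open_with_candidates(BLOB, [("WORKGROUP", "SANDBOX-PC"), ("CORP", "FIN-WS-042")]))
```

The practical consequence for the lab is that the values the loader was observed collecting (the same WMI, registry, hostname and domain artifacts the analytic lists) are the inputs the analysis environment has to reproduce; without them the authenticated decrypt fails silently and the sample looks inert.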

Analyst notes and limits

This object is a detection analytic, not a technique description or intrusion report. Its strongest decision value is as a coverage test for behavioral correlation on Windows endpoints. The object carries no relationships, tactics, or aliases and no official detection query, so local implementation must be driven by the endpoint and Windows logging sources actually available.

The supplied ATT&CK fields do not provide detection logic, severity, adversary attribution, active exploitation evidence, or relationship context. Windows is the only platform listed on the object. Any assessment of exposure, alert quality, or control effectiveness requires local telemetry, baselines, and incident data.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate any related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions; for this object the mirrored data currently carries no such relationships, so that validation has to come from local sources.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not supplied in the mirrored object)
Modified: (not supplied in the mirrored object)
Raw hash: 6bd293b7e2b8b832...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not supplied) | 1.0 | (not supplied) | Current bundle | 6bd293b7e2b8…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN1305 (external source URL retained with the mirrored object)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.