AN1407: Analytic 1407
Detects suspicious SVG file creation or download events followed by script engine execution (e.g., wscript.exe, mshta.exe, rundll32.exe), network callbacks, or browser-based credential collection.
Analyst context for executives and security teams
This analytic is relevant because SVG files can become a delivery or trigger point for follow-on script execution, outbound network activity, or browser-based credential collection on Windows systems. For leaders, the value is not the SVG file alone; it is whether the organization can correlate a newly created or downloaded file with suspicious process execution and network behavior quickly enough to support containment decisions.
Executive priority
Prioritize this as a validation item for endpoint, web/download, process, and network telemetry correlation on Windows. It supports business resilience by testing whether the SOC can connect an initial file event to possible credential exposure or command execution activity. Leaders should ask whether current logging and managed detection workflows can show the sequence of events, not just isolated alerts.
Technical view
Validate whether Windows telemetry can identify suspicious SVG file creation or download events and correlate them with subsequent execution by script-capable processes such as wscript.exe, mshta.exe, or rundll32.exe, as well as network callbacks or browser-based credential collection indicators. Because the ATT&CK object does not provide a detection implementation, teams should treat this as an analytic design requirement: sequence file event, process execution, browser activity, and network evidence within a practical time window and review false positives from legitimate SVG downloads, design tools, web content, and normal browser behavior.
Likely telemetry
- Windows file creation and download evidence for .svg files
- Process creation telemetry for wscript.exe, mshta.exe, rundll32.exe, and related parent-child process context
- Browser download and browsing activity where available
- Network connection or proxy/DNS evidence showing callbacks after SVG creation or download
- Endpoint security alerts or EDR event chains linking file, process, browser, and network activity
Detection direction
- Build or validate correlation logic that starts with SVG creation/download and looks for nearby script engine execution, network callbacks, or browser credential-collection behavior.
- Tune for context: SVG files are common in normal web and design workflows, so the useful signal is the suspicious sequence and process/network context rather than file extension alone.
- Review parent-child process lineage, user context, file path, download source, and timing to reduce false positives.
- Confirm whether telemetry gaps exist for browser downloads, process creation, command-line capture, and outbound network visibility.
- Because no ATT&CK relationships or tactic mappings are supplied, avoid over-scoping this analytic to a specific campaign or technique without local evidence.
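Correlation logic of the kind this section describes, as an added example that is not part of the ATT&CK object or of the Glexia page. It walks a constructed event stream (file creation, process creation, network connection; the schema and field names, the hosts, users, paths and the 203.0.113.10 address are all assumptions for illustration), pairs each .svg creation with a later script-engine launch by the same user on the same host inside a time window, attaches any network connections made by that process before the window closes, and weights three corroborating signals (command line referencing the SVG, browser parent, outbound callback) so that a bare coincidence surfaces as low severity instead of being either dropped or promoted.

```python
"""Correlate SVG file creation with follow-on script-engine execution and
network callbacks, in the spirit of AN1407. Added example: the event schema,
hosts, users, paths and addresses below are constructed, not real telemetry."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SCRIPT_ENGINES = {"wscript.exe", "mshta.exe", "rundll32.exe"}  # extend locally
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}         # assumed parents
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str          # "file_create" | "process_create" | "network_connect"
    path: str = ""     # file_create: created file path
    image: str = ""    # process_create / network_connect: process image
    parent: str = ""   # process_create: parent image
    cmdline: str = ""  # process_create: full command line
    pid: int = 0       # process_create / network_connect: process id
    dest: str = ""     # network_connect: destination address:port


@dataclass
class Alert:
    host: str
    user: str
    svg_path: str
    image: str
    parent: str
    lag_seconds: float
    callbacks: list = field(default_factory=list)
    severity: str = "low"


def score(refs_svg: bool, parent_is_browser: bool, has_callback: bool) -> str:
    """Zero corroborating signals is 'low': SVG downloads and these binaries
    are both common on their own, so the sequence alone is weak evidence."""
    points = int(refs_svg) + int(parent_is_browser) + int(has_callback)
    return "low" if points == 0 else "medium" if points == 1 else "high"


def correlate(events, window=timedelta(minutes=5), min_severity="low"):
    """One Alert per (SVG creation, later script-engine launch) pair on the
    same host and user inside `window`, enriched with that process's
    network connections made before the window closes."""
    ordered = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, fe in enumerate(ordered):
        if fe.kind != "file_create" or not fe.path.lower().endswith(".svg"):
            continue
        deadline = fe.ts + window
        for pe in ordered[i + 1:]:
            if pe.ts > deadline:
                break  # sorted input: nothing later can fall in the window
            if (pe.kind != "process_create" or pe.host != fe.host
                    or pe.user != fe.user
                    or pe.image.lower() not in SCRIPT_ENGINES):
                continue
            callbacks = [ne.dest for ne in ordered
                         if ne.kind == "network_connect" and ne.host == pe.host
                         and ne.pid == pe.pid and pe.ts <= ne.ts <= deadline]
            sev = score(fe.path.lower() in pe.cmdline.lower(),
                        pe.parent.lower() in BROWSERS, bool(callbacks))
            if SEVERITY_RANK[sev] < SEVERITY_RANK[min_severity]:
                continue
            alerts.append(Alert(fe.host, fe.user, fe.path, pe.image, pe.parent,
                                (pe.ts - fe.ts).total_seconds(), callbacks, sev))
    return alerts


def _t(hhmmss: str) -> datetime:
    return datetime.fromisoformat(f"2025-01-15T{hhmmss}")


# Constructed sample telemetry: a suspicious chain on WS01, a benign SVG
# download on WS02, and an unrelated wscript.exe launch on WS03.
SAMPLE_EVENTS = [
    Event(_t("10:00:00"), "WS01", "alice", "file_create",
          path=r"C:\Users\alice\Downloads\invoice.svg"),
    Event(_t("10:00:12"), "WS01", "alice", "process_create", image="mshta.exe",
          parent="msedge.exe", pid=4412,
          cmdline=r'mshta.exe "C:\Users\alice\Downloads\invoice.svg"'),
    Event(_t("10:00:15"), "WS01", "alice", "network_connect", image="mshta.exe",
          pid=4412, dest="203.0.113.10:443"),
    Event(_t("10:02:30"), "WS01", "alice", "process_create", image="rundll32.exe",
          parent="explorer.exe", pid=5120,
          cmdline="rundll32.exe shell32.dll,Control_RunDLL"),
    Event(_t("10:05:00"), "WS02", "bob", "file_create",
          path=r"C:\Users\bob\Downloads\logo.svg"),
    Event(_t("10:30:00"), "WS02", "bob", "process_create", image="rundll32.exe",
          parent="svchost.exe", pid=6100, cmdline="rundll32.exe printui.dll,PrintUIEntry"),
    Event(_t("10:06:00"), "WS03", "carol", "process_create", image="wscript.exe",
          parent="explorer.exe", pid=7001, cmdline=r"wscript.exe C:\Tools\inventory.vbs"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a.severity:6} {a.host} {a.user} {a.image} <- {a.parent} "
              f"+{a.lag_seconds:.0f}s callbacks={a.callbacks}")
```

Run as a script it prints two candidate chains for the same download: the mshta.exe launch from msedge.exe that names the SVG and then calls out scores high, while the explorer.exe-spawned rundll32.exe two and a half minutes later scores low and is the kind of match that gets suppressed once baselined (or filtered with `min_severity="medium"`). The window, the script-engine set and the browser set are the tuning knobs the bullets above refer to; in a SIEM the same join is expressed over file, process and network tables keyed on host, user and process id.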
Mitigation priorities
- Ensure Windows endpoint logging and EDR collection cover file creation/download, process execution, and network connection events needed for correlation.
- Restrict or monitor unnecessary use of script execution utilities where business operations permit.
- Apply least-privilege and credential protection practices to reduce the impact of browser-based credential collection attempts.
- Use web, email, and download controls to inspect or govern risky file delivery paths where SVG files enter the environment.
- Document detection logic, telemetry sources, and investigation steps as compliance and incident response evidence.
Analyst notes and limits
This object is a detection analytic, not a full technique description. The supplied description centers on suspicious SVG file creation or download followed by script engine execution, network callbacks, or browser-based credential collection on Windows. No official detection logic, relationships, tactics, groups, software, or mitigations were supplied, so local implementation must be based on available telemetry and environment-specific baselines.
The source fields do not provide a query, data source list, tactic mapping, related ATT&CK techniques, attribution, or evidence of active exploitation. Coverage cannot be assumed without validating Windows endpoint, browser/download, and network telemetry in the local environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d33cc7a190d9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1407
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.