MITRE ATT&CK® Analytic

AN1528: Analytic 1528

Detects the creation or execution of padded binary files (e.g., large size but minimal legitimate content) followed by process execution or lateral movement from the host.

Domain: Enterprise. Object type: Analytic. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic targets suspicious Windows binaries that appear artificially padded: very large files with little legitimate content, followed by execution or possible lateral movement from the host. For leaders, the value is not the file-size anomaly alone; it is whether the organization can connect file creation, process execution, and host-to-host activity quickly enough to decide whether a Windows endpoint is becoming a launch point for broader compromise.

Executive priority

Prioritize this as a validation of endpoint and SOC correlation maturity. The business question is whether teams can prove they collect and join the evidence needed to investigate unusual binary staging and subsequent execution or movement from a Windows system. This supports incident response readiness, audit evidence for monitoring controls, and resilience planning where lateral movement from one host could affect critical operations.

Technical view

Because the supplied ATT&CK object provides no official detection logic and no tactic mapping for this analytic, teams should treat AN1528 as a detection engineering requirement rather than a finished rule. Validate Windows telemetry for file creation metadata, file size, executable content characteristics where available (for example whole-file or per-section entropy, or the amount of data appended after the last PE section), process start events, parent-child process context, command line, user/account context, host identity, and subsequent network or remote execution activity. Detection should focus on correlation: a padded or unusually large executable-like file, followed by execution of that file, followed by outbound host-to-host activity or other lateral movement indicators from the same endpoint.

Likely telemetry

  • Windows file creation and modification events, including file path, size, extension, timestamps, and hash where available
  • Endpoint process execution telemetry, including image path, command line, parent process, user, and host
  • Endpoint security or EDR file reputation/content inspection metadata where available
  • Windows authentication and logon activity associated with the executing user or host
  • Network connection telemetry from the originating Windows host after execution

Detection direction

  • Confirm that file-size anomalies can be queried and correlated with later execution on Windows endpoints; many environments collect process events but not durable file creation metadata.
  • Tune for combinations rather than file size alone, because large legitimate installers, archives, updates, and software deployment packages can create false positives.
  • Correlate the suspicious file with process ancestry, signer or reputation metadata if available, user context, and timing of outbound or host-to-host activity.
  • Validate whether the SOC can pivot from the initial host to lateral movement evidence; the ATT&CK object explicitly mentions process execution or lateral movement from the host, but supplies no specific relationship context.
  • Document blind spots where endpoint logs are short-lived, file metadata is not retained, command lines are disabled, or network telemetry cannot be tied back to a host and process.
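As an added worked example (not part of the ATT&CK object and not Glexia's or MITRE's detection logic), the Python below sketches the correlation described under Technical view and Detection direction: a content check that estimates how much of a binary is low-entropy filler, then a three-stage join of file creation, execution of that same path, and host-to-host connections from the resulting process. Every host, path, user, port, timestamp and file body is constructed for the example; the 1 MB size floor, the 0.9 padding ratio, the 1-bit-per-byte entropy threshold and the set of lateral-movement ports are illustrative assumptions to be replaced by local baselines. The second host in the sample carries a large but dense installer that is executed and then talks SMB, which is exactly the false-positive shape the tuning bullets warn about, and it must not alert.

```python
"""Added example (not MITRE's or Glexia's detection logic): padded-binary
scoring plus a file_create -> process_create -> network_connect correlation.
All hosts, paths, ports, timestamps and file contents below are constructed."""
import math
import random
from collections import Counter
from datetime import datetime, timedelta

# Assumed thresholds; replace with local baselines (see "Detection direction").
MIN_SIZE = 1_000_000          # lowered so the constructed sample stays small
MIN_PADDING_RATIO = 0.9       # fraction of the file that is low-entropy filler
ENTROPY_THRESHOLD = 1.0       # bits per byte; runs of 0x00/0x90 score near 0
CHUNK_SIZE = 4096
# Ports that commonly carry host-to-host administrative traffic on Windows
# (SMB, RPC endpoint mapper, RDP, WinRM); assumed, tune to your environment.
LATERAL_PORTS = {445, 135, 3389, 5985, 5986}


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte for one chunk; 0.0 for empty input or a single repeated byte."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def padding_ratio(data: bytes) -> float:
    """Fraction of bytes living in low-entropy chunks. Compressed installers are
    mostly dense payload and score near 0; a padded dropper scores near 1."""
    if not data:
        return 0.0
    low = sum(len(data[i:i + CHUNK_SIZE])
              for i in range(0, len(data), CHUNK_SIZE)
              if shannon_entropy(data[i:i + CHUNK_SIZE]) < ENTROPY_THRESHOLD)
    return low / len(data)


def is_padded_binary(data: bytes, min_size: int = MIN_SIZE) -> bool:
    """Size alone is not the signal: require both size and a high padding ratio."""
    return len(data) >= min_size and padding_ratio(data) >= MIN_PADDING_RATIO


def correlate(events, files, min_size=MIN_SIZE,
              exec_window=timedelta(minutes=30), move_window=timedelta(hours=2)):
    """Join creation of a padded binary to its execution and to lateral-looking
    connections from that process. `events` are Sysmon-like dicts; `files` maps
    path -> bytes, standing in for an EDR content-inspection hook (assumed)."""
    alerts = []
    for fe in (e for e in events if e["type"] == "file_create"):
        data = files.get(fe["path"])
        if data is None or not is_padded_binary(data, min_size):
            continue                      # large-but-dense installers drop out here
        alert = {"host": fe["host"], "path": fe["path"], "stage": "staged",
                 "padding_ratio": round(padding_ratio(data), 3)}
        execs = [e for e in events
                 if e["type"] == "process_create" and e["host"] == fe["host"]
                 and e["image"].lower() == fe["path"].lower()
                 and fe["ts"] <= e["ts"] <= fe["ts"] + exec_window]
        if execs:
            pe = execs[0]
            alert.update(stage="executed", pid=pe["pid"], parent=pe["parent_image"],
                         user=pe["user"], cmdline=pe["cmdline"])
            moves = [e for e in events
                     if e["type"] == "network_connect" and e["host"] == fe["host"]
                     and e["pid"] == pe["pid"] and e["dst_port"] in LATERAL_PORTS
                     and pe["ts"] <= e["ts"] <= pe["ts"] + move_window]
            if moves:
                alert.update(stage="executed_then_lateral",
                             targets=sorted({f'{m["dst_ip"]}:{m["dst_port"]}' for m in moves}))
        alerts.append(alert)
    return alerts


# --- constructed sample data (not real telemetry) ---------------------------
_rng = random.Random(1528)
T0 = datetime(2024, 1, 1, 9, 0, 0)
PADDED = r"C:\Users\Public\update.exe"
INSTALLER = r"C:\Temp\vendor-setup.exe"
SAMPLE_FILES = {
    PADDED: b"MZ" + _rng.randbytes(64 * 1024) + b"\x00" * (2 * 1024 * 1024),  # 64 KiB real, 2 MiB filler
    INSTALLER: b"MZ" + _rng.randbytes(2 * 1024 * 1024),                     # large but dense
}
SAMPLE_EVENTS = [
    {"ts": T0, "host": "WS01", "type": "file_create", "path": PADDED},
    {"ts": T0 + timedelta(minutes=2), "host": "WS01", "type": "process_create", "pid": 4120,
     "image": PADDED, "parent_image": r"C:\Windows\System32\cmd.exe",
     "user": r"CORP\jdoe", "cmdline": "update.exe /s"},
    {"ts": T0 + timedelta(minutes=5), "host": "WS01", "type": "network_connect", "pid": 4120,
     "dst_ip": "10.0.0.25", "dst_port": 445},
    {"ts": T0 + timedelta(minutes=6), "host": "WS01", "type": "network_connect", "pid": 4120,
     "dst_ip": "10.0.0.26", "dst_port": 5985},
    # Same shape on WS02, but the file is a dense installer: size alone must not alert.
    {"ts": T0 + timedelta(minutes=10), "host": "WS02", "type": "file_create", "path": INSTALLER},
    {"ts": T0 + timedelta(minutes=11), "host": "WS02", "type": "process_create", "pid": 800,
     "image": INSTALLER, "parent_image": r"C:\Windows\explorer.exe",
     "user": r"CORP\asmith", "cmdline": "vendor-setup.exe"},
    {"ts": T0 + timedelta(minutes=12), "host": "WS02", "type": "network_connect", "pid": 800,
     "dst_ip": "10.0.0.25", "dst_port": 445},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS, SAMPLE_FILES):
        print(a)
```

Running the block prints one alert, for WS01, at stage executed_then_lateral with both targets listed; WS02 produces nothing because its installer fails the padding-ratio check even though it passes the size floor and exhibits the same execute-then-SMB sequence. The stage field is what gives an analyst the pivot the page asks for: "staged" means the padded file exists but never ran, "executed" adds the process ancestry and user, and "executed_then_lateral" is the case that justifies isolating the host. In production the content check would come from EDR inspection at file-create time rather than re-reading the file, and the windows and port list should be set from local baselines.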

Mitigation priorities

  • Ensure Windows endpoint monitoring captures file creation metadata and process execution with enough retention for incident response.
  • Prioritize control validation around execution of untrusted or unusual binaries, using existing application control, endpoint protection, and least-privilege practices where applicable.
  • Strengthen lateral movement visibility by validating authentication, remote administration, and host-to-host network monitoring coverage.
  • Use detection testing to confirm analysts can triage benign large binaries versus suspicious padded executables without relying on file size alone.
  • Maintain response playbooks for isolating a Windows host, preserving file and process evidence, and scoping any subsequent movement.

Analyst notes and limits

AN1528 is a detection analytic object for Windows in ATT&CK enterprise release 19.1. The supplied object describes the intended behavior but does not include official detection logic, tactics, aliases, labels, or relationship context. The practical value is therefore in using it to test whether telemetry sources can be correlated across file staging, execution, and post-execution movement from the same host.

This take is limited to the supplied ATT&CK fields and external reference. It does not assert active exploitation, adversary attribution, specific malware behavior, or guaranteed detection coverage. Local baselines are required to distinguish suspicious padded binaries from legitimate large Windows software packages, installers, and administrative tools.

Official MITRE ATT&CK definition

Analytic 1528

Detects the creation or execution of padded binary files (e.g., large size but minimal legitimate content) followed by process execution or lateral movement from the host.

The same entry is available on attack.mitre.org as the MITRE-hosted reference; in-page links on this page use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created: not present in this snapshot
Modified: not present in this snapshot
Raw hash: dfed0258737f9236...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not shown) | 1.0 | (not shown) | Current bundle | dfed0258737f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack, AN1528 (source URL in the mirrored reference record)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.