MITRE ATT&CK® Analytic

AN1858: Analytic 1858

Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Monitor for changes made to services that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.

Monitor for newly constructed scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Monitor for changes made to scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.

Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Monitor for file names that are mismatched between the file name on disk and that of the binary's metadata. This is a likely indicator that a binary was renamed after it was compiled. Collect file hashes. Monitor for file names that do not match their expected hash. Perform file monitoring. Files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters "\u202E", "[U+202E]", and "%E2%80%AE".

Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.[1]

For added context on adversary procedures and background see Masquerading and applicable sub-techniques.

ICS | AN1858 | Analytic | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN1858 is a detection analytic for spotting masquerading behavior: files, services/daemons, scheduled jobs, and command activity that are made to look legitimate or benign. For security leaders, the practical value is not the specific object name but the control question it raises: can the organization prove when trusted-looking artifacts were newly created, renamed, moved to unusual locations, or changed outside normal update and patch processes? In ICS environments, that evidence can be important for distinguishing routine maintenance from activity that may hide persistence or operator deception.

Executive priority

Prioritize this analytic as a validation point for endpoint and operational resilience monitoring, especially where service changes, scheduled task changes, and file integrity are part of incident response or compliance evidence. Leaders should ask whether teams can baseline legitimate software, patch, and maintenance activity well enough to identify suspicious lookalike artifacts without overwhelming the SOC. Because no specific platform or tactic is supplied, this should be treated as a cross-cutting detection-quality requirement rather than a platform-specific control.

Technical view

SOC and detection teams should validate collection and correlation for newly created services/daemons, changes to existing services, newly created or modified scheduled jobs, file changes outside approved update or patch windows, command execution with arguments, file hashes, file paths, and binary metadata. The analytic specifically calls out mismatches between on-disk filenames and binary metadata, known filenames appearing in unusual locations, hashes that do not match expected files, and deceptive filename characters such as trailing spaces or right-to-left override characters. Use Masquerading as background only (T0849 in ICS ATT&CK; Enterprise T1036 and its sub-techniques); no direct relationship context was supplied for this object.
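The file-artifact checks the definition and the technical view describe, worked as an added example (an editor's illustration, not code from the analytic, from Glexia, or from MITRE). It applies four checks to a constructed inventory of file records: on-disk name versus the binary's embedded original filename, a known name outside its expected directory, a known name whose hash does not match the baseline, and deceptive characters (a trailing space, and the right-to-left override in its raw, escaped and percent-encoded spellings). The baseline entries, the record schema (path, content, original_filename) and the sample records are assumptions made for this example; the hashes are of placeholder bytes, not of real binaries.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline of well-known binary names: the hash the environment
# expects and the directories where the name legitimately lives. The hashes
# are of placeholder bytes, not of real Windows binaries.
BASELINE = {
    "svchost.exe": {"sha256": sha256_hex(b"constructed svchost image"),
                    "dirs": {r"c:\windows\system32"}},
    "lsass.exe": {"sha256": sha256_hex(b"constructed lsass image"),
                  "dirs": {r"c:\windows\system32"}},
}

# The right-to-left override as it may appear raw in a filename, escaped in a
# log field, or percent-encoded in a URL or web log (the three forms the
# analytic lists). Compared case-insensitively against the lowercased name.
RLO_FORMS = ("\u202e", "\\u202e", "[u+202e]", "%e2%80%ae")


def split_path(path: str):
    """Return (lowercased parent directory, on-disk name), keeping any trailing space."""
    normalized = path.replace("/", "\\")
    parent, _, name = normalized.rpartition("\\")
    return parent.lower(), name


def check_record(record: dict) -> list:
    """Apply the analytic's file checks to one inventory record (assumed schema:
    path, content bytes, original_filename or None when the file carries none)."""
    findings = []
    parent, name = split_path(record["path"])
    key = name.lower()

    # Name on disk differs from the binary's metadata: likely renamed after compilation.
    meta = record.get("original_filename")
    if meta and meta.lower() != key:
        findings.append("metadata-mismatch")

    expected = BASELINE.get(key)
    # Known name, but not in a directory where the baseline expects it.
    if expected and parent not in expected["dirs"]:
        findings.append("unusual-location")
    # Known name whose content hash does not match the expected hash.
    if expected and sha256_hex(record["content"]) != expected["sha256"]:
        findings.append("hash-mismatch")

    # Deceptive characters aimed at users misreading the file type.
    if name.endswith(" "):
        findings.append("trailing-space")
    if any(form in name.lower() for form in RLO_FORMS):
        findings.append("rtl-override")

    return sorted(findings)


# Constructed sample inventory: one clean record and three masquerading patterns.
RECORDS = [
    {"path": r"C:\Windows\System32\svchost.exe", "original_filename": "svchost.exe",
     "content": b"constructed svchost image"},
    {"path": r"C:\Users\Public\svchost.exe", "original_filename": "updater.exe",
     "content": b"something else entirely"},
    {"path": "C:\\Users\\operator\\Downloads\\invoice\u202Efdp.exe",
     "original_filename": None, "content": b"dropper"},
    {"path": r"C:\Users\operator\Desktop\readme.txt ", "original_filename": None,
     "content": b"text"},
]


def scan(records) -> dict:
    """Map each path with at least one finding to its sorted list of findings."""
    results = {}
    for record in records:
        findings = check_record(record)
        if findings:
            results[record["path"]] = findings
    return results


if __name__ == "__main__":
    for path, findings in scan(RECORDS).items():
        print(repr(path), findings)
```

In a real environment the baseline comes from an approved software inventory and the original_filename field from the file's version resource; the three RLO spellings matter because the raw character is what lands on disk while the escaped and percent-encoded forms are what an EDR export or a web proxy log will show.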

Likely telemetry

  • Service or daemon creation events
  • Service configuration change events
  • Scheduled job or task creation events
  • Scheduled job or task modification events
  • File creation, modification, and location monitoring
  • File hashes and binary metadata (such as the embedded original filename)
  • Command execution with arguments

Detection direction

  • Compare newly observed files against expected filename, path, metadata, and hash combinations for the environment.
  • Alert or hunt for known legitimate-looking filenames located in unusual directories or changed outside normal update or patch activity.
  • Look for filename and metadata mismatches that may indicate a binary was renamed after compilation.
  • Inspect filenames containing deceptive characters, including trailing spaces and right-to-left override representations.
  • Correlate service/daemon and scheduled job creation or modification with file changes and command execution to reduce single-signal noise.

Mitigation priorities

  • Establish and maintain approved baselines for critical files, services/daemons, scheduled jobs, file hashes, and expected installation paths.
  • Define and enforce change-control expectations for updates, patches, service changes, and scheduled job changes.
  • Ensure SOC and IR teams have access to file integrity, command execution, and service or scheduled job telemetry needed to investigate masquerading indicators.
  • Use allowlists or approved software inventories where appropriate to distinguish expected artifacts from suspicious lookalikes.
  • Include filename deception and metadata mismatch checks in detection engineering and incident response playbooks.

Analyst notes and limits

The official object is an ICS ATT&CK detection analytic, external ID AN1858, associated with detection strategy DET0725. Its description provides monitoring guidance for masquerading-style artifacts, including services/daemons, scheduled jobs, command arguments, file hashes, unusual locations, and deceptive filename characters. No platforms, tactics, aliases, labels, relationships, or separate official detection field were supplied.

This take is limited to the supplied STIX fields, external references, and lack of relationship context. It does not assert specific affected platforms, adversary use, active exploitation, impact, or detection coverage. Local baselines, asset visibility, maintenance processes, and available telemetry determine whether this analytic is practical and reliable in a given environment.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not supplied in the mirrored snapshot)
Modified: (not supplied in the mirrored snapshot)
Raw hash: 6437e7a0eb408d50...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 6437e7a0eb40…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Twitter ItsReallyNick Masquerading Update. Carr, N. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved September 12, 2024.
  2. [2] mitre-attack AN1858 (MITRE ATT&CK source record for this analytic).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.