AN1881: Analytic 1881
Monitor for unexpected/abnormal access to files that may be malicious collection of local data, such as user files (e.g., .pdf, .docx, .jpg, .dwg) or local databases. Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data. Monitor for any suspicious attempts to enable scripts running on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data. Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Analyst context for executives and security teams
AN1881 is a detection analytic for spotting suspicious local data discovery and collection behavior: abnormal access to user files, local databases, file systems, scripts, commands, API calls, or system management tooling used to locate sensitive data. For leaders, the value is not just finding file access—it is validating whether the organization can recognize when an endpoint or ICS-adjacent system is being searched for drawings, documents, images, databases, or other operationally sensitive information before that activity becomes a larger incident.
Executive priority
Prioritize this analytic where local files or databases contain operational, engineering, regulated, or business-critical data. The key business question is whether SOC and IR teams can distinguish routine administrative or maintenance activity from abnormal data search and collection. This supports incident decision-making, compliance evidence around monitoring, and cyber-physical risk reduction when sensitive engineering or operational files are stored locally.
Technical view
Validate visibility into unexpected file access, newly executed processes, script enablement, command-line arguments, API activity, and use of Windows system management tools referenced by MITRE, including Windows Management Instrumentation and PowerShell. Because no platform, tactic, or relationship context is supplied, teams should map this analytic to local asset types and normal administrative workflows before tuning. Focus on baselining file/database access patterns and identifying out-of-cycle scripts or commands that search broad file paths or sensitive file types.
Likely telemetry
- File access events for user files and local databases
- Process creation and newly executed process telemetry
- Command-line arguments and shell execution logs
- Script execution and script enablement evidence
- API activity related to local file system or database searching
Detection direction
- Confirm whether monitoring covers abnormal access to sensitive local file types such as documents, PDFs, images, drawings, and database files.
- Baseline normal administrative, patching, backup, engineering, and maintenance workflows to reduce false positives.
- Alert on scripts running on systems where scripting is uncommon, especially outside patching or approved administrator activity.
- Review newly executed processes and command arguments that enumerate file systems or local databases for data of interest.
- Where possible, capture script content from the file system so responders can assess intent rather than relying only on execution metadata.
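As an added example (not part of the MITRE object or Glexia's analysis), the following Python applies the detection direction above to constructed process-creation events: it flags command lines that enumerate sensitive local file types, and script or management-tool execution on hosts where scripting is uncommon, by non-approved accounts, outside an assumed maintenance window. The hostnames, accounts, window, and extension list are assumptions to be replaced with local baselines.

```python
import re
from datetime import datetime, time

# Assumptions (constructed for this example, not taken from the ATT&CK object):
SENSITIVE_EXT = (".pdf", ".docx", ".jpg", ".dwg", ".db", ".mdb", ".sqlite")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "wmic.exe"}
SCRIPT_COMMON_HOSTS = {"eng-ws-01"}          # hosts where scripting is routine
APPROVED_ADMINS = {"svc_patch"}              # accounts allowed to run scripts out of band
MAINT_WINDOW = (time(22, 0), time(23, 59))   # approved patching window (local time)

SEARCH_VERBS = re.compile(r"(get-childitem|\bgci\b|\bdir\b|findstr|\bfind\b|where\.exe|robocopy|xcopy)", re.I)
RECURSIVE = re.compile(r"(-recurse|/s\b|-r\b|/r\b)", re.I)

def in_maint_window(ts):
    return MAINT_WINDOW[0] <= ts.time() <= MAINT_WINDOW[1]

def score_event(ev):
    """Return the AN1881 reasons an event matches; an empty list means no finding."""
    reasons = []
    lower = ev["cmd"].lower()
    # 1. Command lines that enumerate sensitive local file types (recursively or via search tools)
    exts = [e for e in SENSITIVE_EXT if e in lower]
    if exts and (SEARCH_VERBS.search(lower) or RECURSIVE.search(lower)):
        reasons.append(f"enumerates sensitive file types {exts}")
    # 2. Script/management-tool execution where scripting is uncommon, outside the patching cycle
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    if image in SCRIPT_HOSTS and ev["host"] not in SCRIPT_COMMON_HOSTS:
        if ev["user"] not in APPROVED_ADMINS and not in_maint_window(datetime.fromisoformat(ev["ts"])):
            reasons.append(f"{image} run out of cycle on {ev['host']} by {ev['user']}")
    return reasons

def detect(events):
    # Flatten findings as (timestamp, host, reason) tuples for triage
    return [(ev["ts"], ev["host"], r) for ev in events for r in score_event(ev)]

# Constructed sample process-creation telemetry (not real logs)
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T22:15:00", "host": "hmi-02", "user": "svc_patch",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\patch\install_kb.ps1"},
    {"ts": "2024-03-05T03:12:00", "host": "hmi-02", "user": "operator",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c dir C:\ /s /b *.dwg *.pdf *.docx > C:\Users\Public\list.txt"},
    {"ts": "2024-03-05T03:14:00", "host": "hmi-02", "user": "operator",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -Command Get-ChildItem -Recurse D:\Projects -Include *.dwg"},
    {"ts": "2024-03-05T09:00:00", "host": "eng-ws-01", "user": "engineer",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmd": r"pwsh.exe -File build_report.ps1"},
]
```

Running `detect(SAMPLE_EVENTS)` yields three findings: the patching run by the approved account and the script on the engineering workstation are suppressed, while the operator's file enumeration and out-of-cycle PowerShell on the HMI are flagged.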
Mitigation priorities
- Inventory where sensitive local files and databases reside, especially operational or engineering data.
- Limit and monitor administrative scripting and system management tooling to approved users and expected maintenance windows.
- Ensure endpoint and logging controls collect process, command, script, file access, and relevant management-tool telemetry before relying on this analytic.
- Use least privilege and data access controls to reduce the number of accounts and processes that can read sensitive local data.
- Prepare IR procedures for preserving suspicious scripts, process details, and accessed-file evidence.
Analyst notes and limits
This object is an ICS ATT&CK detection analytic, but the supplied fields do not specify platforms, tactics, or related techniques beyond references in the description to WMI and PowerShell. Treat it as a detection validation prompt: can the environment prove who or what searched local sources for sensitive data, when, and whether that behavior was expected?
No official detection logic, platforms, tactics, aliases, labels, or relationship context were supplied. Local baselines, asset criticality, file sensitivity, and available telemetry are required before determining coverage or alert fidelity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d21c72b352ab… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1881 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.