MITRE ATT&CK® Analytic

AN1925: Analytic 1925

Monitor for any suspicious attempts to enable script execution on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Monitor executed commands and associated arguments for application programs which support executing custom code, scripts, commands, or executables. Monitor for unusual process execution, especially for processes that allow the proxy execution of malicious files.

ICS · AN1925 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This ICS ATT&CK detection analytic matters because enabling or running scripts on systems where scripting is uncommon can be an early sign that normal administrative capability is being used in an abnormal way. For leaders, the decision point is whether the organization can distinguish approved patching or administrator activity from suspicious script enablement, command execution, and proxy execution through legitimate applications.

Executive priority

Prioritize this as an operational resilience and incident readiness question: can the SOC prove when script execution was enabled, what commands ran, and whether the activity aligned to approved maintenance? In ICS environments, gaps in this evidence can slow containment decisions and weaken audit or compliance evidence around administrative control of sensitive systems.

Technical view

Validate whether monitoring captures attempts to enable script execution, executed commands with arguments, unusual process execution, and application programs that can execute custom code, scripts, commands, or executables. Because no platforms or tactics are specified for this analytic, teams should map it to local ICS asset types and administrative workflows before writing high-confidence detections. File-system collection of scripts, when possible, is important for determining intent and differentiating routine administration from suspicious activity.

Likely telemetry

  • Events showing script execution being enabled or configured
  • Executed command records and associated command-line arguments
  • Process creation and parent-child process relationships
  • Application logs from programs capable of executing custom code, scripts, commands, or executables
  • File-system evidence for scripts, including script content where collection is permitted

Detection direction

  • Baseline where scripts are normally used versus systems where script execution is rare or should not occur.
  • Alert on script execution enablement outside approved patching or administrator windows.
  • Correlate command arguments, process execution, and parent process context to identify unusual or proxy execution behavior.
  • Tune against known administrator functions to reduce false positives while preserving visibility into out-of-cycle activity.
  • Confirm whether script contents can be captured for review; lack of file-system visibility is a major investigation blind spot.
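To make the detection direction above concrete, here is an added Python example (not part of the Glexia page or of MITRE's analytic) that scores constructed process-creation events against the four checks: enablement out of cycle, script hosts on systems where scripting is rare, approved maintenance windows, and proxy execution from an unexpected parent. The host names, maintenance window, parent-process list and command-line markers are assumed values a team would replace with its own baseline.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed baseline (assumed values): hosts where scripting is routine, and
# approved maintenance windows for hosts where scripts are otherwise unexpected.
SCRIPT_HOSTS = {"eng-ws-01"}
MAINT_WINDOWS = {"hmi-03": [(datetime(2024, 5, 6, 22), datetime(2024, 5, 7, 2))]}
SCRIPT_IMAGES = {"powershell.exe", "cscript.exe", "wscript.exe"}
# Command-line fragments that change PowerShell's script-execution policy.
ENABLE_MARKERS = ("set-executionpolicy", "-executionpolicy bypass", "-ep bypass")
# Assumed list of parent images that should never spawn a script host on ICS assets.
UNEXPECTED_PARENTS = {"hmi_runtime.exe", "winword.exe", "excel.exe"}

@dataclass
class ProcEvent:
    host: str
    ts: datetime
    parent: str
    image: str
    cmdline: str

def in_maintenance(host: str, ts: datetime) -> bool:
    return any(start <= ts <= end for start, end in MAINT_WINDOWS.get(host, []))

def assess(ev: ProcEvent) -> list[str]:
    """Return the AN1925 reasons this event is suspicious; an empty list is benign."""
    reasons = []
    approved = ev.host in SCRIPT_HOSTS or in_maintenance(ev.host, ev.ts)
    cmd = ev.cmdline.lower()
    if any(m in cmd for m in ENABLE_MARKERS) and not approved:
        reasons.append("script-enablement")          # policy changed out of cycle
    if ev.image in SCRIPT_IMAGES and not approved:
        reasons.append("script-outside-maintenance-window")
    if ev.image in SCRIPT_IMAGES and ev.parent in UNEXPECTED_PARENTS:
        reasons.append("proxy-execution")            # script host spawned by an app
    return reasons

# Constructed sample telemetry, not real events: one routine, one in-window patch, two suspicious.
SAMPLE = [
    ProcEvent("eng-ws-01", datetime(2024, 5, 8, 9, 0), "explorer.exe", "powershell.exe", "powershell -File build.ps1"),
    ProcEvent("hmi-03", datetime(2024, 5, 6, 23, 0), "cmd.exe", "powershell.exe", "powershell -ExecutionPolicy Bypass -File patch.ps1"),
    ProcEvent("hmi-03", datetime(2024, 5, 8, 14, 0), "hmi_runtime.exe", "cscript.exe", "cscript //e:vbscript update.vbs"),
    ProcEvent("hmi-03", datetime(2024, 5, 8, 14, 5), "cmd.exe", "powershell.exe", "powershell Set-ExecutionPolicy Unrestricted"),
]

def run(events=SAMPLE) -> dict[int, list[str]]:
    """Map event index to its reasons, keeping only events that fired."""
    return {i: r for i, ev in enumerate(events) if (r := assess(ev))}
```

The in-window patch event (index 1) is suppressed even though it carries an execution-policy bypass flag, which is the tuning the page asks for; a real deployment would still want the captured script content to confirm intent.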

Mitigation priorities

  • Define and document where script execution is approved, restricted, or unexpected across ICS systems.
  • Use change management and maintenance windows to make authorized script activity easy to validate.
  • Limit who can enable or run scripts and review administrative access paths that allow command or script execution.
  • Preserve command, process, application, and file-system evidence needed for incident response.
  • Periodically test whether SOC and IR teams can reconstruct script enablement and execution from available logs.

Analyst notes and limits

The official object is a detection analytic in the ICS ATT&CK domain. It focuses on monitoring suspicious script enablement, command execution with arguments, applications that support custom code execution, and unusual process execution that may proxy malicious files. There are no supplied ATT&CK relationships, platforms, tactics, aliases, or separate detection text beyond the description.

This take is limited to the supplied ATT&CK fields. No active exploitation, attribution, affected platform, specific technique relationship, or guaranteed detection coverage is implied. Local asset inventory, administration patterns, logging configuration, and ICS operational constraints are required to determine priority and detection fidelity.

Official MITRE ATT&CK definition

Analytic 1925

Monitor for any suspicious attempts to enable script execution on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Monitor executed commands and associated arguments for application programs which support executing custom code, scripts, commands, or executables. Monitor for unusual process execution, especially for processes that allow the proxy execution of malicious files.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 0963b18bfcc39aff...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 0963b18bfcc3…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1925

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.