AN1935: Analytic 1935
Monitor for network traffic originating from unknown/unexpected systems. Monitor authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours, including use of Valid Accounts. When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.
Analyst context for executives and security teams
AN1935 is a detection analytic for spotting access to ICS-related services from systems that should not be there, or at times and patterns that do not match expected operations. Its business value is in validating whether the organization can distinguish legitimate remote access from suspicious use of valid accounts or unauthenticated exposed services before an incident affects operational resilience.
Executive priority
Treat this as a readiness check for remote access governance and monitoring. Leaders should ask whether teams know which systems are expected to connect, whether authentication activity is reviewed for abnormal timing or usage, and whether exposed APIs or applications are monitored when authentication is not required. This supports incident triage, audit evidence, and cyber-physical risk management without assuming any specific platform or adversary activity.
Technical view
SOC and IR teams should validate monitoring for network traffic from unknown or unexpected systems, authentication log review for unusual access patterns, activity outside normal business hours, and possible use of Valid Accounts. Where exposed remote services do not require authentication, teams should focus on follow-on behavior such as anomalous external use of the API or application. No ATT&CK tactics, platforms, or relationship context were supplied, so detection engineering should be mapped to local ICS architecture and known access paths.
Likely telemetry
- Network traffic records showing source systems and destinations
- Asset inventory or allowlists of expected systems and remote access sources
- Authentication logs for successful and failed access
- Time-of-day and access-pattern history for normal business operations
- API or application access logs for exposed remote services
Detection direction
- Baseline expected systems, users, access windows, and remote service usage before alerting on deviations.
- Tune alerts for traffic originating from unknown or unexpected systems, especially where the source is not in approved inventory or access lists.
- Review authentication activity for unusual timing, abnormal frequency, or access outside normal business hours.
- Correlate suspicious authentication with network and application activity to reduce false positives from maintenance, vendor support, or approved after-hours work.
- For services without authentication, monitor downstream behavior because login-based detections will not provide coverage.
Mitigation priorities
- Maintain an authoritative inventory of expected systems and approved remote access sources.
- Require and review authentication for exposed remote services where feasible.
- Define approved business hours, maintenance windows, and exception handling for ICS access.
- Limit unauthenticated exposure and ensure compensating monitoring for any service that cannot require authentication.
- Retain network, authentication, and application logs long enough to support incident response and compliance evidence.
Analyst notes and limits
The supplied object is an ICS ATT&CK detection analytic, not a technique description. Its strongest value is as a control-validation prompt: can defenders prove who or what accessed an exposed service, whether that access was expected, and what happened afterward? Local asset inventory and operational context are essential for meaningful tuning.
No official detection logic, platforms, tactics, aliases, labels, or relationship context were supplied. This take is therefore limited to the official description and external reference for AN1935 and should not be interpreted as evidence of active exploitation, adversary attribution, or guaranteed detection coverage.
Analytic 1935
Monitor for network traffic originating from unknown/unexpected systems. Monitor authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours, including use of Valid Accounts. When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 2ca79651c191… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1935Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.