AN1940: Analytic 1940
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the potential use of exploits for vulnerabilities (i.e. Exploit Public-Facing Application, Exploitation for Client Execution, Exploitation for Privilege Escalation, Exploitation for Stealth, Exploitation for Credential Access, Exploitation of Remote Services, and Application or System Exploitation).
Analyst context for executives and security teams
This analytic is a reminder that some adversary preparation or vulnerability-related activity may happen before the target organization has direct visibility. For leaders, the practical issue is not a single alert rule; it is whether the organization can connect external vulnerability intelligence, exposure management, and later exploit-use signals into an incident-ready decision process.
Executive priority
Treat this as a governance and readiness gap check. Because the ATT&CK object notes that much of the activity occurs outside the target’s visibility, executive priority should be on confirming that vulnerability prioritization, external exposure awareness, SOC monitoring, and incident response playbooks are coordinated before exploitation is suspected. This supports business continuity, audit evidence for risk-based remediation, and faster decisions when public-facing applications, clients, remote services, privilege escalation paths, credential access paths, stealth mechanisms, or application/system exploitation become relevant.
Technical view
SOC and detection engineering teams should not expect this analytic to provide a direct detection pattern. The supplied MITRE description points defenders toward monitoring behaviors associated with potential exploit use, including exploit activity against public-facing applications, client execution, privilege escalation, stealth, credential access, remote services, and application or system exploitation. Validate that detection content and investigation workflows can pivot from vulnerability/exposure context to host, application, identity, and network evidence when exploitation is suspected.
Likely telemetry
- External exposure and asset inventory data for public-facing systems and remote services
- Vulnerability scan results and remediation status tied to affected assets
- Web, application, and API logs for public-facing applications
- Endpoint and server telemetry for client execution, privilege escalation, stealth, and credential access indicators
- Authentication and identity logs that may show post-exploitation credential use
Detection direction
- Validate whether the SOC has coverage for the exploitation-related ATT&CK techniques referenced by the analytic rather than relying on a single PRE-stage signal.
- Tune detections with asset criticality, internet exposure, and vulnerability context to reduce noise and improve prioritization.
- Identify blind spots where adversary preparation occurs outside organizational visibility and compensate with threat intelligence, exposure management, and rapid triage processes.
- Confirm analysts can correlate exploit-use indicators across application logs, endpoint telemetry, identity events, and vulnerability records.
- Document false-positive handling for benign vulnerability scanning, administrative testing, application errors, and normal remote service usage.
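One way to put the correlation and context-tuning points above into practice, as an added example that is not part of the ATT&CK object or of Glexia's page: a small Python triage routine that takes a generic exploit-use indicator from application logs (here a burst of 5xx errors on one path, an assumed illustrative signal), enriches it with asset exposure, business criticality, open-vulnerability status and a follow-on identity event, and produces a scored, explainable alert. All assets, vulnerability identifiers, log lines and score weights are constructed placeholders, not real data or MITRE-supplied values.

```python
"""Correlate an exploit-use indicator with asset, vulnerability and identity context.

Added example; sample data below is constructed and the score weights are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory and vulnerability records (not real systems or CVEs).
ASSETS = {
    "web-01": {"internet_exposed": True, "criticality": "high"},
    "intra-02": {"internet_exposed": False, "criticality": "low"},
}
VULNS = [
    {"asset": "web-01", "id": "VULN-PLACEHOLDER-1", "status": "open", "exploit_available": True},
    {"asset": "intra-02", "id": "VULN-PLACEHOLDER-2", "status": "remediated", "exploit_available": False},
]
# Constructed web access log: "<timestamp> <host> <status> <path>".
WEB_LOG = [
    "2024-05-01T10:00:01Z web-01 200 /portal/login",
    "2024-05-01T10:00:05Z web-01 500 /portal/upload",
    "2024-05-01T10:00:06Z web-01 500 /portal/upload",
    "2024-05-01T10:00:07Z web-01 500 /portal/upload",
    "2024-05-01T10:00:08Z web-01 500 /portal/upload",
    "2024-05-01T11:00:00Z intra-02 500 /wiki/search",
]
# Constructed identity log: "<timestamp> <host> <user> <event>".
AUTH_LOG = [
    "2024-05-01T10:02:30Z web-01 svc_portal NEW_LOGON",
    "2024-05-01T09:00:00Z intra-02 alice LOGON",
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def find_error_bursts(web_log, threshold=3, window_s=60):
    """Return one record per (host, path) with >= threshold 5xx responses inside window_s seconds."""
    per_key = defaultdict(list)
    for line in web_log:
        ts, host, status, path = line.split()
        if int(status) >= 500:
            per_key[(host, path)].append(parse_ts(ts))
    bursts = []
    for (host, path), times in per_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within window_s of times[end].
            while times[end] - times[start] > timedelta(seconds=window_s):
                start += 1
            if end - start + 1 >= threshold:
                count = sum(1 for t in times if timedelta(0) <= t - times[start] <= timedelta(seconds=window_s))
                bursts.append({"host": host, "path": path, "first_seen": times[start], "count": count})
                break  # one alert per host/path is enough for triage
    return bursts


def score_burst(burst, assets, vulns, auth_log, logon_window_s=300):
    """Add exposure, criticality, vulnerability and identity context; weights are assumptions."""
    score = 1
    reasons = [f"{burst['count']}x 5xx on {burst['host']} {burst['path']}"]
    asset = assets.get(burst["host"], {})
    if asset.get("internet_exposed"):
        score += 2
        reasons.append("asset is internet exposed")
    if asset.get("criticality") == "high":
        score += 2
        reasons.append("asset criticality high")
    exploitable = [v["id"] for v in vulns
                   if v["asset"] == burst["host"] and v["status"] == "open" and v["exploit_available"]]
    if exploitable:
        score += 3
        reasons.append("open exploitable vulnerabilities: " + ", ".join(exploitable))
    for line in auth_log:
        ts, host, user, event = line.split()
        delta = (parse_ts(ts) - burst["first_seen"]).total_seconds()
        if host == burst["host"] and event == "NEW_LOGON" and 0 <= delta <= logon_window_s:
            score += 2
            reasons.append(f"new logon for {user} {int(delta)}s after the burst")
    priority = "high" if score >= 7 else "medium" if score >= 4 else "low"
    return {**burst, "score": score, "priority": priority, "reasons": reasons}


def triage(web_log, auth_log, assets, vulns):
    """Produce scored alerts, highest priority first."""
    alerts = [score_burst(b, assets, vulns, auth_log) for b in find_error_bursts(web_log)]
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for alert in triage(WEB_LOG, AUTH_LOG, ASSETS, VULNS):
        print(alert["priority"], alert["score"], alert["host"], alert["path"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

The single 5xx on intra-02 never becomes an alert, which is the false-positive handling the last bullet asks for: an isolated application error on a non-exposed, remediated host is noise, while the same indicator on an exposed, unpatched, high-criticality host followed by a new logon is escalated with each contributing fact recorded so an analyst can check it.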
Mitigation priorities
- Maintain accurate inventory of public-facing applications, remote services, and systems where exploit use would create material risk.
- Prioritize vulnerability remediation using exposure, business criticality, and exploitability context.
- Ensure monitoring is in place for exploitation-related behaviors across applications, endpoints, identity systems, and network access paths.
- Prepare incident response playbooks for suspected exploitation, including evidence preservation and escalation criteria.
- Use compliance and risk reporting to show how vulnerability management, detection coverage, and response readiness are connected.
Analyst notes and limits
The object is a MITRE detection analytic, AN1940, for the enterprise ATT&CK domain and platform PRE. Its description emphasizes limited target visibility and recommends focusing detection on behaviors related to potential exploit use. No relationships, tactics, aliases, labels, or separate official detection text were supplied.
This take is constrained to the supplied ATT&CK fields. It does not establish active exploitation, attribution, affected vendors, specific indicators, or confirmed detection coverage. Local asset inventory, vulnerability data, logs, and response procedures are required to determine actual risk and monitoring maturity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | abaa77abc40c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1940
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.