AN1984: Analytic 1984
Monitor for contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information. In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in Cobalt Strike payloads.[1] Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.
Analyst context for executives and security teams
Analytic 1984 is about using contextual indicators from malicious payloads—such as compile times, file hashes, watermarks, or embedded configuration details—to support threat intelligence and post-compromise analysis. Its business value is not that it provides a direct enterprise detection by itself, but that it can help defenders recognize repeated tool use, enrich incident scope, and connect related activity when payload samples are available.
Executive priority
Treat this as an intelligence and incident-response capability rather than a primary prevention control. Leaders should ask whether their SOC, IR, and threat intelligence processes can collect malware samples, preserve hashes and metadata, compare payload features over time, and turn those findings into response decisions. Because the ATT&CK object notes much of this activity occurs outside the target organization’s visibility, coverage depends on partnerships, malware repositories, endpoint/server evidence, and post-compromise collection rather than routine alerting alone.
Technical view
For SOC, detection engineering, and IR teams, validate whether payload-level context is captured and usable during investigations: file hashes, compile timestamps, embedded configuration, watermarks, and other stable identifiers. The ATT&CK platform is PRE, and no tactics or direct detection logic are supplied, so this analytic should be handled as enrichment and correlation supporting adversary lifecycle analysis, especially after suspicious files or malware artifacts are recovered. The cited example references Cobalt Strike payload watermarks, but the supplied object does not provide specific detection rules or a broader attribution claim.
Likely telemetry
- Malware sample metadata collected during incident response
- File hashes from recovered payloads
- Compilation timestamp or PE/static file metadata where available
- Embedded configuration or watermark data extracted from payload analysis
- Threat intelligence or malware repository lookups
Detection direction
- Validate that malware artifacts from endpoints, servers, email gateways, or incident response collections are preserved for analysis rather than deleted without metadata capture.
- Use payload context as correlation and enrichment, not as a standalone high-confidence detection, because the official object states much of the activity may occur outside the target organization’s visibility.
- Tune analysis workflows to distinguish meaningful payload features from weak or easily changed attributes: a file hash changes with every rebuild, repack, or padding change, whereas a configuration value or watermark that repeats across samples survives those changes and gives better investigative context.
- Document where sample acquisition is unavailable, such as encrypted traffic, missing endpoint retention, limited forensic collection, or reliance on third-party repositories.
- Because no official detection logic or relationships are supplied, require local validation before converting this analytic into alerts or executive metrics.
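As an added example (not code from the original page, from MITRE, or from the cited analysis), the following Python script shows how the telemetry items and detection points above fit together on a small set of recovered samples: it reads the compile timestamp from the PE COFF header, hashes each file, recovers an embedded XOR-obfuscated configuration by known-plaintext key recovery, parses out the watermark and C2 value, and then clusters the samples by watermark rather than by hash. The configuration layout (a "CFG1" marker followed by tag/length/value entries obfuscated with one XOR byte), the tag numbers, and the three sample files are all constructed for this example and describe no real implant; extraction tooling for a real family has to be written against that family's documented format.

```python
"""Payload-context extraction over recovered PE samples (added example).

The config layout, tag numbers and sample files below are constructed for the
example only; they are not the format of any real implant.
"""
import hashlib
import struct
import time
from datetime import datetime, timezone

CFG_MAGIC = b"CFG1"                       # constructed marker, not a real one
TAG_C2, TAG_WATERMARK, TAG_SLEEP = 0x01, 0x02, 0x03


def build_sample(compile_ts, c2, watermark, sleep_ms, key, padding=b""):
    """Constructed minimal PE-like blob: DOS stub, COFF header, then the
    XOR-obfuscated config. Just enough header for timestamp parsing."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)        # e_lfanew -> 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x8664, 1, compile_ts, 0, 0, 0, 0x22)
    cfg = CFG_MAGIC
    for tag, value in ((TAG_C2, c2.encode()),
                       (TAG_WATERMARK, struct.pack(">I", watermark)),
                       (TAG_SLEEP, struct.pack(">I", sleep_ms))):
        cfg += struct.pack(">BH", tag, len(value)) + value     # tag(1) len(2) value
    cfg += b"\x00\x00\x00"                                       # terminator entry
    return dos + coff + padding + bytes(b ^ key for b in cfg)


def compile_timestamp(data):
    """IMAGE_FILE_HEADER.TimeDateStamp, located via e_lfanew; None if not a PE."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        return None
    # Signature(4) + Machine(2) + NumberOfSections(2) precede the timestamp.
    return struct.unpack_from("<I", data, pe_off + 8)[0]


def find_config(data):
    """Single-byte XOR key recovery from known plaintext: the marker is known,
    so each candidate offset implies exactly one key to check."""
    for off in range(len(data) - len(CFG_MAGIC)):
        key = data[off] ^ CFG_MAGIC[0]
        if bytes(b ^ key for b in data[off:off + 4]) == CFG_MAGIC:
            return off, key
    return None, None


def parse_config(data, off, key):
    """Decode the TLV entries after the marker into named fields."""
    plain = bytes(b ^ key for b in data[off:])
    pos, fields = len(CFG_MAGIC), {}
    while pos + 3 <= len(plain):
        tag, length = struct.unpack_from(">BH", plain, pos)
        if tag == 0:
            break
        value = plain[pos + 3:pos + 3 + length]
        pos += 3 + length
        if tag == TAG_C2:
            fields["c2"] = value.decode(errors="replace")
        elif tag == TAG_WATERMARK:
            fields["watermark"] = struct.unpack(">I", value)[0]
        elif tag == TAG_SLEEP:
            fields["sleep_ms"] = struct.unpack(">I", value)[0]
    return fields


def analyze(data, now_ts=None):
    """Contextual features for one sample. now_ts pins 'now' so the
    future-timestamp check is deterministic in tests; default is wall clock."""
    if now_ts is None:
        now_ts = int(time.time())
    ts = compile_timestamp(data)
    flags = []
    if ts == 0:
        flags.append("zero-timestamp")          # stripped or forged by the builder
    elif ts is not None and ts > now_ts:
        flags.append("future-timestamp")        # forged; cannot be a real build time
    off, key = find_config(data)
    fields = parse_config(data, off, key) if off is not None else {}
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "compile_time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat() if ts else None,
        "flags": flags,
        "config_xor_key": key,
        **fields,
    }


def cluster_by_watermark(samples):
    """Group samples by the stable embedded feature; hashes differ within a group."""
    groups = {}
    for name, data in samples.items():
        result = analyze(data)
        groups.setdefault(result.get("watermark"), []).append((name, result["sha256"]))
    return groups


# Constructed sample set: the same operator config rebuilt twice with different
# padding and XOR key (so the hashes differ), plus one unrelated payload.
SAMPLES = {
    "dropper-a.exe": build_sample(1608422400, "cdn.example.net", 0x12345678, 60000, 0x2E),
    "dropper-b.exe": build_sample(1608422400, "cdn.example.net", 0x12345678, 60000, 0x69,
                                  padding=b"\x90" * 16),
    "unrelated.exe": build_sample(0, "10.0.0.5", 1, 5000, 0x11),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, analyze(data))
    for watermark, members in cluster_by_watermark(SAMPLES).items():
        print("watermark", watermark, "->", [n for n, _ in members])
```

On real samples the header parse applies unchanged, but the configuration usually sits in a packed or encrypted region, so the key-recovery step has to run on an unpacked image or a memory dump rather than the file on disk; the clustering step is what turns a per-sample artifact into the repeated-tool-use evidence the analytic is after.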
Mitigation priorities
- Prioritize incident-response readiness: ensure procedures exist to collect, preserve, and analyze suspicious payloads and related metadata.
- Maintain integrations or workflows for malware repository and threat intelligence enrichment where legally and operationally appropriate.
- Ensure endpoint, server, and email/security tooling retains enough artifact context to support post-compromise investigation.
- Create escalation criteria for when repeated payload features should influence scoping, containment, or threat intelligence reporting.
- Use findings as supporting evidence for control validation and incident reporting, not as proof of attribution unless corroborated by additional sources.
Analyst notes and limits
This object is a detection analytic, not a technique. It has platform PRE, no supplied tactics, no relationships, and no official detection text beyond the description. The most defensible use is to frame payload-context analysis as an enrichment capability for SOC, IR, and threat intelligence teams.
The supplied ATT&CK fields do not include executable detection logic, affected enterprise platforms beyond PRE, relationship context, mitigations, or evidence of active exploitation. Local telemetry, sample availability, legal constraints, and analyst capability will determine practical value.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 56abf62ee910… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Maynier, E. (2020, December 20). Analyzing Cobalt Strike for Fun and Profit. Retrieved October 12, 2021.
[2] mitre-attack AN1984
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.