MITRE ATT&CK® Analytic

AN2035: Analytic 2035

Detects user execution of newly received content or instructions shortly after external communication, including script launches, Office child process spawning, browser-to-script execution chains, or credential prompts followed by new logon sessions.

Enterprise | AN2035 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Analytic 2035 is a Windows-focused detection analytic for a high-risk business pattern: a user receives external communication and then quickly executes content, launches scripts, spawns Office child processes, follows browser-to-script chains, or enters credentials that lead to a new logon session. For leaders, the value is not just spotting a file launch; it is validating whether the organization can connect communication, endpoint execution, browser, Office, and identity events into one incident narrative before a social-engineering-driven compromise spreads.

Executive priority

Prioritize this as a control-validation question for phishing resilience, SOC readiness, and incident response speed. Executives should ask whether the security program can prove visibility from initial external contact through execution and identity use on Windows endpoints. This analytic can support audit and risk discussions around user-driven compromise paths, but the supplied ATT&CK object does not provide a specific tactic, relationship mapping, or official detection logic, so local telemetry and tuning determine actual coverage.

Technical view

SOC and detection teams should validate correlation across Windows endpoint activity, external communication timing, process creation, Office child processes, browser-launched script or interpreter activity, credential prompt events where available, and subsequent logon sessions. Because ATT&CK provides no official detection pseudocode or related techniques for this analytic, implementation should start as behavior-chain detection rather than a single indicator. Key validation is whether events can be joined by user, host, process ancestry, time window, and session identity after externally received content or instructions.

Likely telemetry

  • Windows process creation events with command line and parent-child process context
  • Office application process ancestry and child process launches
  • Browser process activity and browser-to-script or browser-to-interpreter execution chains
  • Script execution telemetry from Windows hosts
  • Email, messaging, or other external communication metadata where available

Detection direction

  • Validate that external communication telemetry can be correlated with endpoint execution on the same user and host within a short time window.
  • Tune for suspicious chains such as Office spawning child processes, browser-to-script execution, or new logon sessions following credential prompts rather than alerting on all user-launched content.
  • Review false positives from legitimate document workflows, software downloads, helpdesk instructions, collaboration tools, and administrative scripts.
  • Confirm process command line, parent process, user, host, and timestamp quality; weak process ancestry will materially reduce analytic value.
  • Because no official detection logic is supplied, document local assumptions for time windows, external-communication sources, and what qualifies as newly received content.
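The behavior-chain correlation described in the Technical view and in the Detection direction bullets above, written out as an added example (this is illustrative code, not ATT&CK, Glexia or any vendor's detection logic). It joins constructed sample events by user and host, gates every chain on an external communication inside a time window, and labels Office child-process, browser-to-script, script-launch and credential-prompt-then-logon chains. The 15-minute window, the process-name sets, the Office child allowlist and every sample event are assumptions chosen for illustration; the page supplies no official values for any of them.

```python
"""Behavior-chain detection sketch for an AN2035-style analytic.

Added example, not ATT&CK or Glexia code. Joins constructed telemetry by
user and host, gates each chain on a recent external communication, and
emits one alert per matched chain.
"""
from datetime import datetime, timedelta

# Assumed local tuning value: ATT&CK supplies no official window for this analytic.
WINDOW = timedelta(minutes=15)

# Assumed process-name sets; extend from local telemetry.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
# Assumed allowlist for legitimate document workflows (e.g. print spooler helper).
OFFICE_CHILD_ALLOWLIST = {"splwow64.exe"}

# Constructed sample telemetry (not real logs); timestamps are UTC ISO-8601.
EVENTS = [
    # alice: inbound mail, opens a document, document spawns PowerShell
    {"ts": "2024-05-01T09:00:00", "type": "external_comm", "user": "alice", "host": "WS01"},
    {"ts": "2024-05-01T09:03:10", "type": "process_create", "user": "alice", "host": "WS01",
     "image": "winword.exe", "parent_image": "explorer.exe"},
    {"ts": "2024-05-01T09:03:40", "type": "process_create", "user": "alice", "host": "WS01",
     "image": "powershell.exe", "parent_image": "winword.exe"},
    # bob: chat link, browser launches a script host
    {"ts": "2024-05-01T10:00:00", "type": "external_comm", "user": "bob", "host": "WS02"},
    {"ts": "2024-05-01T10:01:05", "type": "process_create", "user": "bob", "host": "WS02",
     "image": "msedge.exe", "parent_image": "explorer.exe"},
    {"ts": "2024-05-01T10:02:30", "type": "process_create", "user": "bob", "host": "WS02",
     "image": "wscript.exe", "parent_image": "msedge.exe"},
    # carol: external message, credential prompt, then a new logon session
    {"ts": "2024-05-01T11:00:00", "type": "external_comm", "user": "carol", "host": "WS03"},
    {"ts": "2024-05-01T11:02:00", "type": "cred_prompt", "user": "carol", "host": "WS03"},
    {"ts": "2024-05-01T11:03:15", "type": "logon", "user": "carol", "host": "WS03",
     "session_id": "0x5a2c1"},
    # dave: Office spawns an interpreter with no recent external communication (admin macro)
    {"ts": "2024-05-01T14:00:00", "type": "process_create", "user": "dave", "host": "WS04",
     "image": "powershell.exe", "parent_image": "excel.exe"},
    # erin: external mail followed by an allowlisted Office child process
    {"ts": "2024-05-01T15:00:00", "type": "external_comm", "user": "erin", "host": "WS05"},
    {"ts": "2024-05-01T15:04:00", "type": "process_create", "user": "erin", "host": "WS05",
     "image": "splwow64.exe", "parent_image": "winword.exe"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def recent(events, ev, etype):
    """True if an event of type `etype` for the same user and host occurred
    within WINDOW before `ev` (inclusive of the same instant)."""
    t = parse_ts(ev["ts"])
    for prior in events:
        if prior["type"] != etype or prior["user"] != ev["user"] or prior["host"] != ev["host"]:
            continue
        delta = t - parse_ts(prior["ts"])
        if timedelta(0) <= delta <= WINDOW:
            return True
    return False


def classify(events, ev):
    """Return the chain label for `ev`, or None. Every chain is gated on a
    recent external communication for the same user and host, which is what
    keeps dave's unprompted admin macro out of the alert set."""
    if not recent(events, ev, "external_comm"):
        return None
    if ev["type"] == "process_create":
        parent, image = ev["parent_image"].lower(), ev["image"].lower()
        if parent in OFFICE_APPS and image not in OFFICE_CHILD_ALLOWLIST:
            return "office_child_process"
        if parent in BROWSERS and image in INTERPRETERS:
            return "browser_to_script"
        if image in INTERPRETERS:
            return "script_launch_after_external_comm"
    if ev["type"] == "logon" and recent(events, ev, "cred_prompt"):
        return "cred_prompt_then_new_logon"
    return None


def detect(events):
    """Scan events in time order and emit one alert per matched chain."""
    ordered = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for ev in ordered:
        chain = classify(ordered, ev)
        if chain:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "host": ev["host"],
                           "chain": chain, "session": ev.get("session_id")})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Running the block yields three alerts (alice's Office child process, bob's browser-to-script chain, carol's credential prompt followed by a new logon) and none for dave or erin, which is the point of the gating and allowlist bullets: the same process ancestry is alerted or suppressed depending on whether external contact preceded it. In a real pipeline the user/host join key, the external-communication source and the window are the local assumptions the last bullet above asks you to document.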

Mitigation priorities

  • Ensure logging and retention cover the full chain from external communication to Windows endpoint execution and authentication events.
  • Harden user-executed content paths with least privilege, script controls, Office child-process restrictions where appropriate, and safe handling of externally received files or links.
  • Strengthen identity controls and monitoring for new logon sessions following suspicious user interaction.
  • Use phishing simulation, incident response exercises, and detection validation to confirm analysts can investigate the chain quickly.
  • Maintain exception handling for approved business workflows so detection tuning does not overwhelm the SOC.

Analyst notes and limits

This object is a detection analytic, not a technique or procedure. Its strongest decision value is as a coverage test for cross-domain correlation: communication, endpoint process behavior, browser/Office execution, script activity, and identity session changes. It is especially relevant to managed detection and IR teams because the analytic depends on stitching together events that are often owned by different tools or teams.

The supplied ATT&CK fields provide a description, Windows platform, and external reference only. No official detection logic, tactics, relationships, data sources, mitigations, or procedure examples were supplied. Any severity, time window, query design, or coverage assessment must be based on the local environment and telemetry quality.

Official MITRE ATT&CK definition

Analytic 2035

Detects user execution of newly received content or instructions shortly after external communication, including script launches, Office child process spawning, browser-to-script execution chains, or credential prompts followed by new logon sessions.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 5be209a06b16aff6...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   5be209a06b16…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: AN2035 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.