AN2063: Analytic 2063
Detection identifies execution of scripts or files that appear visually benign (low printable character ratio) but result in runtime decoding, dynamic evaluation, and subsequent process or network activity. Correlation links script execution with abnormal Unicode density and follow-on behavior such as child process creation or outbound connections.
Analyst context for executives and security teams
This analytic is about catching Windows script or file execution that is deliberately hard for humans and simple text scanning to read, but that becomes meaningful at runtime through decoding or dynamic evaluation. The business value is that this behavior can hide inside content that looks visually harmless until it launches child processes or reaches out to the network, so leaders should treat it as a test of whether the SOC can correlate script content characteristics with what the endpoint actually does next.
Executive priority
Prioritize this as a resilience and evidence question: can the organization prove it monitors suspicious Windows script execution beyond simple signature or filename checks? The decision value is strongest for managed detection, incident response readiness, and audit discussions around script abuse controls, because coverage depends on collecting both script execution evidence and follow-on process or network behavior. Since no tactic, relationship context, or official detection logic is supplied, this should be framed as a validation candidate rather than a guaranteed control gap.
Technical view
For SOC and detection engineering teams, validate whether Windows telemetry can correlate three elements: script or file execution, abnormal character composition such as low printable character ratio or high Unicode density, and subsequent behavior such as child process creation or outbound connections. Tuning should focus on correlation rather than any single indicator, because unusual character density alone may occur in legitimate encoded, localized, or packed content. Incident responders should ensure investigations can reconstruct the parent script/file, runtime decoding or dynamic evaluation indicators where observable, child process lineage, and network destinations after execution.
Likely telemetry
- Windows process creation events, including parent-child process relationships
- Script execution logs or command-line/script block style telemetry where available
- File metadata and content-derived features such as printable character ratio or Unicode density
- Endpoint activity showing dynamic evaluation or runtime decoding where observable
- Network connection telemetry tied to the originating process
Detection direction
- Validate that detections do not rely only on static filename, extension, or known signatures; the supplied analytic depends on behavioral correlation.
- Test correlation windows between suspicious script/file execution and follow-on child process creation or outbound network activity.
- Tune for false positives from legitimate scripts, installers, encoded configuration content, localization/internationalization artifacts, or administrative automation with unusual character distributions.
- Confirm whether telemetry preserves enough script content or derived character features to identify low printable character ratio or abnormal Unicode density without over-collecting sensitive data.
- Because no official detection implementation is provided, document local assumptions, event sources, thresholds, and exclusions as part of detection engineering evidence.
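A worked illustration of the correlation this analytic describes, added here as example code (not MITRE's or Glexia's, and not an official detection query): it derives the content features named above (printable character ratio and Unicode density) from script text, then fires only when a flagged script is followed within a time window by a child process or an outbound connection from the script host or its children. Event fields, thresholds, timestamps and addresses are constructed assumptions for the demonstration.

```python
import string
from datetime import datetime, timedelta

PRINTABLE = set(string.printable)  # ASCII letters, digits, punctuation, whitespace


def content_features(text: str) -> dict:
    """Content-derived features: printable character ratio and non-ASCII (Unicode) density."""
    if not text:
        return {"printable_ratio": 1.0, "unicode_density": 0.0}
    n = len(text)
    printable = sum(1 for ch in text if ch in PRINTABLE)
    non_ascii = sum(1 for ch in text if ord(ch) > 0x7F)
    return {"printable_ratio": printable / n, "unicode_density": non_ascii / n}


def correlate(script_event, proc_events, net_events, window_s=60,
              max_printable=0.6, min_unicode=0.3):
    """Alert only when abnormal character composition AND follow-on behaviour
    (child process creation or outbound connection) occur within window_s.
    Thresholds are assumed placeholders; tune them against local telemetry."""
    feats = content_features(script_event["content"])
    if feats["printable_ratio"] > max_printable and feats["unicode_density"] < min_unicode:
        return None  # character composition looks normal; single indicator is not enough
    t0 = script_event["time"]
    t1 = t0 + timedelta(seconds=window_s)
    pid = script_event["pid"]
    children = [e for e in proc_events if e["parent_pid"] == pid and t0 <= e["time"] <= t1]
    child_pids = {e["pid"] for e in children}
    # Outbound connections from the script host itself or from any child it spawned
    conns = [e for e in net_events
             if e["pid"] in child_pids | {pid} and t0 <= e["time"] <= t1]
    if not children and not conns:
        return None  # suspicious content but no follow-on behaviour observed
    return {"pid": pid, "features": feats, "children": children, "connections": conns}


# Constructed sample telemetry (assumed field names; RFC 5737 documentation addresses)
T0 = datetime(2026, 1, 15, 9, 0, 0)
SAMPLE_SCRIPT = "$p = '" + "\u0436" * 60 + "'"  # mostly non-ASCII, few printable characters
SCRIPT_EVENT = {"pid": 4101, "time": T0, "content": SAMPLE_SCRIPT}
PROC_EVENTS = [
    {"pid": 4120, "parent_pid": 4101, "image": "cmd.exe", "time": T0 + timedelta(seconds=5)},
    {"pid": 4130, "parent_pid": 3000, "image": "notepad.exe", "time": T0 + timedelta(seconds=5)},
]
NET_EVENTS = [
    {"pid": 4120, "dest": "203.0.113.10:443", "time": T0 + timedelta(seconds=12)},
    {"pid": 4101, "dest": "198.51.100.5:80", "time": T0 + timedelta(seconds=300)},  # outside window
]

if __name__ == "__main__":
    print(correlate(SCRIPT_EVENT, PROC_EVENTS, NET_EVENTS))
```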
Mitigation priorities
- Reduce unnecessary script execution paths on Windows through policy, least privilege, and approved administrative tooling where operationally feasible.
- Harden monitoring first around high-risk Windows script execution locations and user contexts, then expand based on telemetry quality and false-positive review.
- Ensure endpoint controls and logging capture parent-child process lineage and process-associated network activity, since those are central to this analytic.
- Use incident response playbooks that triage suspicious script execution by content characteristics, runtime behavior, child process tree, and outbound connections.
- Maintain compliance-ready evidence showing what Windows script execution telemetry is collected, how long it is retained, and how detections are tested.
Analyst notes and limits
This object is a detection analytic, not a technique description. Its strongest practical message is the need to join content-level suspiciousness with runtime behavior. The supplied object supports Windows only and does not specify ATT&CK tactics, related techniques, adversary use, or a formal detection query.
Official detection text is not provided, and no relationships are supplied. Any scoring, thresholds, specific event IDs, products, or assumptions about exploitation would require local environment data or additional sources not included in the supplied STIX fields.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5ee789d2d3ef… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN2063 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.