cti/ics-attack/x-mitre-analytic/x-mitre-analytic--23ce0ac3-6afe-4647-be72-e1e9bcd1490e.json

{
    "type": "bundle",
    "id": "bundle--7f67bfd5-7d9b-475d-9d61-f133ac3b54ec",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "x-mitre-analytic",
            "id": "x-mitre-analytic--23ce0ac3-6afe-4647-be72-e1e9bcd1490e",
            "created": "2025-10-21T15:10:28.402Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/detectionstrategies/DET0793#AN1925",
                    "external_id": "AN1925"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "modified": "2025-10-21T15:10:28.402Z",
            "name": "Analytic 1925",
            "description": "Monitor for any suspicious attempts to enable script execution on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\nMonitor executed commands and associated arguments for application programs which support executing custom code, scripts, commands, or executables. \nMonitor for unusual processes execution, especially for processes that allow the proxy execution of malicious files.",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_version": "1.0",
            "x_mitre_attack_spec_version": "3.3.0",
            "x_mitre_domains": [
                "ics-attack"
            ],
            "x_mitre_platforms": [
                "None"
            ],
            "x_mitre_log_source_references": [
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd",
                    "name": "Script",
                    "channel": "None"
                },
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
                    "name": "Command",
                    "channel": "None"
                },
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
                    "name": "Process",
                    "channel": "None"
                }
            ],
            "x_mitre_deprecated": false
        }
    ]
}