MITRE ATT&CK® Analytic

AN0009: Analytic 0009

Abnormal modification of the PATH environment variable or registry keys controlling system paths, combined with execution of binaries named after legitimate system tools from user-writable directories. Defender correlates registry modifications, file creation of suspicious binaries, and process execution paths inconsistent with baseline system directories.

Enterprise | AN0009 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN0009 highlights a Windows detection pattern where system path settings are changed and a lookalike binary, named like a legitimate system tool, runs from a user-writable location. For leaders, the value is assurance that Windows endpoints are not silently redirected to execute untrusted tools instead of expected system binaries.

Executive priority

Prioritize this as a control-validation and incident-readiness question: can the organization prove it monitors changes to PATH-related settings, creation of suspicious tool-named binaries in user-writable directories, and execution paths that deviate from trusted system locations? This supports resilience, audit evidence, and faster triage when endpoint trust is in question.

Technical view

For SOC and detection teams, validate correlation across three Windows evidence points described by MITRE: modification of PATH environment variables or registry keys controlling system paths, file creation of binaries with names resembling legitimate system tools in user-writable directories, and process execution from paths inconsistent with baseline system directories. Because no ATT&CK tactic or relationship context is supplied, tune this as a behavioral analytic rather than as a campaign- or technique-specific rule.

Likely telemetry

  • Windows registry modification events for the values that hold PATH: the machine-wide value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment and the per-user value under HKCU\Environment
  • Environment variable change telemetry, especially PATH-related changes (a process can also alter PATH only for itself and its children without touching the registry, which registry auditing alone will not see)
  • File creation events in user-writable directories
  • Process creation telemetry including executable path and process name
  • Baseline inventory of expected system tool locations and trusted system directories

Detection direction

  • Confirm telemetry can join registry or environment changes, file creation, and subsequent process execution on the same host and relevant time window.
  • Tune for binaries named after legitimate system tools executing from user-writable locations rather than expected Windows system directories.
  • Account for administrative software, developer tooling, scripts, and installers that may legitimately modify PATH or run tools outside default directories.
  • Validate whether the detection depends on a maintained baseline of normal system directories; stale baselines can create false positives or missed deviations.
  • Escalate events where PATH modification and suspicious execution occur together, rather than treating isolated PATH changes as equally severe.

Mitigation priorities

  • Restrict who can modify the machine-wide PATH value (under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment) and the per-user value under HKCU\Environment.
  • Reduce unnecessary write access to directories that appear on PATH or could otherwise be used for executable placement; a user-writable directory listed early in PATH is the riskiest case.
  • Maintain endpoint baselines for expected locations of common Windows system tools.
  • Use change control and administrative review for authorized PATH modifications.
  • Ensure incident response playbooks include checks for altered path settings and unexpected tool execution locations.

Analyst notes and limits

This is a detection analytic object for Windows in ATT&CK enterprise release 19.1. The official description provides the correlation logic, but no separate official detection text, tactics, labels, aliases, or relationship context were supplied.

Assessment is limited to the supplied MITRE fields and external reference. It does not establish active exploitation, attribution, impact, or current customer exposure. Local telemetry quality, endpoint configuration, and baseline accuracy will determine practical detection value.

Official MITRE ATT&CK definition

Analytic 0009

Abnormal modification of the PATH environment variable or registry keys controlling system paths, combined with execution of binaries named after legitimate system tools from user-writable directories. Defender correlates registry modifications, file creation of suspicious binaries, and process execution paths inconsistent with baseline system directories.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources, Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not supplied)
Modified: (not supplied)
Raw hash: 7631347353a292c1...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 7631347353a2…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0009 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.