MITRE ATT&CK® Analytic

AN0094: Analytic 0094

Defenders can observe suspicious replacement or tampering of system accessibility binaries (e.g., utilman.exe, sethc.exe, osk.exe) and anomalous modifications to registry keys used to redirect accessibility programs (such as IFEO keys). Additionally, execution of cmd.exe or other suspicious binaries triggered from the login screen by SYSTEM can be correlated as part of a behavior chain.

Enterprise · AN0094 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because tampering with Windows accessibility components can indicate an attempt to create or use a privileged logon-screen execution path. For leaders, the practical issue is whether endpoint, identity, and SOC teams can prove they would see suspicious changes to these Windows components before they become an incident-response surprise.

Executive priority

Prioritize this as a Windows endpoint and identity-adjacent resilience control: validate that critical system file changes, relevant registry modifications, and unusual SYSTEM-context execution from the logon screen are monitored and reviewable. The decision value is audit evidence and incident readiness—can the organization show that suspicious persistence or access-enabling changes on Windows hosts would generate actionable alerts and investigation data?

Technical view

SOC and detection teams should validate visibility for Windows system accessibility binaries named in the ATT&CK object, registry keys used to redirect accessibility programs such as IFEO keys, and process execution where cmd.exe or other suspicious binaries are triggered from the login screen by SYSTEM. Because no ATT&CK detection logic or relationships are supplied, local teams need to define baselines, test benign administrative edge cases, and correlate file, registry, and process evidence into a behavior chain rather than relying on one event type alone.

Likely telemetry

  • Windows file integrity or endpoint telemetry for changes to system accessibility binaries such as utilman.exe, sethc.exe, and osk.exe
  • Windows registry telemetry for modifications to accessibility redirection paths, including IFEO-related keys
  • Process creation telemetry showing cmd.exe or other suspicious binaries launched by SYSTEM
  • Logon-screen or pre-authentication context indicators where available from endpoint tooling
  • Endpoint alert and investigation records that preserve parent-child process and user/security context

Detection direction

  • Validate that collection covers Windows file replacement or tampering events for the named accessibility binaries.
  • Validate registry monitoring for IFEO and other accessibility-program redirection keys referenced by the analytic description.
  • Correlate suspicious file or registry modification with later SYSTEM-context execution from the login screen to reduce noisy single-signal alerts.
  • Tune for legitimate administrative or accessibility software activity to avoid excessive false positives while keeping high-risk SYSTEM-context command execution visible.
  • Document any blind spots where endpoint tools do not capture pre-logon context, file integrity changes, or registry modifications reliably.
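The following Python is an added example, not MITRE detection content and not Glexia's own tooling, that turns the analytic description, the likely telemetry and the detection direction above into one behavior chain: it labels IFEO Debugger changes and System32 overwrites for the accessibility binaries as precursors, labels cmd.exe spawned by winlogon.exe as SYSTEM as the logon-screen execution signal, and links the two per host within a time window. The event records are constructed to resemble Sysmon-style file, registry and process events and are not real telemetry. The winlogon.exe parent as the logon-screen indicator, the 24-hour window, the additional accessibility names narrator.exe and magnify.exe, and the SUSPICIOUS_CHILDREN set are assumptions to tune locally.

```python
"""Behavior-chain correlation for accessibility-binary tampering (added example).

Events are constructed to resemble Sysmon-style records:
  file_write      ~ file created/overwritten (target, image, user)
  registry_set    ~ registry value set (target = key\\value, details = data)
  process_create  ~ process creation (image, parent_image, user)
"""
import ntpath
from datetime import datetime, timedelta

# utilman.exe, sethc.exe and osk.exe are named in the analytic; narrator.exe and
# magnify.exe are added here as further accessibility programs (assumption).
ACCESSIBILITY_BINARIES = {"utilman.exe", "sethc.exe", "osk.exe", "narrator.exe", "magnify.exe"}

# Children winlogon.exe should not spawn as SYSTEM from the logon screen (assumption; extend locally).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}

IFEO_PREFIX = "hklm\\software\\microsoft\\windows nt\\currentversion\\image file execution options\\"
SYSTEM32_PREFIX = "c:\\windows\\system32\\"


def basename(path):
    return ntpath.basename(path).lower()


def precursor_signal(ev):
    """Label an event that tampers with an accessibility binary or redirects it via IFEO, else None."""
    target = ev.get("target", "").lower()
    if ev["type"] == "registry_set" and target.startswith(IFEO_PREFIX):
        exe, _, value_name = target[len(IFEO_PREFIX):].partition("\\")
        if exe in ACCESSIBILITY_BINARIES and value_name == "debugger":
            return f"IFEO Debugger set for {exe} -> {ev.get('details', '')}"
    if ev["type"] == "file_write" and target.startswith(SYSTEM32_PREFIX) \
            and basename(target) in ACCESSIBILITY_BINARIES:
        return f"{basename(target)} written by {basename(ev.get('image', ''))}"
    return None


def logon_screen_exec_signal(ev):
    """Label SYSTEM-context execution of a suspicious child under winlogon.exe, else None.

    The winlogon.exe parent is used as the logon-screen indicator (assumption);
    endpoint tooling that records session or pre-logon state can replace it.
    """
    if ev["type"] != "process_create":
        return None
    child = basename(ev.get("image", ""))
    if (ev.get("user", "").upper() == "NT AUTHORITY\\SYSTEM"
            and basename(ev.get("parent_image", "")) == "winlogon.exe"
            and child in SUSPICIOUS_CHILDREN):
        return f"{child} spawned by winlogon.exe as SYSTEM"
    return None


def correlate(events, window=timedelta(hours=24)):
    """Link tampering precursors to later logon-screen execution on the same host.

    Execution alerts are 'high' when a precursor preceded them within `window`
    and 'medium' otherwise; precursors that never led to execution are 'low'.
    """
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)

    alerts, unchained = [], []
    for host, evs in by_host.items():
        precursors = []
        for ev in evs:
            ts = datetime.fromisoformat(ev["ts"])
            label = precursor_signal(ev)
            if label:
                precursors.append({"ts": ts, "label": label, "chained": False})
                continue
            exec_label = logon_screen_exec_signal(ev)
            if exec_label:
                linked = [p for p in precursors if ts - p["ts"] <= window]
                for p in linked:
                    p["chained"] = True
                alerts.append({"host": host, "severity": "high" if linked else "medium",
                               "execution": exec_label, "precursors": [p["label"] for p in linked]})
        unchained.extend({"host": host, "severity": "low", "signal": p["label"]}
                         for p in precursors if not p["chained"])
    return {"alerts": alerts, "unchained_precursors": unchained}


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:14:05", "host": "WS01", "type": "registry_set", "user": "CORP\\jdoe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
     "details": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-05-01T02:15:40", "host": "WS01", "type": "file_write", "user": "CORP\\jdoe",
     "target": r"C:\Windows\System32\utilman.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-05-01T02:31:12", "host": "WS01", "type": "process_create", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\winlogon.exe"},
    # Benign: servicing writes utilman.exe on WS02, no later logon-screen execution.
    {"ts": "2024-05-01T03:00:00", "host": "WS02", "type": "file_write", "user": "NT AUTHORITY\\SYSTEM",
     "target": r"C:\Windows\System32\utilman.exe", "image": r"C:\Windows\servicing\TrustedInstaller.exe"},
    # Benign: an interactive user opening a prompt from Explorer.
    {"ts": "2024-05-01T09:05:00", "host": "WS02", "type": "process_create", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(correlate(SAMPLE_EVENTS), indent=2, default=str))
```

Run against the sample, WS01 produces one high-severity chain carrying both precursors, while the servicing write on WS02 surfaces only as a low-severity review item because no SYSTEM-context execution followed it. That split is the point of the detection direction: single signals stay visible for tuning and blind-spot review without paging anyone, and the chained pair is what goes to the SOC.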

Mitigation priorities

  • Harden and monitor administrative access to Windows systems so only authorized changes can affect protected system binaries and registry locations.
  • Ensure endpoint protection and logging policies capture file, registry, and process activity needed for investigation.
  • Use change-control and configuration monitoring for sensitive Windows system paths and registry keys.
  • Prepare incident response playbooks to triage suspected accessibility-binary or IFEO tampering, including host isolation and validation of system integrity where appropriate.
  • Maintain compliance evidence showing monitoring coverage, alert review, and response procedures for sensitive Windows configuration changes.
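As an added example of the change-control and configuration-monitoring item above (not MITRE or Glexia code), this Python audits a per-host snapshot of accessibility-binary hashes and IFEO values against an approved baseline and a list of change tickets, so that drift covered by an approved ticket is not reported while unapproved replacement, an IFEO Debugger redirection, or a binary the tooling failed to collect is. The baseline hashes, change records and host snapshots are constructed placeholders: the hash values are SHA-256 of labelled byte strings rather than hashes of real Windows files, and snapshot collection itself is assumed to be done by the organization's endpoint tooling.

```python
"""Baseline audit of accessibility binaries and IFEO keys (added example)."""
import hashlib

ACCESSIBILITY_BINARIES = ("utilman.exe", "sethc.exe", "osk.exe")
IFEO_PREFIX = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Approved hashes recorded at the last change-control review (constructed; a real
# baseline comes from known-good media or the servicing stack, not from strings).
BASELINE_HASHES = {name: sha256_hex(f"approved {name} build".encode()) for name in ACCESSIBILITY_BINARIES}

# Change tickets that authorize a specific new hash on a specific host (constructed).
APPROVED_CHANGES = {
    ("WS02", "osk.exe"): sha256_hex(b"osk.exe after approved servicing update"),
}

# Per-host snapshots as collected by endpoint tooling (constructed).
SNAPSHOTS = {
    "WS01": {
        "files": {
            "utilman.exe": BASELINE_HASHES["utilman.exe"],
            "sethc.exe": sha256_hex(b"not the approved sethc.exe"),  # replaced binary, no ticket
            "osk.exe": BASELINE_HASHES["osk.exe"],
        },
        "registry": {
            IFEO_PREFIX + "utilman.exe\\Debugger": "C:\\Windows\\System32\\cmd.exe",  # redirection
            IFEO_PREFIX + "notepad.exe\\GlobalFlag": "0x200",  # unrelated developer setting, ignored
        },
    },
    "WS02": {
        "files": {
            "utilman.exe": BASELINE_HASHES["utilman.exe"],
            "sethc.exe": BASELINE_HASHES["sethc.exe"],
            "osk.exe": APPROVED_CHANGES[("WS02", "osk.exe")],  # changed, but under a ticket
        },
        "registry": {},
    },
    "WS03": {
        "files": {  # sethc.exe absent from the collection: a blind spot to document
            "utilman.exe": BASELINE_HASHES["utilman.exe"],
            "osk.exe": BASELINE_HASHES["osk.exe"],
        },
        "registry": {},
    },
}


def audit_host(host, snapshot, baseline=BASELINE_HASHES, approved=APPROVED_CHANGES):
    """Return findings for one host: uncollected binaries, unapproved drift, IFEO redirection."""
    findings = []
    for name in ACCESSIBILITY_BINARIES:
        observed = snapshot["files"].get(name)
        if observed is None:
            findings.append({"host": host, "kind": "not_collected", "item": name})
        elif observed != baseline[name] and approved.get((host, name)) != observed:
            findings.append({"host": host, "kind": "unapproved_binary_change",
                             "item": name, "hash": observed})
    for key, value in snapshot["registry"].items():
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        exe, _, value_name = key[len(IFEO_PREFIX):].partition("\\")
        # Only the Debugger value redirects execution; other IFEO values are left to local review.
        if exe.lower() in ACCESSIBILITY_BINARIES and value_name.lower() == "debugger":
            findings.append({"host": host, "kind": "ifeo_redirection",
                             "item": exe.lower(), "debugger": value})
    return findings


def audit_all(snapshots=SNAPSHOTS):
    """Audit every host snapshot; hosts with an empty list are clean."""
    return {host: audit_host(host, snap) for host, snap in snapshots.items()}


if __name__ == "__main__":
    for host, findings in audit_all().items():
        print(host, findings or "clean")
```

Keeping the approved-change list keyed by host and binary is what lets a servicing update on WS02 pass while the same kind of hash change on WS01 is reported; the not_collected finding on WS03 is the audit evidence for the blind-spot documentation the detection direction asks for.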

Analyst notes and limits

This is a detection analytic object, not a full ATT&CK technique entry. The supplied data identifies Windows as the platform and describes observable behaviors involving accessibility binaries, IFEO-style registry redirection, and SYSTEM-context execution from the login screen. No tactics, related techniques, groups, software, campaigns, or explicit detection pseudocode were supplied.

Official detection content was not provided, and no relationship context was supplied. This take therefore cannot infer adversary attribution, active exploitation, business impact, or guaranteed detection coverage. Local validation is required to determine whether the organization collects the necessary Windows endpoint telemetry and can distinguish malicious tampering from authorized administrative or accessibility-related activity.

Official MITRE ATT&CK definition

Analytic 0094

Defenders can observe suspicious replacement or tampering of system accessibility binaries (e.g., utilman.exe, sethc.exe, osk.exe) and anomalous modifications to registry keys used to redirect accessibility programs (such as IFEO keys). Additionally, execution of cmd.exe or other suspicious binaries triggered from the login screen by SYSTEM can be correlated as part of a behavior chain.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: a291e8e6ebc1a0eb...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | a291e8e6ebc1…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0094 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.