AN0199: Analytic 0199
Detects adversary use of logon script configuration via Group Policy or user object attributes, followed by script execution post-authentication. Behavior includes modification of script path or file, then process execution under user logon context.
Analyst context for executives and security teams
This analytic matters because logon scripts can turn normal Windows authentication into automatic code execution for a user session. If an attacker can change Group Policy or user logon-script attributes, they may gain a reliable way to run scripts after users sign in. For leaders, the key issue is whether identity, Windows administration, and endpoint monitoring can prove who changed logon-script configuration and what executed afterward.
Executive priority
Prioritize this as a Windows identity and endpoint control-validation item. The business risk is not just script execution; it is unauthorized administrative change to logon behavior that can affect many users if Group Policy is involved. Security leaders should ask whether changes to logon-script paths and files are monitored, whether privileged change activity is reviewable, and whether incident responders can quickly link a configuration change to subsequent user-context process execution.
Technical view
For SOC and detection teams, validate visibility across two parts of the behavior described by MITRE: modification of logon script configuration via Group Policy or user object attributes, and later process execution under the user logon context. Because no official detection logic or ATT&CK tactics are supplied, treat AN0199 as a detection objective rather than a ready-to-deploy rule. Correlation should focus on Windows directory or Group Policy changes involving logon script path/file configuration followed by script or child-process execution after authentication.
Likely telemetry
- Windows security and directory-service audit events for user object attribute changes
- Group Policy change logs or equivalent policy-management audit records
- File modification events for logon script locations where available
- Endpoint process creation telemetry showing script execution and parent/child process context
- Authentication or logon session telemetry to associate execution with post-authentication user context
Detection direction
- Confirm that logging captures both configuration change and execution; either side alone may miss the full behavior.
- Tune correlation around changes to logon-script path or script file followed by execution in the affected user logon context.
- Review authorized administrative workflows to reduce false positives from legitimate Group Policy or account-management changes.
- Pay attention to blind spots where directory changes are logged but endpoint process creation is not, or where endpoint execution is visible but the preceding policy/user-object change is not retained.
- Because no relationship context is supplied, avoid assuming specific adversary groups, campaigns, or techniques beyond the stated analytic behavior.
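The correlation sketched above (configuration change to logon-script path or file, then execution in the affected user's post-authentication session, with authorized change workflows flagged rather than dropped and the "execution without retained logon context" blind spot surfaced separately) is shown here as an added example; it is not code from MITRE or from the Glexia page. It runs over a simplified, normalized event schema that is an assumption about what a SIEM would produce: the field names, the `FILE` event kind, the account names, the script paths and the `AUTHORIZED_CHANGERS` list are all constructed. Event IDs 5136, 4624 and 4688 and the Active Directory `scriptPath` attribute are real Windows identifiers.

```python
from datetime import datetime, timedelta

# Assumed normalized schema (constructed, not a native Windows log format):
#   5136  directory service object modified: subject, target, attribute, value
#   4624  successful logon: subject (the user), logon_id (the session)
#   4688  process creation: subject, logon_id, process, parent, cmdline
#   FILE  constructed placeholder for a file-integrity/write event: subject, path
WINDOW = timedelta(hours=24)                      # max change-to-execution gap
LOGON_SCRIPT_ATTRS = {"scriptPath"}               # user-object logon script attribute
SCRIPT_LOCATIONS = ("\\netlogon\\", "\\sysvol\\")  # case-insensitive path markers
# Assumption: identities whose logon-script changes go through change control.
AUTHORIZED_CHANGERS = {"corp\\gpo-change-svc"}


def logon_script_changes(events):
    """Yield (ts, changer, affected_user_or_None, script_path) for events that
    touch logon-script configuration. A user-object change names its target;
    a Group Policy script-file write can affect any user, so target is None."""
    for e in events:
        if e["event_id"] == 5136 and e.get("attribute") in LOGON_SCRIPT_ATTRS:
            yield datetime.fromisoformat(e["ts"]), e["subject"], e["target"], e["value"]
        elif e["event_id"] == "FILE" and any(m in e["path"].lower() for m in SCRIPT_LOCATIONS):
            yield datetime.fromisoformat(e["ts"]), e["subject"], None, e["path"]


def correlate(events):
    """Pair each logon-script change with a later process creation, inside a
    recorded logon session of an affected user, whose command line references
    the changed script. Authorized changers are flagged, not suppressed."""
    events = sorted(events, key=lambda e: e["ts"])
    changes = list(logon_script_changes(events))
    sessions, alerts = {}, []                     # logon_id -> (user, logon_ts)
    for e in events:
        if e["event_id"] == 4624:
            sessions[e["logon_id"]] = (e["subject"], datetime.fromisoformat(e["ts"]))
        elif e["event_id"] == 4688 and e["logon_id"] in sessions:
            user, logon_ts = sessions[e["logon_id"]]
            exec_ts = datetime.fromisoformat(e["ts"])
            for chg_ts, changer, target, path in changes:
                in_window = chg_ts <= logon_ts <= exec_ts <= chg_ts + WINDOW
                user_match = target is None or target.lower() == user.lower()
                if in_window and user_match and path.lower() in e["cmdline"].lower():
                    alerts.append({"user": user, "changer": changer, "script": path,
                                   "process": e["process"], "parent": e["parent"],
                                   "authorized": changer.lower() in AUTHORIZED_CHANGERS})
    return alerts


def unauthorized_alerts(events):
    return [a for a in correlate(events) if not a["authorized"]]


def uncorrelated_script_executions(events):
    """Process creations that reference a changed logon script but belong to no
    recorded logon session: endpoint telemetry exists, authentication context
    does not, so the change-to-execution chain cannot be closed."""
    known = {e["logon_id"] for e in events if e["event_id"] == 4624}
    paths = [p.lower() for *_, p in logon_script_changes(events)]
    return [e for e in events if e["event_id"] == 4688 and e["logon_id"] not in known
            and any(p in e["cmdline"].lower() for p in paths)]


# Constructed sample events covering the cases above.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "event_id": 5136, "subject": "CORP\\helpdesk7",
     "target": "CORP\\jdoe", "attribute": "scriptPath", "value": "\\\\dc1\\netlogon\\maint.bat"},
    {"ts": "2024-05-01T09:10:00", "event_id": "FILE", "subject": "CORP\\gpo-change-svc",
     "path": "\\\\dc1\\sysvol\\corp.local\\scripts\\logon\\inventory.ps1"},
    {"ts": "2024-05-01T09:41:00", "event_id": 4624, "subject": "CORP\\jdoe", "logon_id": "0x3e7a1"},
    {"ts": "2024-05-01T09:41:05", "event_id": 4688, "subject": "CORP\\jdoe", "logon_id": "0x3e7a1",
     "process": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Windows\\System32\\userinit.exe",
     "cmdline": "cmd.exe /c \\\\dc1\\netlogon\\maint.bat"},
    {"ts": "2024-05-01T09:41:09", "event_id": 4688, "subject": "CORP\\jdoe", "logon_id": "0x3e7a1",
     "process": "C:\\Windows\\explorer.exe", "parent": "C:\\Windows\\System32\\userinit.exe",
     "cmdline": "explorer.exe"},
    {"ts": "2024-05-01T10:02:00", "event_id": 4624, "subject": "CORP\\asmith", "logon_id": "0x41c20"},
    {"ts": "2024-05-01T10:02:03", "event_id": 4688, "subject": "CORP\\asmith", "logon_id": "0x41c20",
     "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\System32\\gpscript.exe",
     "cmdline": "powershell.exe -File \\\\dc1\\sysvol\\corp.local\\scripts\\logon\\inventory.ps1"},
    # Execution with a logon_id that never appeared in a 4624: the blind spot.
    {"ts": "2024-05-01T10:30:00", "event_id": 4688, "subject": "CORP\\jdoe", "logon_id": "0x99999",
     "process": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Windows\\System32\\userinit.exe",
     "cmdline": "cmd.exe /c \\\\dc1\\netlogon\\maint.bat"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(("AUTHORIZED " if a["authorized"] else "REVIEW     ") + str(a))
    print("uncorrelated:", len(uncorrelated_script_executions(SAMPLE_EVENTS)))
```

Run against the sample, the helpdesk change to `jdoe`'s `scriptPath` followed by `cmd.exe` under `userinit.exe` produces an alert for review, the change-control account's Group Policy script update followed by `asmith`'s execution is recorded but flagged as authorized, and the final `cmd.exe` with no matching logon record is reported separately as an uncorrelated execution rather than silently dropped. Tuning `WINDOW`, `SCRIPT_LOCATIONS` and `AUTHORIZED_CHANGERS` to local administrative practice is where the false-positive work described above happens.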
Mitigation priorities
- Restrict and regularly review who can modify Group Policy and user logon-script attributes.
- Require change control and audit evidence for logon script configuration and script-file updates.
- Protect and monitor storage locations used for logon scripts, including write permissions and file integrity where feasible.
- Ensure endpoint and identity logging retention is sufficient to reconstruct configuration-change-to-execution timelines during incident response.
- Periodically test whether SOC workflows can detect and investigate unauthorized logon-script changes on Windows systems.
Analyst notes and limits
AN0199 is a detection analytic in the enterprise ATT&CK domain for Windows. The supplied MITRE description is specific enough to guide control validation, but it does not include official detection logic, tactics, mitigations, or relationships. The most useful local validation is whether identity administration logs, Group Policy audit trails, file-change records, authentication context, and endpoint process telemetry can be joined reliably.
This take is limited to the supplied official STIX fields, external reference, and absence of relationships. It does not assert active exploitation, attribution, impact, or guaranteed detection coverage. Local Windows configuration, audit policy, retention, and administrative processes are required to determine actual exposure and detection quality.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e16d291b242f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0199 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.