MITRE ATT&CK® Analytic

AN0226: Analytic 0226

Execution of trusted, Microsoft-signed binaries such as `rundll32.exe`, `msiexec.exe`, or `regsvr32.exe` used to execute externally hosted, unsigned, or suspicious payloads through command-line parameters or network retrieval.

Domain: Enterprise | Object: AN0226 | Type: Analytic | Object version: 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic focuses on a common defensive problem on Windows: trusted Microsoft-signed utilities such as rundll32.exe, msiexec.exe, and regsvr32.exe can be used to run externally hosted, unsigned, or suspicious payloads. For leaders, the issue is not that these binaries are malicious by themselves, but that normal administrative tools can create a gap between allowlisting, endpoint monitoring, and SOC triage if command-line and network context are not collected and reviewed together.

Executive priority

Prioritize this as a control-validation topic for Windows endpoint resilience and incident readiness. Security leaders should ask whether the organization can distinguish legitimate use of signed Microsoft binaries from suspicious use involving unusual command-line parameters, unsigned payloads, or network retrieval. This matters for budget and audit decisions because prevention alone may not be sufficient if trusted binaries are broadly allowed without supporting telemetry, alert logic, and response playbooks.

Technical view

For SOC, detection engineering, and IR teams, validate visibility on Windows process execution for rundll32.exe, msiexec.exe, regsvr32.exe, command-line arguments, parent-child process context, file signing status where available, and network activity tied to those processes. Because the official object does not provide detection logic or tactic mapping, teams should treat AN0226 as a behavior-validation requirement rather than a ready-to-run rule. Tuning should focus on suspicious combinations: trusted Microsoft-signed binaries executing externally hosted, unsigned, or otherwise suspicious payloads through command-line parameters or network retrieval.

Likely telemetry

  • Windows process creation events for rundll32.exe, msiexec.exe, and regsvr32.exe
  • Full command-line arguments for process execution
  • Parent and child process relationships
  • Network connection or retrieval telemetry associated with these binaries
  • File metadata and code-signing status for payloads where available

Detection direction

  • Confirm that Windows endpoint telemetry captures command-line parameters for the named binaries; without command-line visibility, this analytic loses much of its value.
  • Correlate process execution with network retrieval activity to identify cases where trusted binaries interact with externally hosted payloads.
  • Validate whether file reputation or signing-status data is available for payloads executed or retrieved by these binaries.
  • Tune carefully for legitimate administrative and software-installation activity, especially for msiexec.exe, to reduce false positives.
  • Review blind spots where allowlisting or trust policies permit Microsoft-signed binaries without inspecting their arguments or retrieved content.
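To make the telemetry and detection-direction bullets concrete, here is an added triage example (not part of the MITRE object or Glexia's page) that runs the AN0226 logic over a few constructed Sysmon-style process-creation events. It assumes the signing status of the payload and a network-connection flag have already been joined onto each event from separate telemetry; those two fields, the event shape and all hostnames are constructed for this illustration.

```python
import re

# Trusted Microsoft-signed binaries named by AN0226.
WATCHED = {"rundll32.exe", "msiexec.exe", "regsvr32.exe"}

# A URL or UNC path in the command line is the "externally hosted payload" signal.
REMOTE_REF = re.compile(r"(?i)(?:https?|ftp)://\S+|\\\\[^\\\s]+\\\S+")

# Constructed sample events in a Sysmon Event ID 1-like shape. "payload_signed"
# (True/False/None=unknown) and "net_conn" stand in for code-signing and network
# telemetry joined from other sources; both are assumptions of this example.
EVENTS = [
    {"pid": 4101, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Windows\ccmcache\a1\app.msi" /qn',
     "parent": r"C:\Windows\CCM\CcmExec.exe", "payload_signed": True, "net_conn": False},
    {"pid": 4188, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i http://cdn.example.invalid/pkg.msi /qn",
     "parent": r"C:\Windows\System32\cmd.exe", "payload_signed": None, "net_conn": True},
    {"pid": 4203, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe \\fileshare.example.invalid\pub\helper.dll,Start",
     "parent": r"C:\Windows\explorer.exe", "payload_signed": False, "net_conn": True},
    {"pid": 4250, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
     "parent": r"C:\Program Files\Vendor\setup.exe", "payload_signed": True, "net_conn": False},
    {"pid": 4301, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe http://intranet.example.invalid/readme.txt",
     "parent": r"C:\Windows\explorer.exe", "payload_signed": True, "net_conn": True},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the AN0226 indicators present in one process-creation event."""
    if basename(ev["image"]) not in WATCHED:
        return []                      # not one of the trusted binaries in scope
    reasons = []
    if REMOTE_REF.search(ev["cmdline"]):
        reasons.append("command line references an externally hosted payload")
    if ev.get("net_conn"):
        reasons.append("network connection observed from the trusted binary")
    if ev.get("payload_signed") is False:
        reasons.append("payload is not code-signed")
    return reasons

def triage(events):
    """Map pid -> indicators for every in-scope event that raised at least one."""
    findings = {}
    for ev in events:
        reasons = check_event(ev)
        if reasons:
            findings[ev["pid"]] = reasons
    return findings
```

The locally sourced, signed msiexec and regsvr32 installs (pids 4101 and 4250) produce no findings, which is the baseline-tuning behaviour the bullets above call for; the two events with remote references surface with every indicator that fired so an analyst can see why.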

Mitigation priorities

  • Establish a baseline of legitimate use for rundll32.exe, msiexec.exe, and regsvr32.exe on Windows systems.
  • Ensure endpoint logging, EDR, or SIEM pipelines retain process command-line, parent-child, network, and file-signing context needed for investigation.
  • Review application control and allowlisting policies so that trust in Microsoft-signed binaries does not automatically bypass scrutiny of parameters or retrieved payloads.
  • Define SOC triage guidance for suspicious use of these binaries, including how to review command-line arguments, network destinations, and payload signing status.
  • Use findings to support compliance evidence around monitoring coverage, endpoint control validation, and incident response readiness.

Analyst notes and limits

AN0226 is a detection analytic in the enterprise ATT&CK domain for Windows. The supplied official description is specific about trusted Microsoft-signed binaries and suspicious payload execution via command-line parameters or network retrieval, but no tactics, relationships, or official detection logic were provided. The most useful Glexia application is therefore coverage assessment: can the organization see and investigate the required process, command-line, file, and network evidence?

This take is limited to the supplied STIX fields, external reference, and absence of relationship context. It does not assert active exploitation, attribution, impact, or guaranteed detection. Local environment baselines are required to separate legitimate administrative use from suspicious behavior.

Official MITRE ATT&CK definition

Analytic 0226

Execution of trusted, Microsoft-signed binaries such as `rundll32.exe`, `msiexec.exe`, or `regsvr32.exe` used to execute externally hosted, unsigned, or suspicious payloads through command-line parameters or network retrieval.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 5fd3e35bcf95245a...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 5fd3e35bcf95…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0226

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.