AN0240: Analytic 0240
Defender observes execution of commands like `tasklist`, `sc query`, `reg query`, or PowerShell WMI/Registry queries targeting known backup products (e.g., Veeam, Acronis, CrashPlan). Behavior often includes parent-child lineage involving PowerShell or cmd.exe with discovery syntax, and enumeration of services, directories, or registry paths tied to backup software.
Analyst context for executives and security teams
This analytic is about spotting Windows command-line activity that looks for backup software, such as queries for backup-related services, registry keys, directories, or running processes. For leaders, the practical value is resilience: backup discovery can be a warning sign that an actor is mapping recovery capabilities before taking further action. Even without a supplied ATT&CK tactic or detection logic, this is a useful control-validation point for SOC and incident response teams because backup visibility directly affects business continuity decisions.
Executive priority
Prioritize this as a resilience and incident-readiness use case. Security leaders should ask whether the organization can detect unusual enumeration of backup products on Windows endpoints, especially when launched through PowerShell or cmd.exe. The business decision is not only “can we alert,” but “can we quickly determine whether backup systems are being assessed, targeted, or merely administered,” because that distinction affects containment, recovery confidence, and audit evidence around operational resilience.
Technical view
Validate Windows telemetry for command execution involving utilities and patterns named in the object: tasklist, sc query, reg query, and PowerShell-based WMI or Registry queries. Focus on parent-child lineage involving PowerShell or cmd.exe and discovery syntax that references known backup products such as Veeam, Acronis, or CrashPlan. Because no official detection logic or tactic is supplied, teams should treat this as a behavioral analytic candidate and tune it against local administrative baselines for backup operations, endpoint management, and IT inventory scripts.
Likely telemetry
- Windows process creation events with full command line arguments
- Parent-child process lineage for cmd.exe and PowerShell
- PowerShell execution and script block or module logging where available
- Windows service query activity, including sc query usage
- Registry query activity, including reg query and PowerShell Registry provider access
Detection direction
- Confirm whether command-line logging captures the specific discovery syntax, not just process names.
- Baseline legitimate backup administration, IT inventory, vulnerability scanning, and endpoint management scripts to reduce false positives.
- Correlate backup-product keywords with parent process, user context, host role, and timing; activity on ordinary user workstations may carry different significance than activity on backup administration servers.
- Look for clusters of enumeration across processes, services, registry paths, and directories rather than relying on one command in isolation.
- Review blind spots where PowerShell logging, command-line capture, WMI telemetry, or registry access visibility is disabled or inconsistently retained.
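As an added example that is not part of this page, of Glexia's content, or of MITRE's detection content, the following Python scores constructed Windows process-creation events against the detection direction above: it requires a backup-product keyword in the command line, classifies the discovery syntax into the enumeration categories the page names (processes, services, registry, directories), requires cmd.exe or PowerShell in the lineage, drops events matching a documented administrative baseline, and only raises a finding when a host shows a cluster of at least two categories inside a time window, weighted by host role. The product names are the page's illustrative ones; the command patterns, window length, the approved service account, the host-role map, and all sample events are assumptions constructed for the example.

```python
"""Backup-product enumeration scorer over constructed process-creation events.

Added example; the patterns, baseline, host roles and events are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

BACKUP_PRODUCTS = ("veeam", "acronis", "crashplan")  # illustrative names from the page

# Enumeration categories named on the page, with command/cmdlet syntax that usually
# lands in command-line telemetry (assumed patterns, tune to local tooling).
CATEGORY_PATTERNS = [
    ("registry",  re.compile(r"\breg(?:\.exe)?\s+query\b|get-itemproperty\b|hk(?:lm|cu)[:\\]", re.I)),
    ("service",   re.compile(r"\bsc(?:\.exe)?\s+query\b|get-service\b|win32_service\b", re.I)),
    ("process",   re.compile(r"\btasklist\b|get-process\b|win32_process\b", re.I)),
    ("directory", re.compile(r"\bdir\b|test-path\b|get-childitem\b", re.I)),
]
DISCOVERY_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
WINDOW_SECONDS = 600  # assumed clustering window per host

# Constructed baseline and host-role map (assumptions standing in for local documentation).
APPROVED_ACCOUNTS = {"corp\\svc-backupadmin"}
HOST_ROLES = {"WS-1042": "workstation", "BKP-SRV-01": "backup-server"}


@dataclass
class ProcEvent:
    ts: int            # epoch seconds (constructed)
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def classify(cmd: str) -> set:
    """Return the enumeration categories a command line touches, only if it names a backup product."""
    low = cmd.lower()
    if not any(p in low for p in BACKUP_PRODUCTS):
        return set()
    cats = {name for name, pat in CATEGORY_PATTERNS if pat.search(low)}
    if "registry" in cats:
        cats.discard("directory")  # Get-ChildItem against HKLM: is registry, not directory, enumeration
    return cats


def is_baselined(ev: ProcEvent) -> bool:
    """Documented backup administration; excluded to reduce false positives."""
    return ev.user.lower() in APPROVED_ACCOUNTS


def find_backup_discovery(events) -> list:
    """Cluster backup-product enumeration per host within WINDOW_SECONDS and score it."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        cats = classify(ev.command_line)
        if not cats or is_baselined(ev):
            continue
        # Parent-child lineage: either the child or its parent is cmd.exe / PowerShell.
        if ev.parent_image.lower() not in DISCOVERY_PARENTS and ev.image.lower() not in DISCOVERY_PARENTS:
            continue
        by_host[ev.host].append((ev, cats))

    findings = []
    for host, hits in by_host.items():
        clusters, current = [], []
        for ev, cats in hits:
            if current and ev.ts - current[0][0].ts > WINDOW_SECONDS:
                clusters.append(current)
                current = []
            current.append((ev, cats))
        if current:
            clusters.append(current)
        for cluster in clusters:
            cats = set().union(*(c for _, c in cluster))
            if len(cats) < 2:
                continue  # one command in isolation is too weak on its own
            role = HOST_ROLES.get(host, "unknown")
            findings.append({
                "host": host,
                "role": role,
                "severity": "high" if role == "backup-server" else "medium",
                "categories": sorted(cats),
                "users": sorted({e.user for e, _ in cluster}),
                "events": len(cluster),
            })
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    ProcEvent(1700000000, "WS-1042", "corp\\jdoe", "cmd.exe", "tasklist.exe", 'tasklist /FI "IMAGENAME eq Veeam*"'),
    ProcEvent(1700000030, "WS-1042", "corp\\jdoe", "cmd.exe", "sc.exe", "sc query VeeamBackupSvc"),
    ProcEvent(1700000075, "WS-1042", "corp\\jdoe", "cmd.exe", "reg.exe", r'reg query "HKLM\SOFTWARE\Veeam" /s'),
    ProcEvent(1700000120, "WS-1042", "corp\\jdoe", "cmd.exe", "cmd.exe", r'cmd.exe /c dir "C:\Program Files\Acronis"'),
    # Approved service account doing routine checks on the backup server: baselined.
    ProcEvent(1700000500, "BKP-SRV-01", "corp\\svc-backupadmin", "cmd.exe", "sc.exe", "sc query VeeamBackupSvc"),
    ProcEvent(1700000510, "BKP-SRV-01", "corp\\svc-backupadmin", "cmd.exe", "reg.exe", r"reg query HKLM\SOFTWARE\Veeam /s"),
    # Ad-hoc PowerShell from a standard account on the backup server: two categories.
    ProcEvent(1700001000, "BKP-SRV-01", "corp\\asmith", "explorer.exe", "powershell.exe",
              'powershell -c "Get-Service *CrashPlan*; Get-ItemProperty HKLM:\\SOFTWARE\\CrashPlan"'),
    # Noise: process listing that names no backup product.
    ProcEvent(1700001100, "WS-1042", "corp\\jdoe", "cmd.exe", "tasklist.exe", "tasklist /svc"),
]

if __name__ == "__main__":
    for f in find_backup_discovery(SAMPLE_EVENTS):
        print(f)
```

The baselined events are dropped before clustering, so the approved account never contributes to a host's category count; the standard-account PowerShell on the backup server still reaches two categories in one command and is scored high because of the host role, while the workstation cluster spanning four categories lands at medium.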
Mitigation priorities
- Ensure backup administration privileges are limited, reviewed, and separated from normal user activity.
- Harden and monitor Windows systems that administer or host backup software, with special attention to command execution and administrative tooling.
- Maintain reliable endpoint logging for process command lines, PowerShell, registry access, service queries, and WMI where operationally appropriate.
- Document approved backup management tools and scripts so SOC teams can distinguish routine administration from unusual discovery.
- Include backup-product enumeration in incident response triage playbooks so responders quickly assess whether recovery infrastructure may be at risk.
Analyst notes and limits
The object describes a Windows detection analytic for observing command execution that enumerates backup products. Its strongest decision value is as an early resilience signal and a control-coverage check around backup infrastructure visibility. Relationship context is not supplied, so no related ATT&CK techniques, groups, campaigns, or software should be inferred.
Official detection content is not provided, tactics are not specified, and there are no supplied relationships. The examples of backup products are illustrative from the object, not a complete list. Local environment data is required to tune product names, approved administrative behavior, and alert severity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page on Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4e4862c006cb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0240 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.