AN0265: Analytic 0265
Account attribute changes (e.g., password set, group membership, servicePrincipalName, logon hours) correlated with unusual process lineage or timing, indicating privilege escalation or persistence via valid accounts.
Analyst context for executives and security teams
This analytic matters because changes to Windows account attributes can quietly alter who has access, when they can log on, or how an account can be used. When those changes occur at unusual times or from unusual process lineage, they may indicate that valid accounts are being prepared for privilege escalation or persistence. For leaders, the value is not just detecting a directory change; it is validating whether identity administration activity can be distinguished from suspicious account manipulation.
Executive priority
Prioritize this as an identity control and incident readiness question: can the organization prove which account attributes changed, who or what changed them, from where, and whether the activity matched expected administrative workflows? This supports business continuity, audit evidence, and faster incident decisions when privileged access or account persistence is suspected. Because the object is Windows-focused and no relationships or tactic mapping were supplied, priority should be based on the organization’s dependence on Windows identity infrastructure and the maturity of identity-change monitoring.
Technical view
For SOC, detection engineering, and IR teams, validate visibility into Windows account attribute changes such as password resets, group membership changes, servicePrincipalName updates, and logon-hours changes. Correlate those events with process lineage and timing to distinguish normal administration from unusual execution context or off-hours activity. Since no official detection logic is provided, teams should build and test environment-specific baselines for authorized identity administration paths, expected tooling, service accounts, administrative hosts, and maintenance windows.
Likely telemetry
- Windows account-management and directory change events
- Group membership change records
- Password set or reset events
- servicePrincipalName modification records
- Logon-hours or account restriction change records
Detection direction
- Validate that account attribute changes are collected with enough detail to identify actor, target account, attribute changed, source host, and time.
- Correlate identity changes with process lineage where available, especially changes initiated outside expected administrative tools or hosts.
- Baseline normal timing for account administration and review changes during unusual hours or outside maintenance windows.
- Tune for known help desk, identity management, and automated provisioning workflows to reduce false positives.
- Pay special attention to high-risk attributes such as privileged group membership, password set/reset activity, servicePrincipalName changes, and logon-hour changes.
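As an added example (not part of the ATT&CK object or the Glexia analysis), the correlation described in the technical view and detection direction above, run over constructed account-change events already joined to process lineage; the baseline sets, hostnames, tool names and event fields are assumptions to be replaced with the environment's own:

```python
from datetime import datetime

# Constructed baseline (assumptions, not from the analytic): tune per environment.
APPROVED_HOSTS = {"ADMIN-JUMP01"}                          # hosts where identity admin is expected
APPROVED_TOOLS = {"mmc.exe", "dsac.exe", "powershell.exe"} # tooling expected to make the change
APPROVED_PARENTS = {"explorer.exe", "svchost.exe"}         # expected parents of that tooling
HIGH_RISK_ATTRS = {"group_membership", "password_reset", "servicePrincipalName", "logonHours"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
ADMIN_HOURS = range(8, 18)                                 # maintenance window, local hours

# Constructed, normalized events: Security-log account-change fields (e.g. 4724/4728/4738/5136)
# joined to the image and parent image of the process that issued the change.
EVENTS = [
    {"time": "2024-05-14T10:15:00", "actor": "helpdesk1", "target": "jsmith",
     "attribute": "password_reset", "host": "ADMIN-JUMP01",
     "image": "mmc.exe", "parent": "explorer.exe"},
    {"time": "2024-05-14T02:41:00", "actor": "svc_backup", "target": "svc_backup",
     "attribute": "group_membership", "value": "Domain Admins", "host": "FILESRV02",
     "image": "net.exe", "parent": "cmd.exe"},
    {"time": "2024-05-14T11:02:00", "actor": "helpdesk1", "target": "svc_sql",
     "attribute": "servicePrincipalName", "host": "WS-1234",
     "image": "powershell.exe", "parent": "winword.exe"},
]

def review_change(evt):
    """Return the reasons one account attribute change deviates from the baseline."""
    reasons = []
    if datetime.fromisoformat(evt["time"]).hour not in ADMIN_HOURS:
        reasons.append("off-hours")
    if evt["host"] not in APPROVED_HOSTS:
        reasons.append("unexpected source host")
    if evt["image"] not in APPROVED_TOOLS or evt["parent"] not in APPROVED_PARENTS:
        reasons.append("unexpected process lineage")
    if evt["attribute"] == "group_membership" and evt["actor"] == evt["target"]:
        reasons.append("self-granted membership")
    if evt.get("value") in PRIVILEGED_GROUPS:
        reasons.append("privileged group")
    return reasons

def triage(events):
    """Flag high-risk attribute changes with at least one deviation; low-risk ones are left to baseline review."""
    findings = []
    for evt in events:
        reasons = review_change(evt)
        if reasons and evt["attribute"] in HIGH_RISK_ATTRS:
            findings.append((evt["target"], evt["attribute"], reasons))
    return findings

if __name__ == "__main__":
    for target, attr, reasons in triage(EVENTS):
        print(f"{target}: {attr} -> {', '.join(reasons)}")
```

Events that pass every check (the help-desk reset from the jump host) are not surfaced, while the self-granted off-hours group change and the SPN change from an Office-spawned shell are.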
Mitigation priorities
- Define and enforce approved workflows for Windows account attribute administration.
- Limit who can change sensitive account attributes and privileged group membership.
- Review privileged and service-account permissions regularly.
- Ensure logging is enabled and retained for account-management and relevant process activity.
- Use change-control evidence to separate expected administration from suspicious changes.
Analyst notes and limits
The supplied object is a detection analytic, not a full ATT&CK technique entry. Its practical value is in correlating Windows account attribute changes with unusual process lineage or timing. No tactic, relationship context, procedure examples, or formal detection logic were supplied, so local implementation must be based on environment-specific identity administration patterns.
Official detection content was not provided. Tactics were not specified, and no relationships were supplied. This take is limited to the official description, Windows platform field, and external reference for AN0265; it does not assert active exploitation, attribution, or existing detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7d77a4a2994e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0265
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.