AN0334: Analytic 0334

Correlated user account modification (reset, disable, deletion) events with anomalous process lineage (e.g., PowerShell or net.exe from an interactive session), especially outside of IT admin change windows or by non-admin users.

EnterpriseAN0334AnalyticObject v1.0 Modified Nov 12, 2025, 22:03 UTC (UTC+00:00)

Analytic AN0334 is about spotting risky Windows account changes—such as resets, disables, or deletions—when they occur with suspicious process context, such as PowerShell or net.exe launched from an interactive session. For leaders, the value is not just detecting an account change; it is confirming whether identity-impacting actions are expected, authorized, and explainable during a real incident or audit review.

Executive priority

Prioritize this analytic where Windows account administration affects business continuity, incident containment, and audit evidence. Unauthorized or poorly governed account modification can disrupt access, hide activity, or weaken recovery confidence. Security leaders should ask whether account-change monitoring is tied to approved change windows, administrator role validation, and SOC escalation procedures for non-admin or anomalous process-driven activity.

Technical view

For SOC, detection engineering, and IR teams, validate whether Windows user account modification events can be correlated with process lineage and user context. The supplied analytic specifically calls out reset, disable, and deletion events, anomalous parent/child process relationships such as PowerShell or net.exe from an interactive session, activity outside IT admin change windows, and actions by non-admin users. Because no official detection logic is provided, teams should build and test correlation logic using local Windows security, identity, endpoint, and change-management data.

Likely telemetry

Windows user account modification events covering account reset, disable, and deletion activity
Endpoint process creation telemetry with command/process lineage for PowerShell, net.exe, and parent interactive sessions
User identity and privilege context, including whether the actor is an administrator or non-admin user
Interactive logon/session context tied to the process and user performing the change
Approved IT administration windows or change-management records for correlation

Detection direction

Correlate account modification events with process lineage rather than alerting on account changes alone.
Tune for higher priority when PowerShell or net.exe is launched from an interactive session and is temporally linked to account reset, disable, or deletion events.
Compare activity against authorized admin users and approved change windows to reduce false positives from normal IT operations.
Validate coverage for non-admin initiated account changes or failed/blocked attempts where telemetry is available.
Document blind spots where endpoint process telemetry, Windows account-change auditing, or change-window data is incomplete.

Mitigation priorities

Ensure Windows account modification auditing is enabled and retained long enough for investigation and compliance evidence.
Restrict account administration rights to approved personnel and review whether non-admin users can trigger relevant account changes.
Maintain defined IT admin change windows and integrate them into SOC triage or detection enrichment where possible.
Harden administrative workflows so PowerShell and net.exe usage for account management is expected, logged, and reviewable.
Test incident response playbooks for suspicious account disable, deletion, or reset activity, including rapid validation of business impact and restoration needs.

Analyst notes and limits

This is a detection analytic object for Windows in the enterprise ATT&CK domain. Its decision value depends on correlation quality: account-change events alone are often legitimate, while process lineage, user privilege, interactive session context, and change-window data determine whether the behavior is suspicious.

The supplied ATT&CK object does not include tactics, relationships, aliases, labels, or official detection logic. No claims can be made about active exploitation, attribution, prevalence, or guaranteed detection. Local Windows audit policy, endpoint visibility, identity governance data, and change-management maturity are required to operationalize the analytic.

Official MITRE ATT&CK definition

Analytic 0334

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Nov 12, 2025, 22:03 UTC (UTC+00:00)
Raw hash: 6e7fb425bb0b9ff1...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Nov 12, 2025, 22:03 UTC (UTC+00:00)	Current bundle	`6e7fb425bb0b…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN0334
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use