MITRE ATT&CK® Analytic

AN0455: Analytic 0455

Cause→effect chain: (1) a user or service spawns a shell/PowerShell that queries local/domain password policy via commands/cmdlets (e.g., `net accounts`, `Get-ADDefaultDomainPasswordPolicy`, `secedit /export`); (2) optional directory/LDAP reads from DCs; (3) same principal performs adjacent Discovery or credential-related actions within a short window. Correlate sysmon process creation with PowerShell ScriptBlock and Security logs.

Enterprise · AN0455 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN0455 is a Windows detection analytic for identifying when an account checks local or domain password policy and then performs nearby discovery or credential-related activity. For leaders, the value is not that password policy lookup is always malicious; it is that this behavior can help distinguish routine administration from activity that may precede credential abuse, account targeting, or incident scoping decisions.

Executive priority

Prioritize this analytic where Active Directory and Windows account policy are important to business continuity and audit evidence. Security leaders should ask whether SOC teams can correlate process, PowerShell, Windows Security, and domain controller activity by the same principal within a short time window. The business decision value is in validating identity-monitoring readiness, not treating a single policy query as a confirmed incident.

Technical view

For Windows environments, validate correlation across process creation, PowerShell ScriptBlock logging, and Security logs. The analytic describes a cause-effect chain: a user or service launches a shell or PowerShell process to query local or domain password policy, optional directory or LDAP reads occur against domain controllers, and the same principal performs adjacent discovery or credential-related actions shortly afterward. Because no ATT&CK tactic or relationship context is supplied, teams should map the analytic locally to relevant identity, discovery, and credential-monitoring use cases rather than assuming a specific ATT&CK technique linkage.

Likely telemetry

  • Windows process creation telemetry, including Sysmon process creation where deployed
  • PowerShell ScriptBlock logging
  • Windows Security logs
  • Domain controller directory or LDAP read evidence where available
  • User or service account identity context for correlating actions by the same principal

Detection direction

  • Do not alert solely on password policy queries; tune for the chained pattern of policy lookup followed by nearby discovery or credential-related behavior by the same principal.
  • Baseline legitimate administrative, help desk, compliance, and configuration-management activity that may query password policy.
  • Validate that shell and PowerShell process execution is captured with command-line detail sufficient to identify password policy queries.
  • Confirm PowerShell ScriptBlock logging is enabled and retained where this analytic is expected to operate.
  • Ensure domain controller and Security logs can be joined to endpoint telemetry using account, host, and time fields.
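The chained pattern from the technical view and the detection-direction bullets above, as an added example that is not part of the MITRE analytic or Glexia's content: it runs over constructed Sysmon-style process-creation events, matches stage (1) on the commands the analytic names, then looks for follow-on discovery by the same principal inside a time window, and tags (rather than drops) principals on an approved-account baseline. The follow-on command set and the sample events are assumptions for illustration.

```python
import re
from datetime import datetime

# Constructed sample events shaped like Sysmon Event ID 1 (process creation)
# records; not real telemetry from any environment.
EVENTS = [
    {"time": "2024-05-01T09:00:05", "user": "CORP\\helpdesk1", "host": "WS01",
     "cmd": "net accounts /domain"},
    {"time": "2024-05-01T09:00:40", "user": "CORP\\helpdesk1", "host": "WS01",
     "cmd": "net user /domain"},
    {"time": "2024-05-01T09:01:10", "user": "CORP\\helpdesk1", "host": "WS01",
     "cmd": "powershell.exe -NoP -c Get-ADUser -Filter *"},
    {"time": "2024-05-01T14:00:00", "user": "CORP\\svc_cfgmgmt", "host": "DC01",
     "cmd": "powershell.exe Get-ADDefaultDomainPasswordPolicy"},
    {"time": "2024-05-01T16:30:00", "user": "CORP\\svc_cfgmgmt", "host": "DC01",
     "cmd": "net group /domain"},
]

# Stage (1): the password-policy queries the analytic names.
POLICY_QUERY = re.compile(
    r"net(?:1)?(?:\.exe)?\s+accounts|Get-ADDefaultDomainPasswordPolicy"
    r"|secedit(?:\.exe)?\s+/export", re.IGNORECASE)
# Stage (3): adjacent account/group discovery. The analytic does not list
# these; this set is an assumed starting point to be tuned locally.
FOLLOW_ON = re.compile(
    r"net(?:1)?(?:\.exe)?\s+(?:user|group|localgroup)\b|Get-AD(?:User|Group)\b"
    r"|nltest|whoami", re.IGNORECASE)

def chained_policy_discovery(events, window_minutes=10, baseline=()):
    """One finding per policy query that the same principal followed within
    window_minutes with discovery. Principals in `baseline` (approved admin,
    help-desk or config-management accounts) are tagged, not dropped."""
    baseline = {b.lower() for b in baseline}
    by_user = {}
    for ev in sorted(events, key=lambda e: e["time"]):  # group by principal
        by_user.setdefault(ev["user"].lower(), []).append(ev)
    findings = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if not POLICY_QUERY.search(ev["cmd"]):
                continue
            t0 = datetime.fromisoformat(ev["time"])
            follow = [f["cmd"] for f in evs[i + 1:]
                      if (datetime.fromisoformat(f["time"]) - t0).total_seconds()
                      <= window_minutes * 60 and FOLLOW_ON.search(f["cmd"])]
            if follow:
                findings.append({"user": ev["user"], "host": ev["host"],
                                 "policy_query": ev["cmd"], "follow_on": follow,
                                 "baselined": user in baseline})
    return findings
```

With the sample data only the help-desk account trips the chain inside the default 10-minute window; the service account's policy read and later group enumeration are 150 minutes apart and surface only if the window is widened, which is the tuning decision the bullets above describe.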

Mitigation priorities

  • First, ensure logging prerequisites are enabled and retained for Windows process creation, PowerShell, and Security events.
  • Second, define approved administrative workflows and accounts that legitimately query password policy so detections can be tuned without suppressing suspicious context.
  • Third, review least-privilege and service-account governance for principals that can perform directory reads or broad discovery.
  • Fourth, use findings from this analytic to improve incident response playbooks for identity investigation, including account timeline reconstruction and domain controller log review.
  • Fifth, maintain audit evidence showing that password policy visibility, privileged activity, and identity telemetry are monitored consistently.

Analyst notes and limits

This object is a detection analytic, not a technique, and the supplied record contains no relationships. The strongest use is as a correlation pattern for Windows identity monitoring: policy lookup plus adjacent discovery or credential-related activity. Local baselining is essential because the initial behavior can be routine administration.

Official detection content is not provided, tactics are not specified, and no relationship context is supplied. The object supports Windows only. This take does not infer active exploitation, attribution, guaranteed detection coverage, or a specific ATT&CK technique beyond the supplied analytic description.

Official MITRE ATT&CK definition

Analytic 0455


The same entry can be viewed on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 44160e0a679cde34...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  44160e0a679c…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0455 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.