Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0488: Analytic 0488

A trusted/signed developer utility (parent) is executed in a non-developer context and (a) spawns suspicious children (e.g., powershell.exe, cmd.exe, rundll32.exe, regsvr32.exe, wscript.exe), (b) loads unsigned/user-writable DLLs, (c) writes and then runs a new PE from user-writable paths, and/or (d) immediately makes outbound network connections.

EnterpriseAN0488AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is about spotting trusted, signed developer utilities behaving out of place on Windows systems. The business issue is not the developer tool itself, but whether a normally legitimate utility is being used in a non-developer context to launch suspicious programs, load questionable DLLs, create and execute new binaries from user-writable locations, or make immediate outbound connections. For leaders, this is a control-validation problem: can the organization distinguish approved developer activity from unexpected execution paths that may require investigation?

Executive priority

Prioritize this where Windows endpoints include both developer and non-developer populations. The value is in reducing blind spots around trusted-tool abuse and improving SOC triage quality: security teams need evidence showing which signed developer utilities are expected, where they should run, and what child processes, DLL loads, file writes, execution paths, and network connections are normal. This can support incident decision-making, audit evidence for endpoint monitoring, and budget decisions around endpoint telemetry quality and application governance.

Technical view

For Windows monitoring, validate whether telemetry can identify a signed or trusted developer utility as the parent process and correlate it with suspicious child processes such as powershell.exe, cmd.exe, rundll32.exe, regsvr32.exe, or wscript.exe; unsigned or user-writable DLL loads; writes followed by execution of a new PE from user-writable paths; and immediate outbound network connections. Because no official detection logic or ATT&CK tactic is supplied, teams should treat this as an analytic pattern to test and tune rather than a complete rule. Establish developer versus non-developer baselines before alerting broadly.

Likely telemetry

  • Windows process creation events with parent/child process context
  • Executable signing or trust metadata for parent utilities
  • DLL load telemetry including signing status and file path
  • File creation/write events, especially PE files in user-writable paths
  • Process execution events for newly written files

Detection direction

  • Validate that process telemetry preserves parent process names, paths, command lines, and signer/trust information.
  • Tune for non-developer contexts, since legitimate developer workstations may generate similar behavior.
  • Correlate multiple signals where possible: suspicious child process plus user-writable DLL load, new PE execution, or immediate network connection is higher value than a single weak indicator.
  • Review false positives from sanctioned build tools, scripting workflows, installers, software updaters, and administrative activity.
  • Confirm visibility into user-writable paths and DLL load events; these are common blind spots if endpoint logging is process-only.

Mitigation priorities

  • Define and maintain an inventory of approved developer utilities and where they are expected to run.
  • Separate developer and non-developer endpoint baselines to make suspicious use of trusted tools easier to identify.
  • Restrict or govern execution from user-writable paths where operationally feasible.
  • Harden endpoint monitoring to capture process, module load, file write/execution, and network activity on Windows systems.
  • Use application control or least-privilege policies to reduce unnecessary access to developer utilities on non-developer systems.
Analyst notes and limits

This object is a detection analytic, not a technique description. It focuses on Windows and trusted/signed developer utilities used in non-developer contexts. No relationships, tactic mapping, or official detection implementation were supplied, so the strongest use is as a validation checklist for endpoint telemetry, baselining, and triage logic.

The supplied ATT&CK fields do not identify specific developer utilities, tactics, adversary use, impact, or active exploitation. Detection text is not provided beyond the analytic description, and no relationships are supplied. Local environment knowledge is required to define what counts as a developer context, which utilities are approved, and what behavior is normal.

Official MITRE ATT&CK definition

Analytic 0488

A trusted/signed developer utility (parent) is executed in a non-developer context and (a) spawns suspicious children (e.g., powershell.exe, cmd.exe, rundll32.exe, regsvr32.exe, wscript.exe), (b) loads unsigned/user-writable DLLs, (c) writes and then runs a new PE from user-writable paths, and/or (d) immediately makes outbound network connections.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
aab23193aa7027ac...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle aab23193aa70…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0488
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use