AN0520: Analytic 0520
Monitors sequences involving deletion/modification of logs, registry keys, scheduled tasks, or prefetch files following suspicious process activity or elevated access escalation.
Analyst context for executives and security teams
Analytic 0520 is a Windows-focused detection analytic for suspicious cleanup or persistence-hiding activity: changes or deletion of logs, registry keys, scheduled tasks, or prefetch files after suspicious process activity or elevated access. For leaders, the value is not that any single file or registry change is automatically malicious, but that these sequences can indicate an intruder or unauthorized administrator attempting to reduce evidence, hide execution, or obscure follow-on activity.
Executive priority
Prioritize this analytic as an incident-readiness and audit-evidence control. If Windows endpoints and servers do not retain process, privilege, registry, scheduled task, log, and prefetch-related evidence, responders may lose the timeline needed to scope an intrusion or prove what happened. Security leaders should ask whether SOC coverage can correlate suspicious execution with later evidence tampering, and whether retention policies preserve enough data for investigations.
Technical view
Validate this analytic on Windows telemetry by correlating suspicious process activity or elevated access escalation with subsequent deletion or modification of logs, registry keys, scheduled tasks, or prefetch files. Because ATT&CK did not provide a detection implementation, teams should define local logic, time windows, and severity rules. Focus on sequence-based detection rather than isolated events, and test whether endpoint, Windows event, and registry/task monitoring sources are complete enough to reconstruct the chain.
Likely telemetry
- Windows process creation and command-line telemetry
- Privilege or elevated access indicators
- Windows event log clear/delete/modify events where available
- Registry key creation, modification, and deletion telemetry
- Scheduled task creation, modification, and deletion telemetry
Detection direction
- Build correlation around suspicious process activity followed by log, registry, scheduled task, or prefetch modification/deletion.
- Tune for administrative maintenance tools and approved software deployment activity to reduce false positives.
- Validate whether events are still captured when local logs are deleted or modified; forward logs centrally where possible.
- Review alert timing windows so cleanup activity shortly after elevated access is not missed.
- Because no tactic or relationship context is supplied, map detections to local incident categories and relevant ATT&CK techniques during internal engineering.
Mitigation priorities
- Ensure centralized logging and retention so local log deletion does not remove investigative evidence.
- Limit and monitor elevated access capable of changing logs, registry keys, scheduled tasks, and forensic artifacts.
- Harden administrative workflows so legitimate maintenance activity is attributable and distinguishable from suspicious cleanup.
- Maintain endpoint telemetry coverage for process, registry, scheduled task, and file-system changes on Windows systems.
- Include this sequence in incident response playbooks for triage, scoping, and evidence preservation.
Analyst notes and limits
This object is a detection analytic, not a full ATT&CK technique entry. The supplied description supports a Windows sequence-detection use case centered on suspicious activity followed by evidence or configuration modification. No relationships, aliases, labels, tactics, or official detection logic were supplied, so local engineering decisions are required.
The official detection field is not provided, and no relationship context is supplied. This take does not assert active exploitation, attribution, impact, or guaranteed detection coverage. Applicability is limited to the supplied platform: Windows.
Analytic 0520
Monitors sequences involving deletion/modification of logs, registry keys, scheduled tasks, or prefetch files following suspicious process activity or elevated access escalation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 294f16948b16… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0520Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.