AN0626: Analytic 0626
Detects cloud-native software deployment or management (e.g., SSM Run Command, Intune) initiating script execution on endpoints outside expected org IDs, admin groups, or maintenance windows.
Analyst context for executives and security teams
This analytic matters because legitimate SaaS-based management tools can execute scripts at scale on endpoints. If those tools initiate script execution from unexpected organization IDs, admin groups, or outside approved maintenance windows, the event may represent misuse of trusted administration paths rather than a simple endpoint anomaly.
Executive priority
Security leaders should treat this as a control-validation question: do we know which cloud management services are authorized to run scripts, who can trigger them, and when they are allowed to operate? The business risk is operational disruption or unauthorized endpoint change through trusted management channels, so evidence of governance, logging, and approval boundaries is important for resilience and audit readiness.
Technical view
SOC and detection teams should validate whether SaaS management platforms that perform endpoint administration, such as the examples in the ATT&CK description, generate usable logs for script execution initiation, actor identity, organization or tenant context, admin group membership, target endpoint scope, and execution time. Because the official detection field is not provided and no tactic relationships are supplied, teams should treat AN0626 as a detection concept requiring local baselining rather than a complete rule.
Likely telemetry
- SaaS administration and audit logs for script execution or remote command actions
- Cloud-native endpoint management logs showing initiator, tenant or organization ID, target devices, and command metadata
- Identity and access records for admin group membership and privileged role assignments
- Change-management or maintenance-window records for authorized execution periods
- Endpoint telemetry confirming script start time, parent management agent, and affected host scope
Detection direction
- Baseline expected organization IDs, tenants, admin groups, and approved maintenance windows for SaaS-driven script execution.
- Alert on script execution initiated outside those expected boundaries, especially when the initiating identity or group is unusual for the target endpoint population.
- Tune for legitimate emergency maintenance and approved administrative exceptions to reduce false positives.
- Correlate SaaS-side initiation logs with endpoint-side execution evidence so the SOC can distinguish authorized management activity from suspicious use of trusted tooling.
- Identify blind spots where SaaS audit logs are not retained, admin group changes are not monitored, or maintenance-window data is not available to the detection pipeline.
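As an added illustration of the baselining and correlation steps listed above (example code written for this page, not part of the ATT&CK object or Glexia's analysis), the following Python flags SaaS-side script-initiation records that fall outside a constructed baseline of org IDs, admin groups and a maintenance window, then checks each target host for endpoint-side execution evidence. The event field names, org ID, group name and sample records are constructed placeholders; real SSM Run Command or Intune audit records would have to be mapped onto them.

```python
from datetime import datetime, time, timezone
# Constructed baseline (placeholder org ID and group name, not real values).
BASELINE = {
    "org_ids": {"o-1111aaaa"},
    "admin_groups": {"EndpointAdmins"},
    "window_utc": (time(1, 0), time(4, 0)),  # approved window, UTC, [start, end)
}

# Constructed sample records: SaaS-side initiations and endpoint-side starts.
SAAS_EVENTS = [
    {"cmd": "c1", "org_id": "o-1111aaaa", "actor": "alice", "groups": ["EndpointAdmins"],
     "targets": ["host-a"], "time": "2026-01-10T02:15:00+00:00"},
    {"cmd": "c2", "org_id": "o-9999zzzz", "actor": "svc-deploy", "groups": ["Developers"],
     "targets": ["host-b", "host-d"], "time": "2026-01-10T14:05:00+00:00"},
    {"cmd": "c3", "org_id": "o-1111aaaa", "actor": "bob", "groups": ["EndpointAdmins"],
     "targets": ["host-c"], "time": "2026-01-10T13:00:00+00:00"},
]
ENDPOINT_EVENTS = [
    {"cmd": "c1", "host": "host-a", "parent": "ssm-agent"},
    {"cmd": "c2", "host": "host-b", "parent": "ssm-agent"},
]

def violations(event, baseline=BASELINE):
    """Names of the baseline boundaries a SaaS-side initiation event crosses."""
    found = []
    if event["org_id"] not in baseline["org_ids"]:
        found.append("unexpected_org_id")
    if not set(event["groups"]) & baseline["admin_groups"]:
        found.append("actor_not_in_admin_group")
    start, end = baseline["window_utc"]
    t = datetime.fromisoformat(event["time"]).astimezone(timezone.utc).time()
    if not (start <= t < end):
        found.append("outside_maintenance_window")
    return found

def triage(saas_events=SAAS_EVENTS, endpoint_events=ENDPOINT_EVENTS, baseline=BASELINE):
    """Alert on out-of-boundary initiations and attach endpoint-side evidence.
    A target with no endpoint record is a visibility gap, not proof nothing ran."""
    seen = {(e["cmd"], e["host"]) for e in endpoint_events}
    alerts = []
    for ev in saas_events:
        why = violations(ev, baseline)
        if not why:
            continue
        confirmed = [h for h in ev["targets"] if (ev["cmd"], h) in seen]
        alerts.append({"cmd": ev["cmd"], "actor": ev["actor"], "reasons": why,
                       "confirmed_hosts": confirmed,
                       "no_endpoint_evidence": [h for h in ev["targets"] if h not in confirmed]})
    return alerts
```

Tuning for approved emergency changes would be a second allow-list consulted before `violations` is applied, keyed on the change record rather than on the actor.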
Mitigation priorities
- Maintain an approved inventory of SaaS management platforms permitted to execute scripts on endpoints.
- Restrict script-execution permissions to defined administrative groups and review privileged membership regularly.
- Require documented maintenance windows or change approvals for broad endpoint script execution where operationally feasible.
- Ensure SaaS audit logging and endpoint telemetry are retained and available to detection and incident response teams.
- Periodically test whether unauthorized organization IDs, unexpected admin groups, or out-of-window executions would be visible to the SOC.
Analyst notes and limits
AN0626 is a detection analytic for SaaS platforms focused on cloud-native software deployment or management initiating script execution on endpoints outside expected organizational, administrative, or timing boundaries. No relationships or official detection logic were supplied, so implementation depends on local SaaS tooling, identity model, endpoint management architecture, and change-control data.
The ATT&CK object provides a description but no official detection details, no mapped tactics, and no relationship context. This take does not infer adversary use, impact, or coverage beyond the supplied analytic description.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 015a513d23ad… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.