MITRE ATT&CK® Analytic

AN0699: Analytic 0699

Execution of `pip.exe`, `npm.cmd`, or MSI installers within user context, followed by script interpreter startup (e.g., python.exe) or PowerShell with unusual child processes or file writes in `%APPDATA%`, `%TEMP%`, or `%LOCALAPPDATA%`. Defender correlates command-line install tools with Sysmon and Event Logs to trace downstream behavior.

Enterprise | AN0699 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting suspicious Windows user-context software installation activity: tools such as pip.exe, npm.cmd, or MSI installers run by a user, followed by script interpreters or PowerShell and unusual child processes or file writes in user-writable locations like %APPDATA%, %TEMP%, or %LOCALAPPDATA%. For leaders, the value is validating whether the SOC can connect an apparently routine install event to downstream behavior that may create operational or incident-response risk.

Executive priority

Prioritize this as a coverage validation item for Windows endpoint monitoring and incident triage. The business question is not simply whether install tools are allowed, but whether security teams can distinguish normal developer or user activity from unusual follow-on execution and file activity in user profile paths. This supports operational resilience, audit evidence for endpoint visibility, and faster incident decision-making when user-context execution is involved.

Technical view

For SOC and detection engineering teams, validate correlation across command-line install tool execution, process lineage, script interpreter or PowerShell startup, unusual child processes, and file writes under %APPDATA%, %TEMP%, and %LOCALAPPDATA%. Because no ATT&CK tactic or formal detection logic is supplied, treat this as a behavioral analytic requiring local baselining. Confirm that Windows endpoint telemetry can reconstruct parent-child process chains and command lines around pip.exe, npm.cmd, MSI installer activity, python.exe, and PowerShell.

Likely telemetry

  • Windows process creation events with command-line arguments
  • Parent-child process lineage from endpoint telemetry
  • Sysmon process creation and file creation/write events, where deployed
  • Windows Event Logs relevant to process and installer activity
  • File write telemetry for %APPDATA%, %TEMP%, and %LOCALAPPDATA%

Detection direction

  • Correlate user-context execution of pip.exe, npm.cmd, or MSI installers with subsequent script interpreter or PowerShell activity.
  • Tune against expected software installation, developer workflows, and administrative packaging activity to reduce false positives.
  • Focus review on unusual child processes and file writes in user-writable directories rather than installer execution alone.
  • Validate that telemetry preserves command line, user context, process ancestry, and file path details; without these fields, this analytic will be weak.
  • Use local baselines because the supplied ATT&CK object does not provide a formal detection query, thresholds, or tactic mapping.
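
As an added illustration of the correlation these points describe (example code, not part of the ATT&CK object or Glexia's page), the Python below walks Sysmon-style process-create (Event ID 1) and file-create (Event ID 11) records, seeds a chain at each user-context pip.exe, npm.cmd or msiexec.exe run, and flags non-baselined children of a downstream interpreter or interpreter writes under %APPDATA%, %TEMP% or %LOCALAPPDATA%. The field names, time window, baseline allowlists and sample events are constructed assumptions to be replaced by local telemetry and local baselines.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INSTALL_TOOLS = {"pip.exe", "npm.cmd", "msiexec.exe"}
INTERPRETERS = {"python.exe", "powershell.exe", "pwsh.exe"}
SERVICE_USERS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"}
USER_PATHS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\appdata\\local\\")  # %APPDATA%, %TEMP%, %LOCALAPPDATA%
EXPECTED_WRITES = ("\\appdata\\local\\pip\\", "\\appdata\\local\\npm-cache\\")  # assumed baseline; tune locally
EXPECTED_CHILDREN = {"conhost.exe"}  # assumed baseline; tune locally
WINDOW = timedelta(minutes=10)  # assumed correlation window

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def correlate(events):  # returns (install_guid, reason, detail) tuples
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    kids, writes = defaultdict(list), defaultdict(list)
    for e in events:  # EventID 1 = process create (index by parent), 11 = file create (index by writer)
        (kids[e["ParentProcessGuid"]] if e["EventID"] == 1 else writes[e["ProcessGuid"]]).append(e)
    alerts = []
    for guid, ev in procs.items():
        if _base(ev["Image"]) not in INSTALL_TOOLS or ev["User"].upper() in SERVICE_USERS:
            continue  # only user-context install tools seed a chain
        start, stack = datetime.fromisoformat(ev["UtcTime"]), [ev]
        while stack:  # walk descendants created within WINDOW of the install
            parent = stack.pop()
            for c in kids[parent["ProcessGuid"]]:
                if datetime.fromisoformat(c["UtcTime"]) - start > WINDOW:
                    continue
                stack.append(c)
                name = _base(c["Image"])
                if _base(parent["Image"]) in INTERPRETERS and name not in INTERPRETERS | EXPECTED_CHILDREN:
                    alerts.append((guid, "unusual_child", c["CommandLine"]))
                for w in (writes[c["ProcessGuid"]] if name in INTERPRETERS else []):
                    p = w["TargetFilename"].lower()
                    if any(m in p for m in USER_PATHS) and not any(m in p for m in EXPECTED_WRITES):
                        alerts.append((guid, "user_path_write", w["TargetFilename"]))
    return alerts

def _proc(guid, parent, image, user, t, cmd=None):
    return {"EventID": 1, "ProcessGuid": guid, "ParentProcessGuid": parent, "Image": image, "User": user, "UtcTime": t, "CommandLine": cmd or image}

U = "CORP\\alice"
SAMPLE_EVENTS = [  # constructed Sysmon-style events, not real telemetry
    _proc("I1", "X0", "C:\\Python312\\Scripts\\pip.exe", U, "2025-01-01T10:00:00", "pip.exe install somepkg"),
    _proc("P1", "I1", "C:\\Python312\\python.exe", U, "2025-01-01T10:00:01"),
    {"EventID": 11, "ProcessGuid": "P1", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\pip\\Cache\\http\\abc"},  # expected
    {"EventID": 11, "ProcessGuid": "P1", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\helper.exe"},  # unexpected
    _proc("K1", "P1", "C:\\Windows\\System32\\conhost.exe", U, "2025-01-01T10:00:02"),
    _proc("K2", "P1", "C:\\Windows\\System32\\cmd.exe", U, "2025-01-01T10:00:03", "cmd.exe /c echo hi"),
    _proc("K3", "P1", "C:\\Windows\\System32\\cmd.exe", U, "2025-01-01T10:30:00"),  # outside WINDOW
    _proc("I2", "X1", "C:\\Windows\\System32\\msiexec.exe", "NT AUTHORITY\\SYSTEM", "2025-01-01T10:05:00"),  # service context
]
```

Running `correlate(SAMPLE_EVENTS)` yields one `user_path_write` and one `unusual_child` alert for chain I1; the pip cache write, the conhost.exe child, the out-of-window cmd.exe and the SYSTEM msiexec.exe produce nothing, which is the tuning the list above asks for.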

Mitigation priorities

  • Establish visibility first: ensure Windows endpoints collect process, command-line, lineage, and relevant file-write telemetry.
  • Review policy for user-context software installation and script interpreter use, especially where business roles do not require it.
  • Limit unnecessary execution from user-writable paths where feasible through standard endpoint hardening controls.
  • Document approved developer and administrative installation workflows so SOC tuning can separate expected activity from suspicious patterns.
  • Include this behavior in incident-response playbooks for triaging suspicious user-context execution chains.

Analyst notes and limits

This is a detection analytic object, not a technique description. The strongest operational use is as a validation checklist for Windows endpoint telemetry and SOC correlation logic. The relationship context is empty, so no related ATT&CK techniques, groups, software, or campaigns are inferred.

The official detection field is not provided, tactics are not specified, and no relationships are supplied. This take is limited to the official description, Windows platform scope, and the external MITRE reference. Local environment baselines are required to determine what is unusual.

Official MITRE ATT&CK definition

Analytic 0699

Execution of `pip.exe`, `npm.cmd`, or MSI installers within user context, followed by script interpreter startup (e.g., python.exe) or PowerShell with unusual child processes or file writes in `%APPDATA%`, `%TEMP%`, or `%LOCALAPPDATA%`. Defender correlates command-line install tools with Sysmon and Event Logs to trace downstream behavior.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: aee112f9a557c496...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: aee112f9a557…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0699, external source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.