AN0871: Analytic 0871

Multi-event correlation of Registry creation under Active Setup with anomalous execution of processes at user logon. Behavioral patterns include creation/modification of HKLM Active Setup keys with non-standard StubPath values, followed by process execution from uncommon paths, unsigned binaries, or unusual parent-child lineage post-user login.

EnterpriseAN0871AnalyticObject v1.0 Modified Nov 12, 2025, 22:03 UTC (UTC+00:00)

AN0871 is a Windows detection analytic for spotting suspicious use of Active Setup registry keys that is followed by unusual process execution when a user logs on. The business value is that it focuses on a persistence-style pattern that can turn a single endpoint change into repeated execution in user sessions, making it relevant to incident containment, endpoint hardening, and evidence that Windows registry and process telemetry are usable for investigations.

Executive priority

Prioritize this as a control-validation item for Windows endpoint resilience and SOC readiness. Leaders should ask whether the organization can correlate registry changes under Active Setup with user-logon process activity, whether endpoint logging is retained long enough for incident response, and whether unsigned or uncommon-path binaries are reviewed with enough context to avoid both missed persistence and alert fatigue.

Technical view

For SOC and detection engineering teams, validate multi-event correlation on Windows between creation or modification of HKLM Active Setup keys, non-standard StubPath values, and subsequent process execution after user logon. Useful context includes process path rarity, binary signing status, and parent-child lineage. Because no official detection logic is supplied, teams should treat AN0871 as a behavioral design pattern rather than a ready-to-deploy rule and tune it against known administrative, software deployment, and logon initialization activity.

Likely telemetry

Windows registry creation and modification events for HKLM Active Setup locations
Registry value data for StubPath entries
User logon events or session-start context
Process creation events after user logon
Process command line, image path, parent process, and parent-child lineage

Detection direction

Confirm telemetry can link registry changes to later user-logon process execution on the same Windows host and user context where applicable.
Baseline legitimate Active Setup keys and StubPath values used by operating system components, enterprise software, and deployment tooling.
Prioritize anomalies involving non-standard StubPath values, uncommon execution paths, unsigned binaries, or unusual parent-child lineage after login.
Tune for false positives from software installation, patching, profile initialization, and endpoint management activity.
Because ATT&CK provides no formal detection logic and no relationship context, validate thresholds and enrichment locally before treating alerts as high confidence.

Mitigation priorities

Harden and monitor permissions around HKLM Active Setup registry locations according to least-privilege principles.
Maintain endpoint logging for registry changes, user logons, process creation, and code-signing context to support investigation and compliance evidence.
Use allowlisting, software control, or application governance where appropriate to reduce execution from uncommon or untrusted paths.
Review administrative and software deployment processes that legitimately modify Active Setup so detections can distinguish approved change from suspicious persistence behavior.
Ensure incident response playbooks include registry persistence review and post-logon execution analysis on affected Windows systems.

Analyst notes and limits

This analytic is service-relevant for managed detection, incident response readiness, endpoint hardening, and audit evidence because it depends on correlating multiple endpoint event classes rather than a single indicator. The supplied object identifies Windows as the platform and describes the behavioral pattern, but it does not specify tactics, related techniques, groups, malware, campaigns, or a concrete detection query.

The official detection field is not provided, tactics are not specified, and no relationships were supplied. This take is therefore limited to the official description and external reference for AN0871. Local telemetry quality, retention, endpoint configuration, and enterprise software baselines are required to determine practical detection coverage and alert severity.

Official MITRE ATT&CK definition

Analytic 0871

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Nov 12, 2025, 22:03 UTC (UTC+00:00)
Raw hash: 905b032c5980021a...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Nov 12, 2025, 22:03 UTC (UTC+00:00)	Current bundle	`905b032c5980…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN0871
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use