AN0975: Analytic 0975
Correlate registry modifications (e.g., UAC bypass registry keys), unusual parent-child process relationships (e.g., control.exe spawning cmd.exe), and unsigned elevated process executions with non-standard tokens or elevation flags.
Analyst context for executives and security teams
AN0975 is a Windows detection analytic focused on correlating signals that often matter when a process gains or appears to gain elevated privileges: registry changes associated with UAC bypass behavior, unusual parent-child process chains, and unsigned elevated executions with abnormal token or elevation attributes. For leaders, the value is not the single alert; it is whether the SOC can connect identity, endpoint, and process evidence quickly enough to distinguish routine administration from suspicious elevation activity.
Executive priority
Prioritize this analytic as a validation point for Windows privilege-control monitoring and incident readiness. It helps answer whether the organization can produce audit-ready evidence around elevated execution, investigate suspicious administrative behavior, and detect weak points in endpoint hardening or identity governance. Budget and control decisions should focus on telemetry completeness, correlation quality, and response procedures for suspicious elevation events rather than assuming one registry or process event is sufficient.
Technical view
SOC and detection teams should validate that Windows endpoint telemetry can correlate registry modifications, parent-child process relationships such as control.exe spawning cmd.exe, code-signing status for elevated processes, and token or elevation flag details. Because no ATT&CK tactics or relationship context are supplied, this should be treated as a detection analytic for suspicious Windows elevation patterns, not as proof of a specific technique or intrusion stage. IR teams should ensure triage playbooks can pivot from the initial event to user context, process lineage, registry timeline, binary signing status, and elevation metadata.
Likely telemetry
- Windows registry modification events, especially changes to keys associated with UAC bypass patterns
- Process creation telemetry with full parent-child lineage
- Process elevation metadata, including token type or elevation flags where available
- Code-signing or unsigned binary execution data
- User and session context for the elevated process
Detection direction
- Validate correlation logic across registry modification, process lineage, unsigned elevated execution, and abnormal token or elevation attributes rather than alerting on each signal in isolation.
- Tune for known administrative tools and legitimate software installers that may create unusual process trees or elevated executions.
- Review whether telemetry captures parent and child process names, command context, signing status, user context, and elevation metadata consistently across Windows assets.
- Investigate blind spots where endpoint logging does not retain registry detail or token/elevation attributes, because those gaps materially weaken this analytic.
- Use the supplied example of control.exe spawning cmd.exe as a pattern to validate process-tree visibility, not as the only suspicious sequence.
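To make the correlation requirement concrete, the following added example (not part of the ATT&CK object or the Glexia page) sketches the detection logic over a handful of constructed endpoint events. It groups events per host, slides a short time window, and raises one alert only when at least two distinct AN0975 signals (a write to a known UAC bypass registry path, an unusual parent-child pair such as control.exe spawning cmd.exe, or an unsigned high-integrity process carrying a full elevation token) appear together. The event field names, the registry key list, the lineage pairs and the sample events are all assumptions of the example; map your own telemetry and baselines onto them.

```python
"""Correlate AN0975-style signals (UAC bypass registry keys, unusual
parent-child lineage, unsigned elevated execution) across normalized
endpoint events instead of alerting on any one of them alone.

The event schema below (host, ts, kind, key, image, parent_image, signed,
integrity, elevation_type) is an assumption of this example, not a vendor
or Sysmon field list; map your own telemetry onto it.
"""
from datetime import datetime, timedelta

# Registry paths widely documented as UAC bypass targets. The list is an
# assumption of the example; populate it from your own intel and baselines.
UAC_BYPASS_KEYS = (
    r"hkcu\software\classes\ms-settings\shell\open\command",
    r"hkcu\software\classes\mscfile\shell\open\command",
    r"hkcu\software\classes\exefile\shell\open\command",
)

# Parent -> child pairs that rarely occur in routine administration.
# control.exe -> cmd.exe is the pattern named in the analytic text.
SUSPICIOUS_LINEAGE = {
    ("control.exe", "cmd.exe"),
    ("control.exe", "powershell.exe"),
    ("fodhelper.exe", "cmd.exe"),
    ("eventvwr.exe", "cmd.exe"),
}

ELEVATED_INTEGRITY = {"High", "System"}


def classify(event):
    """Return the set of AN0975 signal names one event contributes."""
    signals = set()
    if event["kind"] == "registry":
        key = event["key"].lower()
        if any(key.startswith(k) for k in UAC_BYPASS_KEYS):
            signals.add("uac_bypass_key")
    elif event["kind"] == "process":
        parent = event.get("parent_image", "").lower()
        child = event["image"].lower()
        if (parent, child) in SUSPICIOUS_LINEAGE:
            signals.add("unusual_lineage")
        elevated = event.get("integrity") in ELEVATED_INTEGRITY
        # "Full" is the elevated token type; together with an unsigned image
        # it forms the unsigned-elevated-with-elevation-flag signal.
        if (elevated and not event.get("signed", True)
                and event.get("elevation_type") == "Full"):
            signals.add("unsigned_elevated")
    return signals


def correlate(events, window=timedelta(seconds=120), min_signals=2):
    """Group events per host, slide a time window, and emit one alert per
    cluster that shows at least `min_signals` distinct AN0975 signals."""
    alerts = []
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(evs):
            start = datetime.fromisoformat(evs[i]["ts"])
            j = i
            signals, evidence = set(), []
            while (j < len(evs)
                   and datetime.fromisoformat(evs[j]["ts"]) - start <= window):
                found = classify(evs[j])
                if found:
                    signals |= found
                    evidence.append(evs[j])
                j += 1
            if len(signals) >= min_signals:
                alerts.append({"host": host, "first_ts": evs[i]["ts"],
                               "signals": signals, "evidence": evidence})
                i = j  # consume the cluster so it is reported once
            else:
                i += 1
    return alerts


# Constructed sample telemetry for the example (not real logs).
SAMPLE_EVENTS = [
    # WS01: the full pattern within two minutes.
    {"host": "WS01", "ts": "2024-05-01T10:00:00", "kind": "registry",
     "image": "powershell.exe",
     "key": r"HKCU\Software\Classes\ms-settings\shell\open\command"},
    {"host": "WS01", "ts": "2024-05-01T10:00:30", "kind": "process",
     "parent_image": "control.exe", "image": "cmd.exe",
     "signed": True, "integrity": "High", "elevation_type": "Full"},
    {"host": "WS01", "ts": "2024-05-01T10:00:45", "kind": "process",
     "parent_image": "cmd.exe", "image": "upd.exe",
     "signed": False, "integrity": "High", "elevation_type": "Full"},
    # WS02: routine signed installer elevated by an administrator.
    {"host": "WS02", "ts": "2024-05-01T10:05:00", "kind": "process",
     "parent_image": "explorer.exe", "image": "msiexec.exe",
     "signed": True, "integrity": "High", "elevation_type": "Full"},
    # WS03: one registry signal with nothing else nearby; not enough alone.
    {"host": "WS03", "ts": "2024-05-01T10:07:00", "kind": "registry",
     "image": "reg.exe",
     "key": r"HKCU\Software\Classes\mscfile\shell\open\command"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["host"], alert["first_ts"], sorted(alert["signals"]))
```

Run as a script it reports a single alert for WS01 carrying all three signals; WS02 (a signed, elevated installer) and WS03 (a lone registry write) produce nothing, which is the behaviour the analytic calls for. The window, the minimum signal count and the lineage table are the tuning knobs the Detection direction bullets refer to; in production, the lineage and key lists would come from baselines rather than literals.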
Mitigation priorities
- Ensure Windows endpoint logging and EDR configuration capture registry modifications, process lineage, signing status, and elevation metadata.
- Harden and govern local administrative privileges so suspicious elevation events have clear ownership and reduced blast radius.
- Maintain allowlists or baselines for legitimate elevated administrative activity to reduce false positives while preserving visibility.
- Document IR procedures for suspected suspicious elevation, including containment, user validation, registry review, and process lineage analysis.
- Use analytic validation results as compliance and audit evidence for monitoring of privileged activity where applicable.
Analyst notes and limits
This object is a detection analytic, not a full ATT&CK technique entry. The strongest operational use is as a coverage test for Windows privilege-related telemetry correlation. The supplied fields support discussion of registry modifications, unusual parent-child processes, unsigned elevated processes, and token/elevation indicators, but do not provide tactic mapping, relationships, or a formal detection block.
No official detection text, tactics, aliases, labels, or relationship context were supplied. The take does not infer active exploitation, adversary attribution, business impact, or guaranteed detection coverage. Local environment baselines and available Windows telemetry determine whether this analytic is practical and reliable.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | dc4cb96c727f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0975
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.