AN0983: Analytic 0983
Detects processes or binaries executed from trusted directories (e.g., System32) or using trusted names (e.g., svchost.exe) where the metadata, hash, or parent process does not align with legitimate activity patterns.
Analyst context for executives and security teams
This analytic matters because attackers and unwanted software often try to blend into Windows environments by running from trusted locations such as System32 or by using familiar process names such as svchost.exe. The business value is not in the name alone, but in validating whether the organization can distinguish legitimate Windows activity from lookalike execution based on metadata, file hash, and parent-process context.
Executive priority
Prioritize this as a Windows endpoint detection quality check for SOC and incident response readiness. Leaders should ask whether endpoint telemetry can prove when a trusted-looking binary is actually legitimate, whether analysts have enough context to make fast containment decisions, and whether exceptions for administrative tools or software deployment activity are governed and auditable.
Technical view
For Windows environments, validate detections that compare process execution from trusted directories or trusted process names against expected metadata, known-good hashes, and normal parent-child process relationships. Since no ATT&CK tactic or relationship context is supplied, treat this as a general detection analytic rather than a technique-specific control. SOC teams should test whether alerts include file path, image name, signer or metadata details where available, hash, command line, parent process, user context, and host context.
Likely telemetry
- Windows process creation events
- Executable image path and file name
- File hash values
- File metadata or signature-related attributes where collected
- Parent process name and path
Detection direction
- Baseline legitimate Windows processes in trusted directories, especially common system names such as svchost.exe, to reduce noisy alerts.
- Tune for mismatches between trusted-looking names or locations and unexpected metadata, unknown or changed hashes, or abnormal parent processes.
- Validate whether telemetry can distinguish legitimate operating system activity from copied, renamed, or masquerading binaries.
- Review false positives from software deployment tools, administrative scripts, security tools, and patching activity that may execute from trusted paths or spawn unusual process trees.
- Because no official detection logic is provided, convert the analytic into environment-specific rules and test them against known-good Windows behavior before relying on alert volume as a coverage measure.
Mitigation priorities
- Maintain reliable endpoint telemetry for Windows process execution, hashes, metadata, and parent-child relationships.
- Establish known-good baselines for critical Windows directories and common system process names.
- Use controlled software deployment and change-management records to support alert triage and exception handling.
- Investigate trusted-directory or trusted-name mismatches with incident response playbooks that verify file origin, hash reputation or internal allowlisting status, parent process, and host role.
- Periodically audit detection exceptions so masquerading-like behavior is not permanently suppressed.
Analyst notes and limits
This is a detection analytic object, not a technique or procedure description. Its decision value is strongest as a control validation: can defenders tell when a trusted Windows name or path is being abused or is inconsistent with legitimate execution patterns? Local baselines are essential because legitimate Windows and enterprise management activity can create unusual parent-child relationships.
The supplied ATT&CK object provides no tactic, no official detection logic, and no relationship context to techniques, groups, campaigns, or software. The assessment is limited to the Windows platform and the stated analytic description. Local telemetry, baselines, and approved software behavior are required to determine practical coverage and alert fidelity.
Analytic 0983
Detects processes or binaries executed from trusted directories (e.g., System32) or using trusted names (e.g., svchost.exe) where the metadata, hash, or parent process does not align with legitimate activity patterns.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 61bc64893a55… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0983Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.