AN1032: Analytic 1032

Correlation of Registry key creation/modification events under known Run/Startup keys with new or unusual binary paths or script-based payloads. Multi-event detection includes registry modification followed by process execution from non-standard directories or abnormal parent-child process relationships.

EnterpriseAN1032AnalyticObject v1.0 Modified Nov 12, 2025, 22:03 UTC (UTC+00:00)

Analytic 1032 is about finding Windows systems where Run or Startup registry locations are changed to point to new, unusual, or script-based payloads, especially when that change is followed by suspicious process execution. For leaders, the value is not just detecting a registry edit; it is validating whether the organization can spot unauthorized startup behavior before it becomes a recurring foothold that complicates incident containment and recovery.

Executive priority

Prioritize this analytic as a Windows endpoint resilience and incident-readiness control. It helps answer whether SOC and IR teams can prove visibility into autorun-related registry changes, correlate those changes with later process execution, and distinguish expected software behavior from abnormal startup entries. This is useful for control assurance, audit evidence around endpoint monitoring, and decisions about endpoint detection coverage and response playbooks.

Technical view

SOC and detection teams should validate collection and correlation for Windows registry key creation or modification events under known Run/Startup keys, then link those events to subsequent process execution. The strongest validation is multi-event: a registry modification involving a new or unusual binary path or script-based payload, followed by execution from a non-standard directory or an abnormal parent-child process relationship. Because the supplied ATT&CK object provides no tactic field and no standalone detection logic, local baselining is required to define what is unusual in the environment.

Likely telemetry

Windows registry key creation events for known Run/Startup locations
Windows registry key modification events for known Run/Startup locations
Process creation telemetry following the registry change
Process image path and command-line metadata where available
Parent-child process relationship data

Detection direction

Confirm that registry creation and modification events for Run/Startup keys are actually collected from Windows endpoints.
Correlate registry changes with later process execution rather than alerting only on single registry writes.
Tune for new or unusual binary paths, script-based payloads, execution from non-standard directories, and abnormal parent-child process relationships.
Establish allowlists or baselines for legitimate software installers, endpoint agents, updaters, and enterprise management tools that commonly modify startup locations.
Validate alert fidelity with local environment data because the ATT&CK object does not provide explicit detection logic, thresholds, timing windows, or false-positive guidance.

Mitigation priorities

Ensure Windows endpoint monitoring captures registry and process activity needed for correlation.
Harden and govern software installation and startup-entry management so expected changes are explainable.
Use least-privilege and change-control practices to reduce unauthorized modification of startup locations where operationally feasible.
Prepare IR triage steps to review the registry value, referenced path, payload type, parent process, and subsequent execution chain.
Maintain baselines of approved startup entries and known enterprise tools to support faster SOC decisions.

Analyst notes and limits

This take is based only on the supplied ATT&CK analytic fields. The object is a detection analytic for Windows and describes correlation of Run/Startup registry changes with unusual paths, script payloads, and process execution context. No relationships, tactic mapping, explicit detection content, or related techniques were supplied, so the guidance is framed as validation and control direction rather than a claim of coverage.

The official detection field is not provided, and no relationship context is supplied. ATT&CK does not provide environment-specific definitions for unusual paths, non-standard directories, abnormal parent-child relationships, or correlation windows in the supplied data. Teams must validate telemetry availability, baselines, and tuning in their own Windows environment.

Official MITRE ATT&CK definition

Analytic 1032

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Nov 12, 2025, 22:03 UTC (UTC+00:00)
Raw hash: 777d0d0a058702c3...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Nov 12, 2025, 22:03 UTC (UTC+00:00)	Current bundle	`777d0d0a0587…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN1032
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use