MITRE ATT&CK® Analytic

AN1344: Analytic 1344

Behavioral chain: (1) a login from a third-party account or untrusted source network establishes an interactive/remote session; (2) the session acquires elevated privileges or accesses sensitive resources atypical for that account; (3) subsequent lateral movement or data access occurs from the same session/device. Correlate Windows logon events, token elevation/privileged use, and resource access with third-party context.

Enterprise | AN1344 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Analytic 1344 is a Windows-focused detection analytic for a risky behavioral chain: a third-party or otherwise untrusted login creates an interactive or remote session, that same session reaches elevated privileges or sensitive resources unusual for the account, and then lateral movement or data access follows from the same device or session. For leaders, the value is not a single alert; it is validating whether the organization can connect identity context, privilege use, and resource access quickly enough to recognize potentially dangerous third-party activity before it becomes a broader incident.

Executive priority

Prioritize this analytic where third-party access, remote administration, privileged accounts, or sensitive Windows resources are business-critical. It supports incident decision-making by asking: can we prove who logged in, from where, what privilege they obtained, and what they accessed next? It is also relevant to audit and compliance evidence because it depends on demonstrating that privileged third-party activity is monitored with sufficient context, not only that authentication logs exist.

Technical view

SOC and detection teams should validate correlation across Windows logon events, token elevation or privileged-use evidence, sensitive resource access, and subsequent lateral movement or data access from the same session or device. Because no ATT&CK tactic or relationship context is supplied, implementation should stay behavior-chain driven rather than mapped to a specific intrusion phase. Detection quality will depend on whether third-party account identity, trusted versus untrusted network context, session identifiers, device identity, and privileged access patterns are normalized and available for correlation.

Likely telemetry

  • Windows interactive and remote logon events
  • Windows session and device identifiers that allow activity to be tied to the same session or endpoint
  • Privilege elevation, token elevation, or privileged-use events
  • Sensitive resource access events
  • Evidence of lateral movement or data access from the same session/device

Detection direction

  • Validate that authentication, privilege-use, and resource-access telemetry can be correlated by account, device, source network, and session where available.
  • Baseline normal third-party account behavior so that sensitive resource access or privilege use can be identified as atypical for that account.
  • Tune for false positives from approved vendor support, maintenance windows, administrative jump hosts, and documented remote access workflows.
  • Look for blind spots where third-party identity context is missing, source networks are not classified, or Windows logs do not preserve enough session detail to connect the chain.
  • Escalate higher when the same session/device shows login from an untrusted or third-party context, elevated privilege or sensitive access, and follow-on lateral movement or data access.
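The correlation that the technical view and the detection direction above describe, as an added example that is not part of the Glexia page or the ATT&CK object: constructed Windows Security events are grouped by host and logon ID, and a session is flagged only when all three steps of the chain are present. The event IDs used (4624, 4672, 4663, 4648) are a chosen mapping, and the third-party account list, trusted network ranges, sensitive paths and per-account baseline are placeholder local enrichment, all assumptions rather than page content.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Constructed sample records shaped like Windows Security events (not real logs).
# 4624 logon, 4672 special privileges assigned, 4663 object access, 4648 explicit-credential logon.
EVENTS = [
    {"event_id": 4624, "host": "FS01", "user": "vendor-svc", "logon_type": 10, "src_ip": "203.0.113.7", "logon_id": "0x3e7a1"},
    {"event_id": 4672, "host": "FS01", "user": "vendor-svc", "logon_id": "0x3e7a1"},
    {"event_id": 4663, "host": "FS01", "user": "vendor-svc", "logon_id": "0x3e7a1", "object": r"\\FS01\Finance\payroll.xlsx"},
    {"event_id": 4648, "host": "FS01", "user": "vendor-svc", "logon_id": "0x3e7a1", "target_host": "DC01"},
    # Internal admin from the corporate network: elevated, but trusted and no follow-on activity.
    {"event_id": 4624, "host": "FS01", "user": "it-admin", "logon_type": 10, "src_ip": "10.0.5.20", "logon_id": "0x41b00"},
    {"event_id": 4672, "host": "FS01", "user": "it-admin", "logon_id": "0x41b00"},
]

# Local enrichment the analytic depends on (constructed placeholder values).
THIRD_PARTY_ACCOUNTS = {"vendor-svc"}
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]
SENSITIVE_PATHS = (r"\\FS01\Finance",)
EXPECTED_PATHS = {"vendor-svc": (r"\\FS01\VendorDrop",)}  # per-account access baseline
INTERACTIVE_TYPES = {2, 10, 11}  # console, RDP, cached interactive

def untrusted_source(ip):
    return not any(ip_address(ip) in net for net in TRUSTED_NETWORKS)

def atypical_sensitive(user, path):
    return path.startswith(SENSITIVE_PATHS) and not path.startswith(EXPECTED_PATHS.get(user, ()))

def correlate(events):
    # Evidence for steps 1-3 is keyed by (host, logon_id), the Windows session identifier.
    sessions = defaultdict(lambda: {"login": None, "elevated": False, "sensitive": [], "followon": []})
    for e in events:
        s = sessions[(e["host"], e["logon_id"])]
        if e["event_id"] == 4624 and e["logon_type"] in INTERACTIVE_TYPES:
            s["login"] = e
        elif e["event_id"] == 4672:
            s["elevated"] = True
        elif e["event_id"] == 4663 and atypical_sensitive(e["user"], e["object"]):
            s["sensitive"].append(e["object"])
        elif e["event_id"] == 4648:
            s["followon"].append(e["target_host"])
    alerts = []
    for (host, logon_id), s in sessions.items():
        login = s["login"]
        if not login:
            continue
        untrusted = login["user"] in THIRD_PARTY_ACCOUNTS or untrusted_source(login["src_ip"])
        if untrusted and (s["elevated"] or s["sensitive"]) and s["followon"]:
            alerts.append({"host": host, "logon_id": logon_id, "user": login["user"],
                           "sensitive": s["sensitive"], "followon": s["followon"]})
    return alerts
```

The trusted internal session is elevated but produces no alert because it neither comes from a third-party context nor shows follow-on movement, which is the false-positive tuning the list above calls for.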

Mitigation priorities

  • Inventory third-party accounts and define expected access paths, source networks, and permitted resources.
  • Limit third-party privileges to documented business need and review access to sensitive resources.
  • Ensure Windows authentication, privilege-use, and resource-access logging is enabled and retained long enough for incident reconstruction.
  • Require operational processes that distinguish approved third-party remote sessions from anomalous ones.
  • Use incident response playbooks that rapidly verify the session owner, access purpose, privilege use, and downstream resource access before containment decisions.

Analyst notes and limits

The official object provides a behavioral chain but no separate official detection text and no relationship context. Treat this as a correlation analytic requiring local enrichment: third-party account classification, trusted network definitions, sensitive resource inventory, and normal access baselines.

Coverage cannot be assumed from the ATT&CK object alone. The supplied fields only support Windows as the platform and do not specify tactics, related techniques, adversaries, software, or active exploitation. Local logging, identity governance, and network context determine whether this analytic is feasible and reliable.

Official MITRE ATT&CK definition

Analytic 1344

Behavioral chain: (1) a login from a third-party account or untrusted source network establishes an interactive/remote session; (2) the session acquires elevated privileges or accesses sensitive resources atypical for that account; (3) subsequent lateral movement or data access occurs from the same session/device. Correlate Windows logon events, token elevation/privileged use, and resource access with third-party context.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: ce0706fc61ab67d5...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | ce0706fc61ab…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: AN1344 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.