AN1428: Analytic 1428
Detects the execution of scripting or command interpreters (e.g., powershell.exe, cmd.exe, wscript.exe) outside expected administrative time windows or from abnormal user contexts, often followed by encoded/obfuscated arguments or secondary execution events.
Analyst context for executives and security teams
AN1428 is a Windows-focused detection analytic for spotting scripting or command interpreters, such as PowerShell, cmd, or Windows Script Host, running at unusual times or under abnormal user contexts, especially when paired with encoded or obfuscated arguments or follow-on process execution. Its business value is in validating whether the SOC can distinguish legitimate administration from suspicious script-driven activity before an incident depends on that evidence.
Executive priority
Prioritize this analytic where Windows administration, help desk activity, automation, or privileged access are material to operations. Leaders should ask whether administrative activity has defined time windows, expected user roles, and auditable exceptions. Without those baselines, this type of detection can generate noise or miss meaningful misuse, weakening incident response decisions, compliance evidence, and confidence in identity and endpoint control coverage.
Technical view
For SOC and detection engineering teams, validate Windows process execution visibility for scripting and command interpreters named in the analytic description, including process name, command line, parent-child relationships, user context, host, timestamp, and subsequent execution events. Because no official detection logic is provided, teams should implement this as behavior-based monitoring against local baselines: unusual execution time, unexpected account or user role, encoded or obfuscated arguments, and secondary process execution following interpreter launch.
Likely telemetry
- Windows process creation events with executable name and full command line
- Parent and child process relationships for interpreter-spawned activity
- User, account, privilege, and logon/session context tied to process execution
- Timestamps mapped to approved administrative or automation windows
- PowerShell, cmd.exe, wscript.exe, and similar interpreter execution records where collected
Detection direction
- Confirm that command-line logging is complete enough to see encoded or obfuscated arguments, not just process names.
- Tune against approved administrative time windows, service accounts, automation jobs, and maintenance activity to reduce false positives.
- Review abnormal user contexts, such as non-admin users, unusual privileged accounts, or accounts operating outside their normal patterns.
- Correlate interpreter execution with parent process and secondary execution events rather than alerting only on interpreter launch.
- Document blind spots where endpoint telemetry, command-line capture, or user context is unavailable on Windows systems.
Mitigation priorities
- Define and maintain expected administrative windows, authorized automation accounts, and approved scripting use cases.
- Apply least-privilege practices so scripting and command interpreter use is limited to accounts and systems that require it.
- Strengthen endpoint logging and retention for process, command-line, user context, and parent-child execution evidence.
- Use change management and exception handling so legitimate off-hours administration is visible to the SOC.
- Periodically review interpreter usage baselines as administrative workflows, automation, and account ownership change.
Analyst notes and limits
This object is a detection analytic, not a technique, and it has no supplied ATT&CK tactics or relationship context. The practical value comes from using the description to test whether local Windows telemetry and administrative baselines can support behavior-based detection for abnormal interpreter execution.
The official detection field is not provided, and no relationships are supplied. This take does not assert active exploitation, attribution, impact, or existing coverage. Local environment baselines are required to determine what is abnormal and how noisy this analytic will be.
Analytic 1428
Detects the execution of scripting or command interpreters (e.g., powershell.exe, cmd.exe, wscript.exe) outside expected administrative time windows or from abnormal user contexts, often followed by encoded/obfuscated arguments or secondary execution events.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 0b036e6b7a8d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1428Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.