AN1440: Analytic 1440
Detects suspicious use of PowerShell, .NET, or script interpreters to spawn processes that mimic UAC prompts, often with credential capture dialogue boxes invoked from non-standard parent processes.
Analyst context for executives and security teams
This analytic matters because fake UAC-style prompts can turn a normal-looking Windows interaction into a credential capture event. For leaders, the key issue is not just PowerShell or scripting activity; it is whether the organization can recognize when trusted-looking elevation prompts are being imitated by unusual parent processes before credentials are exposed.
Executive priority
Prioritize this as an identity and endpoint resilience validation item for Windows environments. Security leaders should ask whether SOC and incident response teams can distinguish legitimate administrative elevation workflows from script-driven prompt impersonation, and whether endpoint telemetry is retained well enough to support credential theft investigations. This also supports audit and compliance evidence around privileged access monitoring, scripting control, and incident readiness.
Technical view
For SOC and detection teams, validate visibility into Windows process creation where PowerShell, .NET execution, or script interpreters spawn processes or draw UI that resembles a UAC or credential prompt. A useful anchor for tuning: the genuine UAC prompt is consent.exe in System32, launched by the Application Information service inside svchost.exe, so an elevation-style dialog produced by any other lineage is worth a look. Because no ATT&CK tactic or formal detection logic is supplied, treat this as a behavior-focused analytic: unusual parent-child process relationships, non-standard parent processes, and prompt-like process activity should be reviewed against known administrative tools and approved automation.
Likely telemetry
- Windows process creation events with parent and child process details
- Command-line arguments for PowerShell, .NET, and script interpreters
- Process image paths and signer or reputation context where available
- User context, logon session, and privilege level associated with the process
- Endpoint detection and response telemetry for script execution and process lineage
Detection direction
- Confirm that process lineage is collected for Windows hosts, especially parent-child relationships involving PowerShell, .NET, and script interpreters.
- Tune for script or interpreter-launched processes that resemble credential or UAC prompt activity from non-standard parents.
- Baseline legitimate administrative automation, helpdesk tools, software deployment activity, and approved scripts to reduce false positives.
- Correlate suspicious prompt-like activity with user context, privilege level, recent logons, and endpoint history before escalation.
- Document blind spots where command-line logging, script block logging, endpoint telemetry, or process lineage is unavailable.
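The following is an added example of the kind of lineage-plus-command-line triage the technical view and the detection direction above describe; it is not MITRE's or Glexia's detection logic, and the page supplies no formal rule. It scores Sysmon Event ID 1-style records (Image, ParentImage, CommandLine, User, IntegrityLevel) against four heuristics: a consent.exe that is not the System32 binary parented by svchost.exe, a script host launched by a parent that has no business spawning one, credential-prompt indicators (Get-Credential, PromptForCredential, the CredUI APIs, WinForms, the "Windows Security" title) on a script host's command line, and a prompt drawn while the console is hidden or the payload is encoded. The indicator lists, the non-standard-parent set, the scores and the threshold are assumptions to be replaced by a local baseline, and the five sample events are constructed.

```python
"""Triage Windows process-creation events for fake UAC / credential-prompt activity.

Added example for this page, not MITRE's or Glexia's detection logic. Field
names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine, User,
IntegrityLevel). Indicator lists, parent sets, scores and threshold are
assumptions to be tuned against a local baseline; sample events are constructed.
"""
import re
from pathlib import PureWindowsPath

# Script hosts (PowerShell engines are .NET-hosted, which covers the ".NET" case here)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}
# Parents that should not be launching interactive credential prompts (assumed set)
NONSTANDARD_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                       "acrord32.exe", "msedge.exe", "chrome.exe"}
# The genuine UAC prompt is consent.exe in System32, started by the Appinfo service in svchost.exe
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")

# Command-line fragments that build a credential or elevation-style dialog (lower-cased regexes)
PROMPT_INDICATORS = [
    r"get-credential",                      # PowerShell cmdlet
    r"promptforcredential",                 # $Host.UI.PromptForCredential
    r"creduipromptforwindowscredentials",   # credui.dll via Add-Type / P/Invoke
    r"creduipromptforcredentials",
    r"system\.windows\.forms",              # hand-built WinForms dialog
    r"windows security",                    # title text the real credential prompt uses
]
# Console-hiding or payload-obscuring switches; admins do not hide the console while asking for creds
HIDDEN_INDICATORS = [r"-w(indowstyle)?\s+hidden", r"-enc(odedcommand)?\s", r"-nop(rofile)?\b"]


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def score_event(evt: dict) -> tuple[int, list[str]]:
    """Return a risk score and the reasons that contributed to it."""
    image, parent = _basename(evt["Image"]), _basename(evt["ParentImage"])
    cmd = evt.get("CommandLine", "").lower()
    score, reasons = 0, []

    # Rule 1: a consent.exe that is not the real binary, or not launched the way the real one is
    if image == "consent.exe":
        if PureWindowsPath(evt["Image"]).parent != SYSTEM32 or parent != "svchost.exe":
            score += 60
            reasons.append(f"consent.exe look-alike or unexpected parent {parent}")

    # Rule 2: a script host started by a parent that should not be spawning one
    if image in SCRIPT_HOSTS and parent in NONSTANDARD_PARENTS:
        score += 30
        reasons.append(f"{image} spawned by non-standard parent {parent}")

    # Rule 3: prompt-building code on the command line of a script host or its child
    hits = [p for p in PROMPT_INDICATORS if re.search(p, cmd)]
    if hits and (image in SCRIPT_HOSTS or parent in SCRIPT_HOSTS):
        score += 25
        reasons.append("credential-prompt indicator(s): " + ", ".join(hits))
        # Rule 4: the prompt is drawn while the console is hidden or the payload is encoded
        if any(re.search(h, cmd) for h in HIDDEN_INDICATORS):
            score += 25
            reasons.append("prompt combined with hidden/encoded execution")
    return score, reasons


def triage(events: list[dict], threshold: int = 50) -> list[dict]:
    """Return events at or above the threshold, highest score first."""
    flagged = []
    for i, evt in enumerate(events):
        score, reasons = score_event(evt)
        if score >= threshold:
            flagged.append({"index": i, "score": score, "user": evt.get("User"), "reasons": reasons})
    return sorted(flagged, key=lambda f: -f["score"])


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {  # 0: genuine UAC prompt, consent.exe from the Appinfo service host
        "Image": r"C:\Windows\System32\consent.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": "consent.exe 1234 456 000001A2B3C4D5E6",
        "User": "NT AUTHORITY\\SYSTEM", "IntegrityLevel": "System"},
    {  # 1: an admin deliberately prompting for credentials in a visible shell
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'powershell.exe -NoExit -Command "$c = Get-Credential; '
                       'Enter-PSSession -ComputerName srv01 -Credential $c"',
        "User": "CORP\\jdoe-admin", "IntegrityLevel": "High"},
    {  # 2: Word launches hidden PowerShell that draws a 'Windows Security' dialog
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": "powershell.exe -nop -w hidden -c \"$c=$Host.UI.PromptForCredential("
                       "'Windows Security','Your session has expired. Please sign in again.',"
                       "$env:USERNAME,''); $c.GetNetworkCredential().Password\"",
        "User": "CORP\\jdoe", "IntegrityLevel": "Medium"},
    {  # 3: script host runs a look-alike consent.exe from a user-writable path
        "Image": r"C:\Users\jdoe\AppData\Local\Temp\consent.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'"C:\Users\jdoe\AppData\Local\Temp\consent.exe"',
        "User": "CORP\\jdoe", "IntegrityLevel": "Medium"},
    {  # 4: routine deployment child of PowerShell, no prompt indicators
        "Image": r"C:\Windows\System32\msiexec.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"msiexec.exe /i C:\deploy\agent.msi /qn",
        "User": "NT AUTHORITY\\SYSTEM", "IntegrityLevel": "System"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

On the sample set only the Word-spawned hidden prompt (score 80) and the Temp-directory consent.exe (score 60) cross the threshold; the administrator's visible Get-Credential scores 25 and stays below it, which is the baseline behaviour the detection direction above asks for. Two limits follow from the telemetry the page lists: a compiled .NET binary that calls CredUI shows nothing on its command line, so Rule 3 misses it unless image signer or reputation context is joined in, and script block logging is needed to see prompt-building code that arrives through -EncodedCommand or a downloaded script rather than the command line.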
Mitigation priorities
- Harden and monitor privileged access workflows so users and administrators know expected elevation paths.
- Restrict unnecessary script interpreter use where operationally feasible and monitor exceptions.
- Improve endpoint logging for process creation, command line, and script execution on Windows systems.
- Review administrative tooling and automation so legitimate prompt-generating activity is known and allowlisted carefully.
- Prepare IR playbooks for suspected credential capture, including user notification, credential reset decisioning, and endpoint containment criteria.
Analyst notes and limits
The supplied object is a detection analytic for Windows focused on suspicious PowerShell, .NET, or script interpreter use to spawn processes that mimic UAC or credential prompts. No tactic, technique relationship, formal detection expression, or relationship context was supplied, so this take emphasizes validation questions and telemetry requirements rather than a specific rule implementation.
This assessment uses only the provided ATT&CK fields and external reference. It does not establish active exploitation, adversary attribution, impact, or guaranteed detection coverage. Local process baselines, endpoint telemetry quality, and approved administrative workflows are required to determine operational severity and tuning.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4d53894ae8b6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1440 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.