Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1560: Analytic 1560

Processes executing binaries named after legitimate system utilities (e.g., net.exe, findstr.exe, python.exe) from non-standard or application-specific directories, combined with file creation or modification events for such binaries. Defender correlates file writes in vulnerable directories, process execution paths inconsistent with baseline system paths, and abnormal parent-child relationships in process lineage.

EnterpriseAN1560AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting Windows programs that appear to be legitimate utilities by name, but run from unusual or application-specific directories rather than expected system paths. For leaders, the value is not the filename itself; it is whether the organization can prove that endpoint telemetry and SOC logic can distinguish normal administrative tool use from suspicious lookalike execution patterns.

Executive priority

Prioritize this as a control-validation and incident-readiness question for Windows environments: do teams collect enough file-write, process-execution, path, and parent-child process evidence to investigate binaries that imitate trusted utilities? This supports resilience by reducing blind spots around suspicious execution from non-standard locations and provides useful evidence for audit, IR scoping, and managed detection quality reviews.

Technical view

Validate coverage on Windows for processes named after common legitimate utilities, such as net.exe, findstr.exe, or python.exe, when executed outside expected baseline system paths. The supplied analytic emphasizes correlation between file creation or modification of such binaries in vulnerable or unusual directories, execution from inconsistent paths, and abnormal parent-child process lineage. Because no ATT&CK tactic, relationship context, or separate detection logic is supplied, teams should treat this as a detection engineering pattern to tune against local baselines rather than a complete rule.

Likely telemetry

  • Windows process creation events with full executable path and command-line context where available
  • File creation and file modification events for executable binaries
  • Parent-child process lineage
  • Asset or application inventory to identify expected utility locations
  • Baseline data for normal administrative and application-specific execution paths

Detection direction

  • Build or validate logic that compares process names resembling legitimate utilities against expected system or approved application paths.
  • Correlate suspicious execution with prior file creation or modification of the same binary path.
  • Review parent-child process relationships for unusual launch chains relative to the host role and normal administration patterns.
  • Tune carefully for legitimate software bundles, developer tools, scripts, and administrative utilities that may include similarly named binaries in application directories.
  • Measure whether current endpoint logging preserves the full path; filename-only detections are likely to create false positives and miss the main analytic value.

Mitigation priorities

  • Establish and maintain a baseline of approved Windows system and application utility paths.
  • Ensure endpoint logging captures process execution, file writes, and process lineage at sufficient fidelity for investigation.
  • Harden write permissions on directories where executable placement is not expected, especially where local users or applications can write binaries.
  • Use application control or allowlisting where appropriate to reduce execution from untrusted or non-standard locations.
  • Include this pattern in SOC triage playbooks so analysts verify path, file-write history, signer or provenance where available, and parent process context before escalating.
Analyst notes and limits

The official object is a detection analytic, not a technique, and no relationship context is supplied. Its main decision value is to test whether defenders can correlate suspicious filename/path combinations with file-write activity and process lineage on Windows endpoints.

The object provides no official detection field, no ATT&CK tactics, no related techniques or software, and no evidence of active exploitation or attribution. Local baselines are required to define which paths and parent-child relationships are abnormal.

Official MITRE ATT&CK definition

Analytic 1560

Processes executing binaries named after legitimate system utilities (e.g., net.exe, findstr.exe, python.exe) from non-standard or application-specific directories, combined with file creation or modification events for such binaries. Defender correlates file writes in vulnerable directories, process execution paths inconsistent with baseline system paths, and abnormal parent-child relationships in process lineage.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
53792721bfb3d2a4...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 53792721bfb3…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1560
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use