M1047: Audit
Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements. The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures.
Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as, healthcare, finance and government where compliance requirements demand stringent tracking of user and system activates.This mitigation can be implemented through the following measures:
System Audit:
- Use Case: Regularly assess system configurations to ensure compliance with organizational security policies. - Implementation: Use tools to scan for deviations from established benchmarks.
Permission Audits:
- Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation. - Implementation: Run access reviews to identify users or groups with excessive permissions.
Software Audits:
- Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector. - Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.
Configuration Audits:
- Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA). - Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.
Network Audits:
- Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections. - Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.
Analyst context for executives and security teams
Audit is a broad but business-critical mitigation: it turns system, identity, software, configuration, network, email, cloud, and even physical access activity into reviewable evidence. Its value is not that logging exists, but that the organization can systematically find weak configurations, excessive permissions, outdated software, suspicious remote access, unauthorized forwarding rules, unexpected scheduled jobs, and other conditions that make incidents harder to contain or prove.
Executive priority
Leaders should treat auditing as a resilience and accountability control, not only a compliance checkbox. MITRE explicitly ties auditing to anomaly detection, weakness identification, and compliance requirements, with higher importance in regulated sectors such as healthcare, finance, and government. Priority questions include: which business-critical systems are actually audited, who reviews the results, how quickly exceptions are corrected, and whether audit evidence would support incident response, access reviews, vulnerability prioritization, and regulatory reporting.
Technical view
For SOC, detection engineering, IR, and control owners, validate that audit scope covers the ATT&CK relationship context: remote services and RDP/VNC lateral movement, scheduled task and cron persistence, command and scripting execution, obfuscated or masqueraded artifacts, cloud account discovery, mailbox changes and forwarding rules, software/browser/IDE extensions, insecure images, and unusual network communications. Because the MITRE object has no official detection text and no specific platform field, teams should map audit requirements to their own Windows, Linux, macOS, cloud/IaaS, identity provider, Office/SaaS, container, ESXi, network device, and physical-access environments where applicable from the related techniques and the official description.
Likely telemetry
- System configuration and benchmark scan results, including deviations from approved baselines
- Permission and access review records for files, folders, groups, privileged roles, and cloud or identity accounts
- Software inventory, version, support status, and vulnerability scan results
- Configuration audit evidence for security settings such as MFA enablement and disabled insecure services such as SMBv1 where applicable
- Remote access and remote service logs, including RDP, SSH, VNC, and other service authentication records
Detection direction
- First confirm audit coverage, retention, and review ownership before writing detections; missing or unreviewed logs are the main blind spot for this mitigation.
- Tune audits around changes and deviations: new or modified remote access paths, excessive permissions, new accounts with lookalike names, new scheduled jobs, new forwarding rules, unsupported software, and configuration drift from approved baselines.
- Correlate identity, endpoint, cloud, email, and network evidence for related behaviors such as valid-account remote services, mailbox collection, command execution, and persistence through scheduled jobs or extensions.
- Account for false positives from administrators, support tools, automation, software updates, and legitimate remote work; require baselines and documented exceptions so audits do not become noise.
- For compliance readiness, preserve evidence of both audit execution and remediation decisions, not just raw logs or scanner output.
Mitigation priorities
- Define audit scope around critical assets, regulated systems, privileged identities, remote access services, email platforms, cloud resources, and high-risk network paths.
- Establish secure configuration and permission baselines, then automate scanning for drift where practical.
- Perform recurring access and permission audits to identify excessive rights and reduce privilege-escalation and unauthorized-access risk.
- Maintain software and image inventories to find outdated, unsupported, insecure, or unapproved components.
- Review network traffic, firewall rules, and endpoint communications for unauthorized or insecure connections.
Analyst notes and limits
This is a course-of-action object, so the value is in governance and validation rather than a single detection analytic. The relationship context shows auditing supports mitigation across lateral movement, execution, persistence, stealth, discovery, command-and-control, and collection behaviors. Glexia would use this to assess whether audit practices produce actionable evidence for SOC operations, incident response, identity governance, cloud security, vulnerability management, and compliance programs.
MITRE provides no official detection field for M1047 and no platform list on the mitigation itself. Platform and tactic relevance is inferred only from the supplied related ATT&CK techniques. Local asset inventory, logging architecture, regulatory obligations, and business-critical process mapping are required to determine actual coverage and priority.
Audit
Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements. The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures.
Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as, healthcare, finance and government where compliance requirements demand stringent tracking of user and system activates.This mitigation can be implemented through the following measures:
System Audit:
- Use Case: Regularly assess system configurations to ensure compliance with organizational security policies. - Implementation: Use tools to scan for deviations from established benchmarks.
Permission Audits:
- Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation. - Implementation: Run access reviews to identify users or groups with excessive permissions.
Software Audits:
- Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector. - Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.
Configuration Audits:
- Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA). - Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.
Network Audits:
- Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections. - Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1484 | Domain or Tenant Policy Modification | Identify and correct GPO permissions abuse opportunities (ex: GPO modification privileges) using auditing tools such as BloodHound (version 1.5.1 and later)CitationGitHub Bloodhound. |
| Enterprise | T1059.006 | Python Sub-technique | Inventory systems for unauthorized Python installations. |
| Enterprise | T1036 | Masquerading | Audit user accounts to ensure that each one has a defined purpose. |
| Enterprise | T1482 | Domain Trust Discovery | Map the trusts within existing domains/forests and keep trust relationships to a minimum. |
| Enterprise | T1053.003 | Cron Sub-technique | Review changes to the |
| Enterprise | T1574.005 | Executable Installer File Permissions Weakness Sub-technique | Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses.CitationPowersploit |
| Enterprise | T1505.005 | Terminal Services DLL Sub-technique | Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made. |
| Enterprise | T1686.001 | Cloud Firewall Sub-technique | Routinely check account role permissions to ensure only expected users and roles have permission to modify cloud firewalls. |
| Enterprise | T1176.001 | Browser Extensions Sub-technique | Ensure extensions that are installed are the intended ones, as many malicious extensions will masquerade as legitimate ones. |
| Enterprise | T1505 | Server Software Component | Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made. |
| Enterprise | T1542 | Pre-OS Boot | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
| Enterprise | T1566 | Phishing | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
| Enterprise | T1484.001 | Group Policy Modification Sub-technique | Identify and correct GPO permissions abuse opportunities (ex: GPO modification privileges) using auditing tools such as BloodHound (version 1.5.1 and later).CitationGitHub Bloodhound |
| Enterprise | T1539 | Steal Web Session Cookie | Implement auditing for authentication activities and user logins to detect the use of stolen session cookies. Monitor for impossible travel scenarios and anomalous behavior that could indicate the use of compromised session tokens or cookies. |
| Enterprise | T1505.001 | SQL Stored Procedures Sub-technique | Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made. |
| Enterprise | T1564.006 | Run Virtual Instance Sub-technique | Periodically audit virtual machines for abnormalities. On ESXi servers, periodically compare the output of `vim-cmd vmsvc/getallvms`, which lists all VMs in vCenter, and `escxli vm process list | grep Display`, which lists all VMs hosted on ESXi.CitationMITRE VMware Abuse 2024 |
| Enterprise | T1686 | Disable or Modify System Firewall | Routinely check account role permissions to ensure only expected users and roles have permission to modify system firewalls. |
| Enterprise | T1686.002 | Network Device Firewall Sub-technique | Routinely check account role permissions to ensure only expected users and roles have permission to modify system firewalls. |
| Enterprise | T1574.009 | Path Interception by Unquoted Path Sub-technique | Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate. Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.CitationMicrosoft CreateProcessCitationMicrosoft Dynamic-Link Library SecurityCitationVulnerability and Exploit Detector |
| Enterprise | T1685.001 | Disable or Modify Windows Event Log Sub-technique | Consider periodic review of |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | Audit the Remote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups. |
| Enterprise | T1564.008 | Email Hiding Rules Sub-technique | Enterprise email solutions may have monitoring mechanisms that may include the ability to audit inbox rules on a regular basis. In an Exchange environment, Administrators can use `Get-InboxRule` / `Remove-InboxRule` and `Get-TransportRule` / `Remove-TransportRule` to discover and remove potentially malicious inbox and transport rules.CitationMicrosoft Get-InboxRuleCitationMicrosoft Manage Mail Flow Rules 2023 |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.CitationGithub UACMe |
| Enterprise | T1558.004 | AS-REP Roasting Sub-technique | Kerberos preauthentication is enabled by default. Older protocols might not support preauthentication therefore it is possible to have this setting disabled. Make sure that all accounts have preauthentication whenever possible and audit changes to setting. Windows tools such as PowerShell may be used to easily find which accounts have preauthentication disabled. CitationMicrosoft Preauthentication Jul 2012CitationStealthbits Cracking AS-REP Roasting Jun 2019 |
| Enterprise | T1027.011 | Fileless Storage Sub-technique | Consider periodic review of common fileless storage locations (such as the Registry or WMI repository) to potentially identify abnormal and malicious data. |
| Enterprise | T1053.002 | At Sub-technique | Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. CitationPowersploit Windows operating system also creates a registry key specifically associated with the creation of a scheduled task on the destination host at: Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1. CitationSecureworks - AT.exe Scheduled Task In Linux and macOS environments, scheduled tasks using |
| Enterprise | T1543.003 | Windows Service Sub-technique | Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them. |
| Enterprise | T1671 | Cloud Application Integration | Periodically review SaaS integrations for unapproved or potentially malicious applications. |
| Enterprise | T1550 | Use Alternate Authentication Material | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
| Enterprise | T1552.006 | Group Policy Preferences Sub-technique | Search SYSVOL for any existing GGPs that may contain credentials and remove them.CitationADSecurity Finding Passwords in SYSVOL |
| Enterprise | T1685 | Disable or Modify Tools | Periodically verify that tools are functioning appropriately – for example, that all expected hosts with EDRs or monitoring agents are checking in to the central console. Check EDRs to ensure that no unexpected exclusion paths have been added. In Microsoft Defender for Endpoint, exclusions can be reviewed with the `Get-MpPreference` cmdlet.CitationCodeX Microsoft Defender 2021 |
| Enterprise | T1528 | Steal Application Access Token | Administrators should audit all cloud and container accounts to ensure that they are necessary and that the permissions granted to them are appropriate. Additionally, administrators should perform an audit of all OAuth applications and the permissions they have been granted to access organizational data. This should be done extensively on all applications in order to establish a baseline, followed up on with periodic audits of new or updated applications. Suspicious applications should be investigated and removed. |
| Enterprise | T1574 | Hijack Execution Flow | Use auditing tools capable of detecting hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for hijacking weaknesses.CitationPowersploit Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software. Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate. Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.CitationMicrosoft CreateProcessCitationMicrosoft Dynamic-Link Library SecurityCitationVulnerability and Exploit Detector |
| Enterprise | T1610 | Deploy Container | Scan images before deployment, and block those that are not in compliance with security policies. In Kubernetes environments, the admission controller can be used to validate images after a container deployment request is authenticated but before the container is deployed.CitationKubernetes Hardening Guide |
| Enterprise | T1606.001 | Web Cookies Sub-technique | Administrators should perform an audit of all access lists and the permissions they have been granted to access web applications and services. This should be done extensively on all resources in order to establish a baseline, followed up on with periodic audits of new or updated resources. Suspicious accounts/credentials should be investigated and removed. |
| Enterprise | T1213.001 | Confluence Sub-technique | Consider periodic review of accounts and privileges for critical and sensitive Confluence repositories. |
| Enterprise | T1213.005 | Messaging Applications Sub-technique | Preemptively search through communication services to find inappropriately shared data, and take actions to reduce exposure when found. |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | Audit applications and their permissions to ensure access to data and resources are limited based upon necessity and principle of least privilege. |
| Enterprise | T1546.006 | LC_LOAD_DYLIB Addition Sub-technique | Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn't included as part of an update, it should be investigated. |
| Enterprise | T1564 | Hide Artifacts | Periodically audit virtual machines for abnormalities. |
| Enterprise | T1543 | Create or Modify System Process | Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them. |
| Enterprise | T1558.005 | Ccache Files Sub-technique | Enable and perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.CitationBrining MimiKatz to Unix For example, use |
| Enterprise | T1213.002 | Sharepoint Sub-technique | Consider periodic review of accounts and privileges for critical and sensitive SharePoint repositories. |
| Enterprise | T1556.008 | Network Provider DLL Sub-technique | Periodically review for new and unknown network provider DLLs within the Registry (`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ Ensure only valid network provider DLLs are registered. The name of these can be found in the Registry key at `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order`, and have corresponding service subkey pointing to a DLL at `HKEY_LOCAL_MACHINE\SYSTEM\CurrentC ontrolSet\Services\ |
| Enterprise | T1563.002 | RDP Hijacking Sub-technique | Audit the Remote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups. |
| Enterprise | T1021 | Remote Services | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
| Enterprise | T1578.001 | Create Snapshot Sub-technique | Routinely check user permissions to ensure only the expected users have the capability to create snapshots and backups. |
| Enterprise | T1021.005 | VNC Sub-technique | Inventory workstations for unauthorized VNC server software. |
| Enterprise | T1176.002 | IDE Extensions Sub-technique | Ensure extensions that are installed are the intended ones, as many malicious extensions may masquerade as legitimate ones. |
| Enterprise | T1552.008 | Chat Messages Sub-technique | Preemptively search through communication services to find shared unsecured credentials. Searching for common patterns like " |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Enable auditing and monitoring for email attachments and file transfers to detect and investigate suspicious activity. Regularly review logs for anomalies related to attachments containing potentially malicious content, as well as any attempts to execute or interact with these files. This practice helps identify spearphishing attempts before they can lead to further compromise. |
| Enterprise | T1070.008 | Clear Mailbox Data Sub-technique | In an Exchange environment, Administrators can use `Get-TransportRule` / `Remove-TransportRule` to discover and remove potentially malicious transport rules.CitationMicrosoft Manage Mail Flow Rules 2023 |
| Enterprise | T1059.011 | Lua Sub-technique | Inventory systems for unauthorized Lua installations. |
| Enterprise | T1550.001 | Application Access Token Sub-technique | Administrators should audit all cloud and container accounts to ensure that they are necessary and that the permissions granted to them are appropriate. Where possible, the ability to request temporary account tokens on behalf of another accounts should be disabled. Additionally, administrators can leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access. |
| Enterprise | T1684 | Social Engineering | Enables correlation of email/identity/SaaS/endpoint activity that appears legitimate.CitationProofpoint TA427 April 2024CitationUnit 42 Global Incident Response Report 2026 |
| Enterprise | T1606.002 | SAML Tokens Sub-technique | Enable advanced auditing on AD FS. Check the success and failure audit options in the AD FS Management snap-in. Enable Audit Application Generated events on the AD FS farm via Group Policy Object.CitationFireEye ADFS |
| Enterprise | T1095 | Non-Application Layer Protocol | Periodically investigate ESXi hosts for open VMCI ports. Running the `lsof -A` command and inspecting results with a type of `SOCKET_VMCI` will reveal processes that have open VMCI ports.CitationGoogle Cloud Threat Intelligence ESXi Hardening 2023 |
| Enterprise | T1087.004 | Cloud Account Sub-technique | Routinely check user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts. |
| Enterprise | T1556.006 | Multi-Factor Authentication Sub-technique | Review MFA actions alongside authentication logs to ensure that MFA-based logins are functioning as intended. Review user accounts to ensure that all accounts have MFA enabled.CitationMandiant Cloudy Logs 2023 |
| Enterprise | T1578 | Modify Cloud Compute Infrastructure | Routinely monitor user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components. |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | System scans can be performed to identify unauthorized archival utilities. |
| Enterprise | T1548 | Abuse Elevation Control Mechanism | Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.CitationGithub UACMe |
| Enterprise | T1036.012 | Browser Fingerprint Sub-technique | Review and limit the fingerprinting surface to only necessary information on each browser to make the browser less unique. For example, the available fonts may be limited to a standard font list. CitationW3C |
| Enterprise | T1213.003 | Code Repositories Sub-technique | Consider periodic reviews of accounts and privileges for critical and sensitive code repositories. Scan code repositories for exposed credentials or other sensitive information. |
| Enterprise | T1685.004 | Disable or Modify Linux Audit System Log Sub-technique | Routinely check account role permissions to ensure only expected users and roles have permission to modify logging settings. To ensure Audit rules can not be modified at runtime, add the `auditctl -e 2` as the last command in the audit.rules files. Once started, any attempt to change the configuration in this mode will be audited and denied. The configuration can only be changed by rebooting the machine. |
| Enterprise | T1578.005 | Modify Cloud Compute Configurations Sub-technique | Routinely monitor user permissions to ensure only the expected users have the capability to request quota adjustments or modify tenant-level compute settings. |
| Enterprise | T1566.003 | Spearphishing via Service Sub-technique | Implement auditing and logging for interactions with third-party messaging services or collaboration platforms. Monitor user activity and review logs for signs of suspicious links, downloads, or file exchanges that could indicate spearphishing attempts. Effective auditing allows for the quick identification of malicious activity originating from compromised service accounts. |
| Enterprise | T1552.002 | Credentials in Registry Sub-technique | Proactively search for credentials within the Registry and attempt to remediate the risk. |
| Enterprise | T1053 | Scheduled Task/Job | Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. CitationPowersploit |
| Enterprise | T1574.010 | Services File Permissions Weakness Sub-technique | Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses.CitationPowersploit |
| Enterprise | T1560 | Archive Collected Data | System scans can be performed to identify unauthorized archival utilities. |
| Enterprise | T1027 | Obfuscated Files or Information | Consider periodic review of common fileless storage locations (such as the Registry or WMI repository) to potentially identify abnormal and malicious data. |
| Enterprise | T1505.004 | IIS Components Sub-technique | Regularly check installed IIS components to verify the integrity of the web server and identify if unexpected changes have been made. |
| Enterprise | T1176 | Software Extensions | Ensure extensions that are installed are the intended ones, as many malicious extensions may masquerade as legitimate ones. |
| Enterprise | T1213.004 | Customer Relationship Management Software Sub-technique | Consider periodic review of accounts and privileges for critical and sensitive CRM data. |
| Enterprise | T1556.007 | Hybrid Identity Sub-technique | Periodically review the hybrid identity solution in use for any discrepancies. For example, review all PTA agents in the Entra ID Management Portal to identify any unwanted or unapproved ones.CitationMandiant Azure AD Backdoors If ADFS is in use, review DLLs and executable files in the AD FS and Global Assembly Cache directories to ensure that they are signed by Microsoft. Note that in some cases binaries may be catalog-signed, which may cause the file to appear unsigned when viewing file properties.CitationMagicWeb |
| Enterprise | T1552 | Unsecured Credentials | Preemptively search for files containing passwords or other credentials and take actions to reduce the exposure risk when found. |
| Enterprise | T1578.002 | Create Cloud Instance Sub-technique | Routinely check user permissions to ensure only the expected users have the capability to create new instances. |
| Enterprise | T1574.008 | Path Interception by Search Order Hijacking Sub-technique | Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate. Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.CitationMicrosoft CreateProcessCitationMicrosoft Dynamic-Link Library SecurityCitationVulnerability and Exploit Detector |
| Enterprise | T1542.004 | ROMMONkit Sub-technique | Periodically check the integrity of system image to ensure it has not been modified. CitationCisco IOS Software Integrity Assurance - Image File Integrity CitationCisco IOS Software Integrity Assurance - Image File Verification CitationCisco IOS Software Integrity Assurance - Change Control |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.3 | Current bundle | 7c9d679627ea… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack M1047Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.