MITRE ATT&CK® Analytic

AN0045: Analytic 0045

Detects unusual command executions and service modifications that indicate self-patching or disabling of vulnerable services post-compromise. Defenders should monitor for service stop commands, suspicious process termination, and execution of binaries or scripts aligned with known patching or service management tools outside of expected admin contexts.

Domain: Enterprise | Object: AN0045 (Analytic) | Version 1.0 | Modified:
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN0045 is a Windows detection analytic focused on a post-compromise pattern: unusual command execution, service stops, process termination, or service modification that may indicate an intruder is self-patching or disabling vulnerable services after gaining access. For leaders, the value is not just finding a command; it is validating whether the organization can see unexpected service-management activity that may change incident scope, disrupt operations, or remove evidence of the original vulnerable exposure.

Executive priority

Prioritize this analytic where Windows services support critical business operations or where vulnerability remediation evidence is important. Security leaders should ask whether SOC and IR teams can distinguish approved administration from suspicious service changes, whether change-management records can be compared to endpoint activity, and whether incident responders can reconstruct who stopped or modified a service during a compromise investigation.

Technical view

On Windows, validate visibility into command executions, service stop or modification events, suspicious process termination, and execution of binaries or scripts associated with patching or service management outside expected administrative contexts. Because the ATT&CK object provides no tactic mapping, no relationship context, and no detailed detection logic, teams should treat AN0045 as a behavioral validation requirement rather than a ready-to-deploy rule. Tune around approved maintenance windows, privileged admin activity, endpoint management jobs, and vulnerability remediation workflows.

Likely telemetry

  • Windows process creation and command-line execution logs
  • Windows service control and service configuration change events
  • Endpoint telemetry for process termination activity
  • Execution records for binaries or scripts used for patching or service management
  • Identity and administrative context for the user or account performing the action

Detection direction

  • Baseline expected Windows service administration and patch-management behavior by host role, admin group, and maintenance window.
  • Alert or hunt for service stop commands, service modifications, and process termination outside expected administrative contexts.
  • Correlate suspicious service-management activity with recent compromise indicators or vulnerable-service remediation activity when local evidence exists.
  • Reduce false positives by integrating approved change tickets, endpoint management schedules, and known administrator tooling patterns.
  • Check for blind spots where command-line logging, service change logging, or endpoint telemetry is absent or not retained long enough for IR review.
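The hunting steps above, as an added example that is not part of the Glexia page or the MITRE object: it runs service-stop, service-disable and forced-termination patterns over constructed Windows process-creation records (command-line logging enabled) and suppresses only activity that comes from an approved account inside the maintenance window. Account names, host names and the window itself are hypothetical baseline values.

```python
import re
from collections import namedtuple
from datetime import datetime, time
from typing import Optional

# Command patterns the analytic asks defenders to watch: service stop, service disable, forced kill.
PATTERNS = {
    "service_stop": re.compile(r"\b(sc(\.exe)?\s+stop|net(\.exe)?\s+stop|stop-service)\b", re.I),
    "service_disable": re.compile(
        r"\bsc(\.exe)?\s+config\b.*start=\s*disabled|\bset-service\b.*-startuptype\s+disabled", re.I),
    "process_kill": re.compile(r"\btaskkill(\.exe)?\b.*\s/f\b|\bstop-process\b", re.I),
}
# Constructed local baseline (hypothetical): approved service admins and a 01:00-04:00 maintenance window.
APPROVED_ADMINS = {"CORP\\svc_patchmgmt", "CORP\\ops-admin"}
MAINTENANCE_WINDOW = (time(1, 0), time(4, 0))

ProcessEvent = namedtuple("ProcessEvent", "timestamp host user command_line")  # process-creation log fields

def classify(command_line: str) -> Optional[str]:
    """Return the matched behaviour name, or None for commands the analytic ignores."""
    return next((name for name, rx in PATTERNS.items() if rx.search(command_line)), None)

def in_window(ts: datetime) -> bool:
    start, end = MAINTENANCE_WINDOW  # compared in host-local time
    return start <= ts.time() < end

def triage(events) -> list:
    """One finding per matched event whose admin context is not fully approved."""
    findings = []
    for ev in events:
        kind = classify(ev.command_line)
        if kind is None:
            continue
        reasons = []
        if ev.user not in APPROVED_ADMINS:
            reasons.append("unapproved account")
        if not in_window(ev.timestamp):
            reasons.append("outside maintenance window")
        if reasons:  # an approved admin inside the window is treated as routine maintenance
            findings.append({"host": ev.host, "user": ev.user, "kind": kind, "reasons": reasons})
    return findings

# Constructed sample telemetry, not real log data.
SAMPLE_EVENTS = [
    ProcessEvent(datetime(2024, 5, 2, 2, 15), "SRV-APP01", "CORP\\svc_patchmgmt", "net stop W3SVC"),
    ProcessEvent(datetime(2024, 5, 2, 14, 42), "SRV-APP01", "CORP\\jsmith", "sc config RemoteRegistry start= disabled"),
    ProcessEvent(datetime(2024, 5, 2, 14, 43), "SRV-APP01", "CORP\\jsmith", "taskkill /F /IM sqlservr.exe"),
    ProcessEvent(datetime(2024, 5, 2, 2, 30), "SRV-DB02", "CORP\\ops-admin", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ProcessEvent(datetime(2024, 5, 2, 3, 10), "SRV-DB02", "CORP\\contractor1", "powershell -c Stop-Service -Name Spooler"),
]
```

In a real deployment the approved-account set and window would come from change tickets and endpoint-management schedules rather than constants, which is the integration the list above calls for.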

Mitigation priorities

  • Ensure Windows administrative activity around services is governed by least privilege and change-management controls.
  • Require auditable maintenance processes for stopping, modifying, patching, or disabling services.
  • Improve endpoint logging and retention for process execution, command line, service changes, and process termination.
  • Use vulnerability management records and approved remediation workflows to distinguish authorized patching from suspicious post-compromise behavior.
  • Prepare IR playbooks to preserve evidence and assess business impact when critical services are stopped or modified unexpectedly.

Analyst notes and limits

This take is based on the official AN0045 description and its Windows platform scope. The analytic is best used as a control-validation and hunting prompt: can the SOC prove when service management occurred, who initiated it, and whether it aligned with approved administration?

MITRE did not provide formal detection logic, tactics, relationships, aliases, labels, or external context beyond the AN0045 reference. Local environment baselines, administrative processes, and telemetry availability are required to determine severity and detection reliability.

Official MITRE ATT&CK definition

Analytic 0045

Detects unusual command executions and service modifications that indicate self-patching or disabling of vulnerable services post-compromise. Defenders should monitor for service stop commands, suspicious process termination, and execution of binaries or scripts aligned with known patching or service management tools outside of expected admin contexts.

View the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: cae56037e4505243...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | cae56037e450…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0045 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.