AN0061: Analytic 0061
Adversary disables or stops critical services (e.g., Exchange, SQL, AV, endpoint monitoring) using native utilities or API calls, often preceding destructive actions (T1485, T1486). Behavioral chain: Elevated execution context + stop-service or sc.exe or ChangeServiceConfigW + terminated or disabled service + possible follow-up file manipulation.
Analyst context for executives and security teams
This analytic focuses on a high-risk Windows behavior: an adversary stopping or disabling critical services such as Exchange, SQL, antivirus, or endpoint monitoring, often before destructive activity like data destruction or encryption. For leaders, the practical issue is operational resilience: if business-critical or security services can be stopped without rapid detection and response, outages and incident impact can escalate quickly.
Executive priority
Prioritize this as a control-validation and incident-readiness question: do teams know which Windows services are critical to business operations and security visibility, and can they detect when those services are stopped or disabled by elevated activity? This behavior is especially relevant to continuity planning, ransomware/destructive-action readiness, SOC escalation quality, and audit evidence around endpoint protection and monitoring controls.
Technical view
For SOC, detection engineering, and IR teams, validate monitoring for Windows service stop or disable events involving critical business and security services. The ATT&CK description highlights elevated execution context, use of native utilities such as stop-service or sc.exe, API activity such as ChangeServiceConfigW, service termination or disablement, and possible follow-up file manipulation. Because no official detection logic is supplied, teams should build and test environment-specific analytics around service control activity, privilege context, process lineage, and subsequent file operations on affected hosts.
Likely telemetry
- Windows service control events showing service stop, disable, or configuration changes
- Process execution telemetry for native service-management utilities such as sc.exe and PowerShell stop-service usage
- Endpoint telemetry indicating elevated execution context
- API or EDR telemetry related to service configuration changes such as ChangeServiceConfigW where available
- Service state and startup-type change records for critical applications and security tools
Detection direction
- Create an approved inventory of critical Windows services, including business platforms such as Exchange or SQL and security services such as AV or endpoint monitoring, then alert on unauthorized stop or disable actions.
- Correlate service-control activity with elevated user or process context, parent-child process relationships, and whether native utilities were used.
- Tune for legitimate administrative maintenance to reduce false positives, but require strong change context for disabling security monitoring or critical application services.
- Look for behavioral chains rather than single events: elevated execution followed by service stop or configuration change, then service termination and possible file manipulation.
- Validate whether endpoint and logging controls still generate telemetry when security services are stopped, since this is a common visibility blind spot.
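One way to implement the chain-oriented correlation these points describe, as an added example that is not part of the ATT&CK object or of Glexia's analysis: it groups normalized telemetry per host and critical service, marks the three stages of the behavioral chain (elevated service control, service stopped or disabled, follow-up file manipulation), and raises severity as stages accumulate. The event field names, the service inventory and the sample records are assumptions constructed for this example, not a real log schema.

```python
"""AN0061 chain correlation over constructed telemetry (field names and inventory are assumptions)."""
import re
from collections import defaultdict

CRITICAL_SERVICES = {"msexchangeis", "mssqlserver", "windefend", "sense"}  # example inventory, tune locally

SERVICE_CMD = re.compile(  # native utilities named on the page: sc.exe, PowerShell Stop-Service / Set-Service
    r"sc(?:\.exe)?\s+(?:stop|config|delete)\s+(\S+)"
    r"|(?:Stop-Service|Set-Service)\s+(?:-Name\s+)?['\"]?([\w.$-]+)", re.I)

def service_from_cmdline(cmdline):
    m = SERVICE_CMD.search(cmdline or "")
    return (m.group(1) or m.group(2)).lower() if m else None

def correlate(events, window=600):
    """Per (host, service): elevated service control -> stopped/disabled -> file follow-up within window."""
    chains = defaultdict(lambda: {"stages": set(), "first": None})
    file_ops = defaultdict(list)  # host -> timestamps of file-manipulation events
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, kind = ev["host"], ev["kind"]
        if kind == "file_manipulation":
            file_ops[host].append(ev["ts"])
            continue
        svc = (ev.get("service") or service_from_cmdline(ev.get("cmdline")) or "").lower()
        if svc not in CRITICAL_SERVICES:
            continue  # out of scope for this analytic; tune the inventory rather than this check
        c = chains[(host, svc)]
        c["first"] = ev["ts"] if c["first"] is None else c["first"]
        if kind in ("process", "api_call") and ev.get("elevated"):  # sc.exe/Stop-Service/ChangeServiceConfigW
            c["stages"].add("elevated_service_control")
        elif kind == "service_state" and ev.get("state") in ("stopped", "disabled"):
            c["stages"].add("service_stopped_or_disabled")
    alerts = []
    for (host, svc), c in chains.items():
        if "service_stopped_or_disabled" not in c["stages"]:
            continue  # control attempt without effect: worth hunting, but not this alert
        if any(c["first"] <= t <= c["first"] + window for t in file_ops[host]):
            c["stages"].add("follow_up_file_manipulation")
        alerts.append({"host": host, "service": svc, "stages": sorted(c["stages"]),
                       "severity": "high" if len(c["stages"]) >= 2 else "medium"})
    return alerts

SAMPLE_EVENTS = [  # constructed telemetry; ts = epoch seconds
    {"ts": 100, "host": "mail01", "kind": "process", "elevated": True, "cmdline": "sc.exe config WinDefend start= disabled"},
    {"ts": 105, "host": "mail01", "kind": "service_state", "service": "WinDefend", "state": "disabled"},
    {"ts": 110, "host": "mail01", "kind": "api_call", "elevated": True, "service": "MSExchangeIS", "api": "ChangeServiceConfigW"},
    {"ts": 112, "host": "mail01", "kind": "service_state", "service": "MSExchangeIS", "state": "stopped"},
    {"ts": 300, "host": "mail01", "kind": "file_manipulation", "path": "E:\\db\\mailbox.edb.locked"},
    {"ts": 500, "host": "ws07", "kind": "service_state", "service": "Spooler", "state": "stopped"},
]
```

The Spooler record shows the inventory gate at work: a stopped non-critical service produces no alert, while a lone stop of a critical service still surfaces at medium severity even without an observed elevated control event.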
Mitigation priorities
- Define and maintain ownership for critical Windows services and expected administrative maintenance paths.
- Restrict who can stop, disable, or reconfigure critical business and security services using least privilege and administrative control processes.
- Harden endpoint protection and monitoring services against unauthorized tampering where supported by existing controls.
- Ensure SOC runbooks treat unexpected stoppage of security or business-critical services as a high-priority triage condition, especially when followed by file manipulation.
- Test incident response procedures for rapid restoration of stopped services and preservation of host evidence.
Analyst notes and limits
This object is a detection analytic, not a technique entry. It provides a Windows platform scope and a behavioral description but no tactics, no formal detection text, and no relationship context. The strongest defensive value is in validating whether service-control activity against critical services is visible, authorized, and rapidly investigated.
The supplied ATT&CK fields do not include active exploitation details, attribution, related groups/software, specific data sources, or official detection logic. Local service inventories, administrative workflows, EDR capabilities, and logging configurations are required to turn this into reliable production detection.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c7c859ce44d9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0061 (open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.