AN0868: Analytic 0868
Detection of inconsistencies between reported sensor health and actual process/service state. For example, Windows Defender tray icon/UI showing healthy status while corresponding Defender services (WinDefend, MsMpEng) are stopped or disabled. Correlates process creation events with missing or terminated security processes and spoofed health events.
Analyst context for executives and security teams
This analytic matters because it focuses on a common defensive blind spot: a security tool can appear healthy in the user interface or health reporting while the underlying Windows service or process is stopped, disabled, missing, or inconsistent. For leaders, the value is not just detecting a stopped process; it is validating whether endpoint protection health signals are trustworthy enough for incident decisions, audit evidence, and operational resilience.
Executive priority
Prioritize this as a control assurance and SOC readiness check for Windows environments. Executives and risk owners should ask whether endpoint security health dashboards are independently validated against host-level process and service evidence, especially before relying on them for compliance reporting, breach containment decisions, or incident severity reduction. Budget and control decisions should favor telemetry correlation over single-source health status reporting.
Technical view
For SOC, detection engineering, and IR teams, validate whether Windows telemetry can correlate reported sensor or security-product health with actual process and service state. The supplied analytic specifically references inconsistencies such as the Windows Defender tray icon or UI reporting healthy status while the Defender service (WinDefend) or its antimalware engine process (MsMpEng) is stopped or disabled. Detection logic should compare health/status events against service state, process creation or termination evidence, and the absence of expected security processes. No ATT&CK tactic or related technique context was supplied, so implementation should be treated as a detection analytic for endpoint control integrity rather than mapped to a broader intrusion pattern from the provided data alone.
Likely telemetry
- Windows service state and service configuration events
- Windows process creation and process termination events
- Endpoint security or sensor health/status events
- Evidence of expected security processes being absent, stopped, or disabled
- Windows Defender-related process/service observations where applicable, including WinDefend and MsMpEng
Detection direction
- Validate that health-status events are not trusted in isolation; correlate them with actual service and process state.
- Tune for inconsistencies where a security product reports healthy while expected services or processes are stopped, disabled, terminated, or missing.
- Account for legitimate administrative maintenance, product upgrades, policy changes, troubleshooting, or planned service restarts to reduce false positives.
- Check for collection gaps: if process, service, or endpoint health telemetry is incomplete, the analytic may produce false assurance.
- Because no official detection logic was provided, detection teams should implement and test local correlation rules against their Windows endpoint tooling and logging coverage.
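One way to implement the correlation described in the technical view and the detection-direction list above, written as an added example rather than official ATT&CK or Glexia content: replay service-state, process-creation/termination, maintenance-window and sensor-health events per host, and treat every "healthy" claim as unverified until host evidence confirms it. The event schema, the field names, the sample events and the 30-minute staleness threshold are constructed assumptions; the process image name `MsMpEng.exe` and the service name `WinDefend` follow the analytic text. A health claim with no recent host telemetry is reported as unverifiable, not consistent, so a collection gap cannot produce false assurance, and a contradiction inside an approved maintenance window is kept but labelled for lower-severity triage.

```python
"""Correlate reported sensor health with observed service and process state.

Added example (not ATT&CK or Glexia content). The event schema and sample
events are constructed for illustration; in production the same fields would
be normalized from service state-change events, process creation/termination
events and the product's own health reporting.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Components named by the analytic. The ".exe" image name is an assumption.
EXPECTED_SERVICES = {"WinDefend"}
EXPECTED_PROCESSES = {"MsMpEng.exe"}


@dataclass
class HostState:
    services: dict = field(default_factory=dict)   # service name -> last reported state
    processes: dict = field(default_factory=dict)  # image name -> set of live PIDs
    last_telemetry: Optional[datetime] = None      # last service/process evidence seen
    maintenance_until: Optional[datetime] = None   # approved window end, if any


def correlate(events, stale_after=timedelta(minutes=30)):
    """Replay events in time order; emit one finding per 'healthy' claim."""
    hosts = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        h = hosts.setdefault(ev["host"], HostState())
        kind = ev["kind"]
        if kind == "service_state":
            h.services[ev["name"]] = ev["state"]
            h.last_telemetry = ev["ts"]
        elif kind == "process_create":
            h.processes.setdefault(ev["image"], set()).add(ev["pid"])
            h.last_telemetry = ev["ts"]
        elif kind == "process_terminate":
            h.processes.setdefault(ev["image"], set()).discard(ev["pid"])
            h.last_telemetry = ev["ts"]
        elif kind == "maintenance_window":
            h.maintenance_until = ev["until"]
        elif kind == "sensor_health" and ev["status"] == "healthy":
            # The health claim is never trusted on its own; it is checked
            # against whatever host-level evidence has been collected so far.
            findings.append(verdict(ev, h, stale_after))
    return findings


def verdict(ev, h, stale_after):
    base = {"host": ev["host"], "ts": ev["ts"].isoformat()}
    # Collection gap: no (or stale) host evidence means the claim cannot be
    # confirmed. Reporting it as 'consistent' here would be false assurance.
    if h.last_telemetry is None or ev["ts"] - h.last_telemetry > stale_after:
        return {**base, "verdict": "unverifiable",
                "reason": "no recent service/process telemetry"}
    unseen = sorted(s for s in EXPECTED_SERVICES if s not in h.services)
    if unseen:
        return {**base, "verdict": "unverifiable",
                "reason": "no service-state evidence for " + ", ".join(unseen)}
    not_running = sorted(s for s in EXPECTED_SERVICES if h.services[s] != "running")
    absent = sorted(p for p in EXPECTED_PROCESSES if not h.processes.get(p))
    if not not_running and not absent:
        return {**base, "verdict": "consistent", "reason": ""}
    # Healthy claim contradicted by host state. Inside an approved maintenance
    # window the finding is kept but labelled for lower-severity triage.
    in_window = h.maintenance_until is not None and ev["ts"] <= h.maintenance_until
    return {**base,
            "verdict": "inconsistent_in_maintenance" if in_window else "inconsistent",
            "reason": "services not running: %s; processes absent: %s"
                      % (not_running or "-", absent or "-")}


def at(hhmm):
    """Build a timestamp on a fixed sample day (constructed data helper)."""
    return datetime(2026, 1, 15, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample telemetry for four hosts (not real log data).
SAMPLE_EVENTS = [
    # WS01: service running, engine process alive, health claim agrees.
    {"host": "WS01", "ts": at("09:00"), "kind": "service_state", "name": "WinDefend", "state": "running"},
    {"host": "WS01", "ts": at("09:00"), "kind": "process_create", "image": "MsMpEng.exe", "pid": 1234},
    {"host": "WS01", "ts": at("09:05"), "kind": "sensor_health", "status": "healthy"},
    # WS02: service stopped and engine terminated, yet the UI still reports healthy.
    {"host": "WS02", "ts": at("09:00"), "kind": "service_state", "name": "WinDefend", "state": "running"},
    {"host": "WS02", "ts": at("09:00"), "kind": "process_create", "image": "MsMpEng.exe", "pid": 2200},
    {"host": "WS02", "ts": at("09:10"), "kind": "service_state", "name": "WinDefend", "state": "stopped"},
    {"host": "WS02", "ts": at("09:10"), "kind": "process_terminate", "image": "MsMpEng.exe", "pid": 2200},
    {"host": "WS02", "ts": at("09:12"), "kind": "sensor_health", "status": "healthy"},
    # WS03: same contradiction, but inside an approved maintenance window.
    {"host": "WS03", "ts": at("08:00"), "kind": "maintenance_window", "until": at("10:00")},
    {"host": "WS03", "ts": at("09:00"), "kind": "service_state", "name": "WinDefend", "state": "running"},
    {"host": "WS03", "ts": at("09:00"), "kind": "process_create", "image": "MsMpEng.exe", "pid": 3300},
    {"host": "WS03", "ts": at("09:20"), "kind": "service_state", "name": "WinDefend", "state": "disabled"},
    {"host": "WS03", "ts": at("09:20"), "kind": "process_terminate", "image": "MsMpEng.exe", "pid": 3300},
    {"host": "WS03", "ts": at("09:25"), "kind": "sensor_health", "status": "healthy"},
    # WS04: health claim with no host telemetry at all (collection gap).
    {"host": "WS04", "ts": at("09:30"), "kind": "sensor_health", "status": "healthy"},
]


def run_sample():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f["host"], f["verdict"], f["reason"])
```

Running the sample yields one finding per host: WS01 consistent, WS02 inconsistent, WS03 inconsistent but inside its maintenance window, and WS04 unverifiable. The unverifiable verdict is the deliberate design choice here: when a SIEM rule cannot see service or process evidence for a host, the correct output is "cannot confirm", and the follow-up is a collection-coverage check rather than a closed alert.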
Mitigation priorities
- Establish independent monitoring of endpoint protection service and process state, not just console-reported health.
- Define operational baselines for expected Windows security services and processes, including approved maintenance windows and exception handling.
- Restrict and audit administrative actions that can stop, disable, or alter security services, consistent with local policy.
- Include sensor-health inconsistency checks in incident response triage and compliance evidence reviews.
- Regularly test whether endpoint health dashboards match host-level telemetry across representative Windows systems.
Analyst notes and limits
The supplied object is a detection analytic, not a technique, and no relationships were supplied. The strongest decision value is assurance: confirming that endpoint security health reporting reflects actual host state. The example explicitly names Windows Defender UI/tray health versus WinDefend and MsMpEng process/service state, so Defender-oriented validation is supported, but broader product-specific claims are not.
Official detection content was not provided, tactics were not specified, and no relationship context was supplied. This take is limited to the Windows platform and the described analytic behavior. Local telemetry availability, endpoint security configuration, and approved administrative workflows are required to determine practical coverage and tuning.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 00b6af6f73d5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0868
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.