AN0886: Analytic 0886
Unusual service stop events, termination of AV/EDR processes, registry modifications disabling security tools, and firewall/defender configuration changes. Correlate process creation with service stop requests and registry edits.
Analyst context for executives and security teams
Analytic 0886 is a Windows-focused detection analytic for signs that security controls are being disabled or interfered with: unusual service stops, AV/EDR process termination, registry changes that weaken security tools, and firewall or Microsoft Defender configuration changes. Its business value is in validating whether the organization can see early control-degradation activity before an incident becomes harder to contain or prove.
Executive priority
Prioritize this as a control-assurance and incident-readiness question: if endpoint protection, firewall, or Defender settings are disabled, can the SOC prove it quickly and escalate with confidence? Leaders should ask whether Windows service, process, registry, and security-configuration telemetry is retained and correlated well enough to support incident decisions, audit evidence, and resilience of endpoint security investments.
Technical view
For Windows environments, validate correlation across service stop events, process creation or termination involving AV/EDR processes, registry edits associated with disabling security tools, and firewall/Defender configuration changes. Because ATT&CK provides no separate detection text and no relationship context for this analytic, teams should treat the official description as the detection intent and tune it against local baselines for legitimate administration, endpoint agent upgrades, troubleshooting, and policy changes.
Likely telemetry
- Windows service control and service stop events
- Endpoint process creation and process termination telemetry
- Registry modification events related to security tool configuration
- Windows firewall configuration change logs
- Microsoft Defender configuration change logs
Detection direction
- Correlate service stop requests with nearby process activity and registry edits, rather than alerting on a single weak signal in isolation.
- Baseline legitimate security-tool maintenance, patching, policy deployment, and administrator troubleshooting to reduce false positives.
- Confirm visibility into both successful and attempted changes to services, registry keys, firewall settings, and Defender settings.
- Validate whether telemetry remains available if the endpoint agent itself is stopped or degraded.
- Use the analytic as a coverage test for SOC workflows: alert routing, triage evidence, escalation criteria, and incident response handoff.
Mitigation priorities
- Restrict administrative permissions that can stop security services or change endpoint security configuration.
- Use managed configuration and change control for firewall, Defender, and endpoint security settings.
- Enable tamper protection or equivalent hardening where supported by deployed security tools.
- Monitor endpoint security health and service status continuously, not only during investigations.
- Document approved maintenance windows and authorized administrators so detections can be triaged against known-good activity.
Analyst notes and limits
This object is a detection analytic, not a technique. ATT&CK lists Windows as the platform and describes the analytic around security tool disruption indicators, but provides no tactic, no official detection procedure, and no related techniques or relationships in the supplied data. The strongest use is as a validation checklist for endpoint telemetry and correlation logic.
The supplied ATT&CK fields do not identify specific products, registry paths, event IDs, tactics, adversary groups, or active exploitation. Local endpoint architecture, logging configuration, security tools, and change-management data are required to convert this analytic into reliable production detection.
Analytic 0886
Unusual service stop events, termination of AV/EDR processes, registry modifications disabling security tools, and firewall/defender configuration changes. Correlate process creation with service stop requests and registry edits.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | d6a7b9854488… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0886Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.