AN1061: Analytic 1061
Unauthorized or anomalous loading of kernel-mode drivers or DLLs, concealed services, or abnormal modification of boot components indicative of rootkit activity.
Analyst context for executives and security teams
AN1061 is a Windows-focused detection analytic for signs of possible rootkit activity: unusual kernel-mode driver or DLL loading, hidden or concealed services, and abnormal changes to boot components. For leaders, the practical issue is trust: if attackers can operate at this level, normal endpoint visibility and response actions may be less reliable, so organizations need evidence that they can detect suspicious low-level persistence or tampering before it affects recovery confidence.
Executive priority
Prioritize this analytic where Windows systems are critical to business operations, privileged administration, or incident recovery. The decision value is not simply whether an alert exists, but whether security teams can prove they collect the right endpoint and system-change evidence to recognize suspicious driver, service, and boot-component behavior. This supports resilience planning, incident response readiness, and audit discussions around endpoint control integrity. Because ATT&CK provides no tactic mapping, detection logic, or relationships for this object, local risk ranking should be based on the importance of Windows assets and the organization’s ability to validate low-level system integrity.
Technical view
SOC and IR teams should treat AN1061 as a validation target for Windows telemetry covering kernel-mode driver or DLL load activity, service visibility and service state changes, and boot-component modification events. Since the official detection field is not provided, teams should not assume a ready-made rule exists. Instead, validate that collection, normalization, and alerting can distinguish expected administrative, update, and security-tool behavior from unauthorized or anomalous activity involving drivers, concealed services, or boot-related components.
Likely telemetry
- Windows endpoint telemetry for kernel-mode driver loading
- Windows DLL load or module-load telemetry where available
- Service creation, modification, state, and visibility data
- Boot configuration or boot component change records
- Endpoint security or EDR events related to driver, service, and system integrity changes
Detection direction
- Confirm whether Windows systems generate and retain telemetry for driver loads, service changes, and boot-component modifications.
- Baseline approved drivers, services, security tools, and operating system update behavior to reduce false positives from legitimate software maintenance.
- Tune for anomalies such as unexpected kernel-mode driver loading, services that are difficult to enumerate or appear inconsistent with inventory, and boot component changes outside approved maintenance windows.
- Correlate endpoint events with administrative change tickets and privileged account activity before escalating, because legitimate drivers and service changes can be noisy.
- Review blind spots where endpoint agents may not see low-level activity, where logs are short-lived, or where boot integrity evidence is not centrally collected.
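As an added illustration of the baseline-and-tune steps above (example code, not ATT&CK's or Glexia's), the following Python applies an approved-driver inventory, a cross-view service comparison and a maintenance-window check to constructed events; the inventory hashes, service names, paths and timestamps are placeholders.

```python
# Added example for the detection-direction steps; illustrative code, not ATT&CK's or
# Glexia's. Inputs are constructed: driver events use field names modelled on Sysmon
# Event ID 6 (ImageLoaded, Signed, SignatureStatus) plus a normalized SHA256 field;
# the service views model an SCM enumeration versus the registry Services key.
from datetime import datetime, time

DRIVER_DIR = r"c:\windows\system32\drivers"
# Constructed approved-driver inventory: lowercase image path -> expected SHA256 (placeholder)
APPROVED_DRIVERS = {r"c:\windows\system32\drivers\tcpip.sys": "sha256-placeholder-tcpip"}

def check_driver_loads(events, approved=APPROVED_DRIVERS):
    """Return (ImageLoaded, [reasons]) for each driver load that deviates from the baseline."""
    findings = []
    for ev in events:
        image, reasons = ev["ImageLoaded"].lower(), []
        if ev.get("Signed") != "true" or ev.get("SignatureStatus") != "Valid":
            reasons.append("unsigned or invalid signature")
        if image not in approved:
            reasons.append("not in approved driver inventory")
        elif approved[image] != ev.get("SHA256"):
            reasons.append("hash differs from inventory")
        if not image.startswith(DRIVER_DIR):
            reasons.append("loaded from outside the drivers directory")
        if reasons:
            findings.append((ev["ImageLoaded"], reasons))
    return findings

def find_concealed_services(scm_view, registry_view):
    """Cross-view diff: a service key in the registry with no SCM entry (or vice versa)
    is the inconsistency-with-inventory signal the tuning step describes."""
    return {"hidden_from_scm": sorted(set(registry_view) - set(scm_view)),
            "no_registry_key": sorted(set(scm_view) - set(registry_view))}

def boot_changes_outside_window(changes, window=(time(2, 0), time(4, 0))):
    """Flag boot-component change records whose timestamp falls outside the window."""
    start, end = window
    return [c for c in changes
            if not start <= datetime.fromisoformat(c["time"]).time() <= end]

# Constructed sample input
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true",
     "SignatureStatus": "Valid", "SHA256": "sha256-placeholder-tcpip"},
    {"ImageLoaded": r"C:\Users\Public\drv\rk.sys", "Signed": "false",
     "SignatureStatus": "Unavailable", "SHA256": "sha256-placeholder-unknown"},
]
SAMPLE_SCM, SAMPLE_REG = ["Dnscache", "EdrSensor"], ["Dnscache", "EdrSensor", "svchlpr"]
SAMPLE_BOOT = [{"time": "2026-01-10T03:15:00", "change": "BCD store modified"},
               {"time": "2026-01-12T14:40:00", "change": "BCD store modified"}]
```

Each function returns its findings so the same logic can be fed from exported logs or an EDR query rather than the inline samples.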
Mitigation priorities
- Maintain a controlled inventory of approved Windows drivers, services, and boot-related components.
- Restrict and monitor privileged administrative actions that can install drivers, alter services, or change boot components.
- Use change-management controls for driver, service, and boot configuration changes on critical Windows systems.
- Harden endpoint configurations to limit unauthorized code and driver installation where operationally feasible.
- Ensure incident response procedures include validation of system integrity and recovery trust when rootkit-like activity is suspected.
Analyst notes and limits
This object is a detection analytic, not a technique description. The supplied ATT&CK fields identify the platform as Windows and describe rootkit-indicative behavior, but provide no official detection logic, tactic mapping, labels, aliases, or relationship context. The most useful Glexia application is therefore a coverage and readiness review: can the organization observe and explain driver, service, and boot-component changes on Windows systems?
The official detection field is not provided, and no relationships were supplied. This take does not assert active exploitation, attribution, specific ATT&CK technique coverage, or guaranteed detection. Local endpoint tooling, logging depth, asset criticality, and administrative practices are required to determine actual coverage and priority.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e70b3327d874… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1061 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.