AN1195: Analytic 1195
Unauthorized modification of service-related registry keys such as ImagePath, FailureCommand, ServiceDll, or Performance/Parameters keys. Defender correlates registry modifications, anomalous service metadata changes, and subsequent service process executions that deviate from baseline configurations.
Analyst context for executives and security teams
AN1195 focuses on unauthorized changes to Windows service-related registry keys. For leaders, the practical issue is not the registry itself; it is whether the organization can notice when a critical service’s launch path, recovery command, DLL loading path, or performance parameters change from an approved baseline. These changes can alter service behavior and complicate incident response if teams lack reliable service configuration history.
Executive priority
Prioritize this analytic where Windows services support business-critical operations, privileged infrastructure, endpoint management, or regulated systems. Leaders should ask whether SOC and IR teams can prove when service configurations changed, who or what changed them, and whether a changed service later executed in an unexpected way. This is also useful audit evidence for change control, endpoint hardening, and operational resilience reviews.
Technical view
The supplied analytic is Windows-focused and describes correlation across service-related registry modifications, anomalous service metadata changes, and subsequent service process executions that deviate from baseline configurations. SOC and detection teams should validate visibility into modifications to keys and values such as ImagePath, FailureCommand, ServiceDll, and Performance/Parameters, then compare those changes against known-good service baselines and expected change windows. Because no ATT&CK tactic or relationship context is supplied, treat this as a behavior-level detection building block rather than a complete attack narrative.
Likely telemetry
- Windows registry modification events for service-related keys and values
- Service configuration and service metadata change records
- Process execution telemetry for services after configuration changes
- Approved service configuration baselines or asset/change-management records
- Identity or account context for the process or user that modified the registry
Detection direction
- Validate that registry auditing or endpoint telemetry captures service-related key/value changes with actor, process, host, and timestamp context.
- Tune against legitimate software updates, service installations, driver updates, and administrative maintenance to reduce false positives.
- Correlate a registry change with later service execution that differs from the approved baseline, rather than alerting only on any single registry write.
- Prioritize deviations involving sensitive values named in the analytic: ImagePath, FailureCommand, ServiceDll, and Performance/Parameters.
- Check for blind spots on servers or endpoints where registry telemetry, service metadata history, or process execution logging is incomplete.
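As an added example (not code from MITRE or Glexia), the correlation the technical view and the list above describe, run over constructed Sysmon-style registry-set and process-creation records; the baseline, hosts, users and paths are assumptions made for the example:

```python
import re
from datetime import datetime, timedelta
SERVICES_PREFIX = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\"  # per-service configuration root
SENSITIVE = {"imagepath", "failurecommand", "servicedll", "performance", "parameters"}
SERVICES_EXE = r"c:\windows\system32\services.exe"  # the SCM, parent of every service process
# Hypothetical approved baseline, (service, value path) -> expected program; constructed here.
BASELINE = {("Spooler", "ImagePath"): r"c:\windows\system32\spoolsv.exe",
            ("wuauserv", r"Parameters\ServiceDll"): r"c:\windows\system32\wuaueng.dll"}

def parse_service_key(target):
    # (service, value path) for a key under the Services root, else None
    if not target.lower().startswith(SERVICES_PREFIX.lower()):
        return None
    svc, _, value_path = target[len(SERVICES_PREFIX):].partition("\\")
    return svc, value_path

def executable_of(value):
    # program path inside an ImagePath/FailureCommand/ServiceDll value; quotes and arguments dropped
    m = re.match(r'^"?([^"]+?\.(?:exe|dll))"?', value, re.IGNORECASE)
    return m.group(1).lower() if m else None

def correlate(reg_events, proc_events, window=timedelta(minutes=30)):
    # one finding per sensitive write; high only when the SCM then launches the off-baseline program
    findings = []
    for r in reg_events:
        parsed = parse_service_key(r["key"])
        if not parsed or not any(p.lower() in SENSITIVE for p in parsed[1].split("\\")):
            continue  # e.g. a Description edit: not one of the values the analytic names
        svc, value_path = parsed
        new_exe = executable_of(r["new_value"])
        deviates = new_exe is not None and new_exe != BASELINE.get((svc, value_path))
        launched = any(p["host"] == r["host"] and p["parent"].lower() == SERVICES_EXE
                       and timedelta(0) <= p["time"] - r["time"] <= window
                       and p["image"].lower() == new_exe for p in proc_events)
        severity = "high" if deviates and launched else "medium" if deviates else "low"
        findings.append({"host": r["host"], "service": svc, "value": value_path,
                         "actor": r["user"], "severity": severity})
    return findings

# Constructed sample records shaped like Sysmon Event ID 13 (value set) and Event ID 1 (process create).
T0 = datetime(2024, 5, 1, 9, 0)
REG_EVENTS = [
    {"time": T0, "host": "ws01", "user": r"CORP\admin", "new_value": r'"C:\Users\Public\update.exe" -svc',
     "key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spooler\\ImagePath"},
    {"time": T0 + timedelta(minutes=1), "host": "ws02", "user": r"NT AUTHORITY\SYSTEM",
     "new_value": r"C:\Windows\System32\wuaueng.dll",
     "key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\wuauserv\\Parameters\\ServiceDll"},
]
PROC_EVENTS = [{"time": T0 + timedelta(minutes=4), "host": "ws01",
                "image": r"C:\Users\Public\update.exe", "parent": r"C:\Windows\System32\services.exe"}]
```

The in-baseline ServiceDll write stays at low severity, which is the tuning point for software updates and change windows; confirming execution of a changed ServiceDll would additionally need image-load telemetry, which this example does not model.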
Mitigation priorities
- Establish and maintain approved baselines for Windows service configurations on critical systems.
- Restrict and monitor administrative permissions capable of changing service-related registry keys.
- Integrate service configuration changes with formal change-management evidence so SOC analysts can quickly separate authorized maintenance from suspicious drift.
- Harden endpoint logging and retention so incident responders can reconstruct the sequence from registry change to service execution.
- Review critical Windows services periodically for unauthorized or unexplained configuration drift.
Analyst notes and limits
This take is based only on the supplied MITRE analytic description for AN1195. The strongest operational use is as a correlation pattern: service registry modification plus metadata drift plus subsequent service execution compared with baseline. Local baselines, change windows, and endpoint telemetry quality will determine usefulness.
No official detection logic, ATT&CK tactics, technique relationships, adversary relationships, or test procedure details were supplied. The object only supports Windows-specific guidance. It does not support claims about active exploitation, attribution, prevalence, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | efab4db8c4a9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1195
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.