AN1369: Analytic 1369
Detection of adversary behavior that disables or modifies security tools, including killing AV/EDR processes, stopping services, altering Sysmon registry keys, or tampering with exclusion lists. Defenders observe process/service termination, registry modification, and abnormal absence of expected telemetry.
Analyst context for executives and security teams
This analytic is about spotting attempts to weaken Windows security monitoring and protection, such as killing AV/EDR processes, stopping services, changing Sysmon-related registry keys, or modifying exclusion lists. For leaders, the practical issue is not just tool tampering; it is loss of visibility during an incident, which can delay containment, weaken audit evidence, and reduce confidence in SOC decisions.
Executive priority
Prioritize this as a resilience and assurance control: if security tools can be disabled or silently modified without rapid detection, incident response decisions may be made with incomplete evidence. Executives should ask whether Windows endpoint protection, logging, and monitoring health are independently validated, whether alerts exist for security service interruption, and whether compliance reporting can prove that expected telemetry was present during critical periods.
Technical view
For SOC, detection engineering, and IR teams, validate monitoring for Windows events showing process termination, service stop or configuration changes, registry modifications affecting Sysmon, and changes to security tool exclusion lists. Because the official object provides no tactic mapping, no relationships, and no standalone detection logic, teams should treat AN1369 as a coverage-validation prompt rather than a complete rule. IR playbooks should include checks for abnormal gaps in expected endpoint telemetry after suspected tampering.
Likely telemetry
- Windows process creation and termination telemetry
- Windows service control and service state-change events
- Registry modification events, especially for Sysmon-related keys
- Security tool configuration and exclusion-list change logs
- Endpoint protection or EDR health/status events
Detection direction
- Validate alerts for termination of security-related processes and stopping or disabling of security services.
- Monitor registry changes that affect logging or security tooling, including Sysmon-related configuration areas where collected.
- Detect changes to exclusion lists or security tool configuration that reduce scanning or monitoring scope.
- Use absence-of-telemetry checks carefully: missing endpoint events, missed heartbeats, or sudden logging gaps can be high-value but need tuning for maintenance windows, agent upgrades, and network outages.
- Correlate tampering indicators with administrative context to reduce false positives from approved security operations or software maintenance.
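As an added example (not part of the ATT&CK object or Glexia's analysis), the detection directions above expressed as a small Python triage routine over constructed endpoint events: it classifies security-service stops, security-process terminations, writes under the Sysmon driver's registry parameters and exclusion-list changes, marks signals that fall inside an approved change window for the same host and user, and applies a heartbeat-gap check that suppresses hosts under maintenance. The event schema, the AV/EDR service and process names, and the approved-change records are assumptions.

```python
from datetime import datetime, timedelta

# Assumed watchlists (not the page's): Sysmon names are real, AV/EDR names are constructed stand-ins.
SECURITY_SERVICES = {"sysmon64", "sysmon", "edrsensor", "avengine"}
SECURITY_PROCESSES = {"sysmon64.exe", "sysmon.exe", "edr_agent.exe", "av_engine.exe"}
SYSMON_KEY_PREFIX = r"hklm\system\currentcontrolset\services\sysmondrv\parameters"

def classify(ev):
    """Map one normalized endpoint event (constructed schema) to a tamper signal, or None."""
    name = ev["name"].lower()
    if ev["type"] == "service_stop" and name in SECURITY_SERVICES:
        return "security_service_stopped"
    if ev["type"] == "process_end" and name in SECURITY_PROCESSES:
        return "security_process_terminated"
    if ev["type"] == "registry_set" and name.startswith(SYSMON_KEY_PREFIX):
        return "sysmon_config_modified"
    if ev["type"] == "exclusion_add":
        return "exclusion_list_changed"
    return None

def tamper_alerts(events, approved_changes):
    """Flag tamper signals; mark those inside an approved change window for the same host and user."""
    alerts = []
    for ev in events:
        signal = classify(ev)
        if signal is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        approved = any(c["host"] == ev["host"] and c["user"] == ev["user"]
                       and c["start"] <= ts <= c["end"] for c in approved_changes)
        alerts.append({"host": ev["host"], "user": ev["user"], "signal": signal, "approved": approved})
    return alerts

def telemetry_gaps(last_seen, now, max_gap_minutes, maintenance_hosts):
    """Hosts whose last heartbeat (ISO timestamp) is older than max_gap_minutes, minus maintenance hosts."""
    limit = datetime.fromisoformat(now) - timedelta(minutes=max_gap_minutes)
    return sorted(h for h, ts in last_seen.items() if datetime.fromisoformat(ts) < limit and h not in maintenance_hosts)

EVENTS = [  # constructed sample events (not from the page)
    {"ts": "2026-01-10T09:00:00", "host": "ws01", "user": "corp\\alice", "type": "service_stop", "name": "EdrSensor"},
    {"ts": "2026-01-10T09:00:05", "host": "ws01", "user": "corp\\alice", "type": "process_end", "name": "edr_agent.exe"},
    {"ts": "2026-01-10T09:01:00", "host": "ws01", "user": "corp\\alice", "type": "registry_set",
     "name": r"HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters\Rules"},
    {"ts": "2026-01-10T09:02:00", "host": "ws01", "user": "corp\\alice", "type": "exclusion_add", "name": r"C:\Users\alice\AppData\Local\Temp"},
    {"ts": "2026-01-10T22:00:00", "host": "ws02", "user": "corp\\svc-patch", "type": "service_stop", "name": "Sysmon64"},
]
APPROVED = [{"host": "ws02", "user": "corp\\svc-patch", "start": datetime(2026, 1, 10, 21, 30), "end": datetime(2026, 1, 10, 23, 0)}]
LAST_SEEN = {"ws01": "2026-01-10T09:00:00", "ws02": "2026-01-10T22:00:00", "ws03": "2026-01-10T22:55:00"}
if __name__ == "__main__":
    print(tamper_alerts(EVENTS, APPROVED), telemetry_gaps(LAST_SEEN, "2026-01-10T23:00:00", 30, {"ws02"}))
```

The approved flag is kept on the alert rather than dropping it, so an approved stop still reaches the analyst as lower-priority context instead of disappearing from the record.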
Mitigation priorities
- Establish and document expected Windows endpoint telemetry, service states, and security tool health signals.
- Restrict who can stop security services, modify protection settings, change exclusions, or alter logging-related registry keys.
- Create operational alerts for unauthorized or unexpected security tool shutdown, configuration change, or telemetry loss.
- Include security-tool tampering checks in incident response triage and evidence-preservation procedures.
- Review maintenance and change-management processes so legitimate updates do not create unmanaged detection blind spots.
Analyst notes and limits
AN1369 is a detection analytic in the enterprise ATT&CK domain for Windows. The supplied ATT&CK description gives useful behavior categories, but there are no supplied relationships, tactic mappings, or formal detection pseudocode. The decision value is to test whether endpoint security health and telemetry integrity are monitored, not to assume a finished detection exists.
This take is limited to the supplied STIX fields and external reference. It does not assert active exploitation, actor use, specific products, coverage guarantees, or non-Windows applicability. Local endpoint tooling, logging configuration, administrative workflows, and maintenance practices are required to determine actual detection quality.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7e04aec17b93… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1369 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.