AN1897: Analytic 1897
Monitor for changes made to files that may stop or disable services on a system to render those services unavailable to legitimate users. Monitor executed commands and arguments that may stop or disable services on a system to render those services unavailable to legitimate users. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting. For added context on adversary procedures and background see Service Stop. Monitor processes and command-line arguments to see if critical processes are terminated or stop running. Alterations to the service binary path, or a service startup type changed to disabled, may be suspicious. Monitor for changes made to Windows registry keys and/or values that may stop or disable services on a system to render those services unavailable to legitimate users. Monitor for newly executed processes that may stop or disable services on a system to render those services unavailable to legitimate users.
Analyst context for executives and security teams
Analytic 1897 is about watching for activity that stops, disables, or prevents services from running. For an ICS environment, this matters because loss of important services can quickly become an availability and operational-resilience issue, even when the activity looks like normal administration. The decision value is knowing whether the SOC can distinguish approved maintenance from suspicious service disruption using file-change, command-line, process, registry, and service-configuration evidence.
Executive priority
Treat this as an availability-control validation item. Leaders should ask which services are business- or operations-critical, who is allowed to stop or disable them, whether those actions are logged, and whether incident responders can quickly prove whether a service outage was authorized maintenance or potentially malicious disruption. Because the ATT&CK object provides no platform list, tactics, or relationships, priority should be driven by local critical-service dependency mapping and ICS operational impact analysis.
Technical view
SOC and IR teams should validate monitoring for service stop/disable behavior across the evidence types named by MITRE: file changes, executed commands and arguments, process execution, process termination or unexpected stoppage, service binary path changes, startup type changes to disabled, and Windows registry key/value changes related to services. The description also notes that remote access tools may interact directly with Windows APIs such as ChangeServiceConfigW, so detection should not rely only on common service-control utilities or command-line strings. Since no official detection logic is supplied, teams need to build and test environment-specific analytics around critical services and approved maintenance workflows.
Likely telemetry
- File modification events affecting service configuration or service-related files
- Process execution events and command-line arguments
- Process termination or service stop events for critical processes
- Service configuration change records, including binary path changes
- Service startup type changes, especially changes to disabled
Detection direction
- Baseline authorized service administration and maintenance windows before alerting on all service stops.
- Prioritize services that support critical operations or ICS availability rather than treating every service change equally.
- Detect both command-line service control and non-command-line mechanisms, including API-driven service configuration changes referenced by MITRE.
- Correlate registry, process, file, and service-configuration changes to reduce false positives from legitimate patching, upgrades, or administrator troubleshooting.
- Alert on suspicious combinations such as a critical process stopping, its service startup type changing to disabled, or its binary path being altered.
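As an added example (not MITRE's or Glexia's detection logic), the Python below correlates the evidence types listed above for an inventory of critical services and suppresses approved maintenance windows before alerting. The service names, maintenance window, event formats and regexes are assumptions, and the log lines are constructed, modelled loosely on Windows System log events 7036/7040 and Sysmon process and registry events.

```python
# Added example: correlate service-stop evidence for critical services. Log lines
# are constructed, modelled on Windows System events 7036/7040 and Sysmon 1/13.
import re
from datetime import datetime

CRITICAL_SERVICES = {"HistorianSvc", "AlarmServer"}  # hypothetical inventory
MAINTENANCE = {"HistorianSvc": (datetime(2024, 5, 1, 2), datetime(2024, 5, 1, 4))}  # hypothetical window

PATTERNS = [  # (evidence kind, regex over the message); group 1 is the service name
    ("start_type_disabled", re.compile(r"start type of the (\S+) service was changed from .* to disabled")),
    ("start_type_disabled", re.compile(r"Services\\([^\\]+)\\Start .*DWORD \(0x00000004\)")),
    ("stop", re.compile(r"The (\S+) service entered the stopped state")),
    ("image_path", re.compile(r"Services\\([^\\]+)\\ImagePath")),
    ("process", re.compile(r"\bsc(?:\.exe)? (?:config|stop) (\S+)", re.I)),
]

def parse(line):
    """Return (time, kind, service) for an 'ISO-time | message' line, else None."""
    stamp, _, msg = line.partition(" | ")
    for kind, rx in PATTERNS:
        m = rx.search(msg)
        if m:
            return datetime.fromisoformat(stamp), kind, m.group(1)
    return None

def in_maintenance(service, when):
    window = MAINTENANCE.get(service)
    return window is not None and window[0] <= when <= window[1]

def correlate(lines):
    """Map each critical service to the sorted evidence kinds that justify an alert."""
    evidence = {}
    for when, kind, service in filter(None, map(parse, lines)):
        # Services outside the inventory and approved maintenance windows are suppressed.
        if service in CRITICAL_SERVICES and not in_maintenance(service, when):
            evidence.setdefault(service, set()).add(kind)
    alerts = {}
    for service, kinds in evidence.items():
        # Config tampering alerts on its own; a bare stop also needs a control command.
        if kinds & {"start_type_disabled", "image_path"} or {"stop", "process"} <= kinds:
            alerts[service] = sorted(kinds)
    return alerts

SAMPLE_LINES = [  # constructed telemetry, not real logs
    "2024-05-01T02:30:00 | System 7040: The start type of the HistorianSvc service was changed from auto start to disabled.",
    "2024-05-02T14:05:00 | Sysmon 1: CommandLine: sc.exe config AlarmServer start= disabled",
    "2024-05-02T14:05:01 | Sysmon 13: TargetObject: HKLM\\SYSTEM\\CurrentControlSet\\Services\\AlarmServer\\Start Details: DWORD (0x00000004)",
    "2024-05-02T14:05:02 | System 7036: The AlarmServer service entered the stopped state.",
    "2024-05-02T14:06:00 | Sysmon 13: TargetObject: HKLM\\SYSTEM\\CurrentControlSet\\Services\\AlarmServer\\ImagePath Details: C:\\Users\\Public\\svc.exe",
    "2024-05-02T14:07:00 | System 7036: The Spooler service entered the stopped state.",
]
```

Running `correlate(SAMPLE_LINES)` flags only AlarmServer: the HistorianSvc change falls inside its maintenance window and Spooler is not in the inventory.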
Mitigation priorities
- Define and maintain an inventory of critical services and their operational owners.
- Restrict who can stop, disable, or reconfigure critical services, using least privilege and change-control expectations.
- Require documented maintenance procedures for planned service interruption so SOC teams have context for triage.
- Harden and monitor remote access paths that could be used to change service configuration.
- Ensure responders have playbooks for verifying service state, restoring intended configuration, and escalating potential operational impact.
Analyst notes and limits
This object is a detection analytic in the ICS ATT&CK domain and points to Service Stop for procedural context, but no relationship objects were supplied. The most useful implementation work is local: identify the services that matter, confirm telemetry coverage, and tune detection around authorized versus unauthorized service disruption.
The supplied object has no platforms, tactics, official detection logic, labels, aliases, or relationship context. Although the description names Windows registry keys and the Windows API, the platform field is not specified, so platform coverage should be validated locally rather than assumed from the object metadata. This take does not assert active exploitation, attribution, impact, or existing detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3c43fe0e02fb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1897
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.