Service Modification

Changes made to an existing service or daemon, such as modifying the service name, start type, execution parameters, or security configurations.

*Data Collection Measures:*

  • Windows Event Logs
    • Event ID 7040 (System log) - Logged when the start type of a service is changed (e.g., from auto start to disabled); the message names the service and the old and new start types.
    • Event ID 7045 (System log) - Logged when a new service is installed. It does not fire on edits to an existing service, but it does capture an adversary deleting a service and re-creating it under the same name with different parameters.
    • Event ID 7036 (System log) - Logged when a service enters the running or stopped state; stopping a security service immediately before a configuration change is a common tampering sequence.
    • Event ID 4697 (Security log, requires the Audit Security System Extension subcategory) - Logged when a service is installed; like 7045 it surfaces reinstallation with different parameters, and it also records the account that performed the installation.
  • Sysmon Logs
    • Sysmon Event ID 13 (RegistryEvent, Value Set) - Detects changes to service configuration values under HKLM\SYSTEM\CurrentControlSet\Services\<service>\ (e.g., ImagePath, Start, ObjectName, Parameters\ServiceDll); the Sysmon configuration must include that key.
    • Sysmon Event ID 1 (Process Create) - Captures execution of sc.exe, or of powershell.exe running Set-Service, together with the full command line and the parent process.
  • PowerShell Logging
    • Event ID 4104 (Script Block Logging, Microsoft-Windows-PowerShell/Operational) - Captures the content of script blocks that call Set-Service, New-Service, or sc.exe config. Inside PowerShell the bare name sc is an alias for Set-Content, so an attacker driving the service controller from PowerShell has to spell out sc.exe.
    • Command-Line Logging (Security Event ID 4688, with "Include command line in process creation events" enabled) - Tracks usage of service modification commands, for example:
      • sc config <service_name> start= auto (the space after the = is required by sc.exe)
      • sc qc <service_name> (a read-only query of the current configuration, typically run before a change)
  • Linux/macOS Collection Methods
    • Systemd Journal (journalctl -u <service_name>) - Shows the unit's lifecycle messages (start, stop, restart, reload) and any errors systemd raises when a changed unit file is loaded; edits to the unit file itself are not journaled, so pair this with file auditing.
    • Daemon Logs (/var/log/syslog, /var/log/messages, /var/log/daemon.log) - Capture changes to service state and execution parameters on hosts that forward the journal to syslog.
    • AuditD Rules for Service Modification
      • Monitor modifications to /etc/systemd/system/ for new or altered service unit files: auditctl -w /etc/systemd/system/ -p wa -k service_modification
      • Track execution of systemctl or service commands with an execute watch on the binaries: auditctl -w /usr/bin/systemctl -p x -k service_mod and auditctl -w /usr/sbin/service -p x -k service_mod (adjust the paths to the distribution). A syscall rule of the form -S execve -F a0=systemctl does not work, because -F a0= compares numeric argument values and cannot match a string; the SYSCALL/EXECVE records produced by the watch carry the full argument list.
    • OSQuery for Linux/macOS Monitoring
      • On Linux, query the systemd_units table for units that are loaded but not active: SELECT id, load_state, active_state, sub_state, fragment_path FROM systemd_units WHERE active_state != 'active'; (the table has no state column; the status fields are active_state and sub_state). On macOS, the launchd table lists loaded LaunchDaemons/LaunchAgents with their program paths. Pair either query with osquery file integrity monitoring (the file_events table) on the unit or plist directories to catch the change itself.
    • macOS Launch Daemon/Agent Modification
      • Monitor for changes in:
        • /Library/LaunchDaemons/
        • /Library/LaunchAgents/
        • ~/Library/LaunchAgents/ (per-user agents)
      • Track creation or modification of .plist files in these directories, and changes to their ProgramArguments or RunAtLoad keys, as indicators of persistence attempts.
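Putting the Windows, Sysmon and auditd sources above together, the following is an added example (not part of this page or of ATT&CK) of a detection routine run over constructed sample events. The events are hand-built dictionaries whose field names assume a SIEM-style normalization (source, EventCode, Message, TargetObject, Details, CommandLine, and the auditd record fields type, key, name, nametype and a0..a2); the 7040 parser follows the English message text, and the watched registry value names, sc.exe verbs and systemctl verbs are choices made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Registry values under a service key that change what runs or how it starts (example choice).
WATCHED_VALUES = {"ImagePath", "Start", "ObjectName", "ServiceDll", "FailureCommand"}
# sc.exe verbs that alter a service definition; qc/query/queryex are read-only.
SC_MODIFY_VERBS = {"config", "create", "delete", "failure", "sdset"}
# systemctl verbs that alter unit state on disk; status/show/list-units are read-only.
SYSTEMCTL_MODIFY_VERBS = {"enable", "disable", "mask", "unmask", "edit", "link", "set-property", "revert"}
UNIT_DIR = "/etc/systemd/system/"


@dataclass(frozen=True)
class Alert:
    source: str
    service: str
    detail: str


def check_event(evt: dict) -> Optional[Alert]:
    """Return an Alert when the event records a change to a service definition, else None."""
    src, code = evt.get("source"), evt.get("EventCode")

    # System 7040: the message text carries the service name and the old/new start type.
    if src == "WinEventLog:System" and code == 7040:
        m = re.search(r"start type of the (.+?) service was changed from (.+?) to (.+?)\.", evt["Message"])
        if m:
            return Alert(src, m.group(1), f"start type {m.group(2)} -> {m.group(3)}")

    # Sysmon 13: registry value set under the Services key. The service name is the first
    # path element after the key; only the value names listed above are flagged.
    if src == "Sysmon" and code == 13:
        m = re.match(r"HKLM\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\\(.+)$", evt["TargetObject"], re.I)
        if m and m.group(2).split("\\")[-1] in WATCHED_VALUES:
            return Alert(src, m.group(1), f"{m.group(2)} set to {evt['Details']}")

    # Security 4688 (command-line auditing on): sc.exe modification verbs, optionally with a
    # \\server argument before the verb, or Set-Service inside a PowerShell command line.
    if src == "WinEventLog:Security" and code == 4688:
        cl = evt["CommandLine"]
        m = re.search(r'(?:^|[\\\s"])sc(?:\.exe)?"?\s+(?:\\\\\S+\s+)?(\w+)\s+(\S+)', cl, re.I)
        if m and m.group(1).lower() in SC_MODIFY_VERBS:
            return Alert(src, m.group(2), f"sc {m.group(1).lower()}: {cl}")
        if re.search(r"\bSet-Service\b", cl, re.I):
            m = (re.search(r"-Name\s+[\"']?(?!-)([\w.-]+)", cl, re.I)
                 or re.search(r"Set-Service\s+[\"']?(?!-)([\w.-]+)", cl, re.I))
            return Alert(src, m.group(1) if m else "?", f"Set-Service: {cl}")

    # auditd: PATH records from the -w /etc/systemd/system/ -p wa rule (nametype CREATE, NORMAL
    # or DELETE; PARENT is the directory itself) and EXECVE records from the watch on systemctl.
    if src == "auditd":
        if (evt.get("type") == "PATH" and evt["name"].startswith(UNIT_DIR)
                and evt.get("nametype") in {"CREATE", "NORMAL", "DELETE"}):
            return Alert(src, evt["name"][len(UNIT_DIR):], f"unit file {evt['nametype'].lower()} ({evt['key']})")
        if (evt.get("type") == "EXECVE" and evt.get("a0", "").endswith("systemctl")
                and evt.get("a1") in SYSTEMCTL_MODIFY_VERBS):
            return Alert(src, evt.get("a2", "?"), f"systemctl {evt['a1']}")
    return None


def scan(events) -> list:
    """Run check_event over a sequence of events and collect the alerts in input order."""
    return [a for a in (check_event(e) for e in events) if a is not None]


# Constructed sample events (not real telemetry), mixing true positives with benign noise.
SAMPLE_EVENTS = [
    {"source": "WinEventLog:System", "EventCode": 7040,
     "Message": ("The start type of the Windows Defender Antivirus Service service was changed "
                 "from auto start to disabled.")},
    {"source": "WinEventLog:System", "EventCode": 7036,
     "Message": "The Print Spooler service entered the running state."},
    {"source": "Sysmon", "EventCode": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "Details": r"C:\Users\Public\svchost.exe"},
    {"source": "Sysmon", "EventCode": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\Enum\0",
     "Details": r"SWD\PRINTENUM\PrintQueues"},
    {"source": "WinEventLog:Security", "EventCode": 4688,
     "CommandLine": r'"C:\Windows\System32\sc.exe" config Spooler binPath= "C:\Users\Public\svchost.exe"'},
    {"source": "WinEventLog:Security", "EventCode": 4688, "CommandLine": "sc qc Spooler"},
    {"source": "WinEventLog:Security", "EventCode": 4688,
     "CommandLine": "powershell.exe -c Set-Service -Name WinDefend -StartupType Disabled"},
    {"source": "auditd", "type": "PATH", "key": "service_modification",
     "name": "/etc/systemd/system/evil-update.service", "nametype": "CREATE"},
    {"source": "auditd", "type": "PATH", "key": "service_modification",
     "name": "/etc/systemd/system", "nametype": "PARENT"},
    {"source": "auditd", "type": "EXECVE", "key": "service_mod", "a0": "systemctl", "a1": "disable", "a2": "auditd"},
    {"source": "auditd", "type": "EXECVE", "key": "service_mod", "a0": "systemctl", "a1": "status", "a2": "sshd"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.source}] {a.service}: {a.detail}")
```

Of the eleven sample events, six produce alerts: the 7040 start-type change, the ImagePath rewrite, the sc.exe config call, the Set-Service call, the new unit file and the systemctl disable. The 7036 state change, the Enum subkey write, sc qc, the PARENT directory record and systemctl status are deliberately left unflagged, which is the noise the verb and value-name allow-lists exist to remove.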
ID: DC0065
Domains: ICS, Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name                                       Channel
Service                                    None
WinEventLog:Microsoft-IIS-Configuration    Module or ISAPI filter registration events
WinEventLog:System                         EventCode=7040

Detection Strategy