ATT&CK v19 has been released! Check out the blog post for more information.

Service Modification

Changes made to an existing service or daemon, such as modifying the service name, start type, execution parameters, or security configurations.

ID: DC0065

Domains: ICS, Enterprise

Version: 2.1

Created: 20 October 2021

Last Modified: 20 April 2026

Log Sources

Name	Channel
esxi:hostd	service state change
Service	None
WinEventLog:Microsoft-IIS-Configuration	Module or ISAPI filter registration events
WinEventLog:System	EventCode=7040

ID	Name	Technique Detected
DET0497	Detection of Defense Impairment through Disabled or Modified Tools across OS Platforms.	T1685
DET0725	Detection of Masquerading	T0849
DET0427	Detection Strategy for Hijack Execution Flow through Service Registry Premission Weakness.	T1574.011
DET0068	Detection Strategy for T1505.004 - Malicious IIS Components	T1505.004