Monitor for abnormal creation or modification of Windows services (e.g., via sc.exe, PowerShell, or API calls) that load non-standard executables. Correlate registry changes in service keys with service creation events and process execution to detect service abuse for persistence or execution.

| Data Component | Name | Channel |
|---|---|---|
| Service Creation (DC0060) | WinEventLog:Security | EventCode=4697 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |

| Field | Description |
|---|---|
| ServiceAllowlist | Known good services and installers that regularly modify or create services |
| TimeWindow | Threshold for correlating service creation with unusual process execution |

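The correlation described above, as an added example that is not part of the original strategy text: it joins Security 4697 service-creation events with Sysmon EventCode 1 (sc.exe/PowerShell execution) and Sysmon EventCode 13 (writes to the service's ImagePath key) inside a TimeWindow, and drops services named in a ServiceAllowlist. The allowlist entries, the standard-directory list, the window length and the sample events are all constructed assumptions; the field names follow the corresponding Windows and Sysmon event schemas.

```python
import re
from datetime import datetime, timedelta

# Tunables named by the detection strategy; the values here are assumptions for this example.
SERVICE_ALLOWLIST = {"MsiServer", "CorpAgentSvc"}          # hypothetical known-good service names
TIME_WINDOW = timedelta(minutes=5)                          # correlation window around the 4697 event
STANDARD_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\program files\\", "c:\\program files (x86)\\")
SERVICE_TOOLS = {"sc.exe", "powershell.exe", "pwsh.exe"}   # tools the strategy names for service abuse
IMAGEPATH_KEY = re.compile(r"\\services\\([^\\]+)\\imagepath$", re.IGNORECASE)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def normalize_binary(service_file_name):
    """Reduce a ServiceFileName/ImagePath value to a lower-case executable path.

    Handles quoted paths followed by arguments, unquoted paths followed by
    arguments, and the %SystemRoot% variable used by built-in services.
    """
    value = service_file_name.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        path = value[1:end] if end > 0 else value[1:]
    else:
        path = value.split(" ", 1)[0]
    return path.lower().replace("%systemroot%", "c:\\windows")


def is_standard_path(path):
    return path.startswith(STANDARD_DIRS)


def service_from_registry_key(target_object):
    """Service name from HKLM\\System\\CurrentControlSet\\Services\\<name>\\ImagePath, else None."""
    match = IMAGEPATH_KEY.search(target_object)
    return match.group(1).lower() if match else None


def correlate(events):
    """Return one alert per suspicious 4697 event together with the correlated evidence."""
    svc_events = [e for e in events if e["Channel"] == "Security" and e["EventCode"] == 4697]
    proc_events = [e for e in events if e["Channel"] == "Sysmon" and e["EventCode"] == 1]
    reg_events = [e for e in events if e["Channel"] == "Sysmon" and e["EventCode"] == 13]
    alerts = []
    for svc in svc_events:
        name = svc["ServiceName"]
        if name in SERVICE_ALLOWLIST:
            continue
        created = parse_ts(svc["TimeCreated"])
        in_window = lambda e: abs(parse_ts(e["UtcTime"]) - created) <= TIME_WINDOW
        binary = normalize_binary(svc["ServiceFileName"])
        tools = [p for p in proc_events if in_window(p)
                 and p["Image"].rsplit("\\", 1)[-1].lower() in SERVICE_TOOLS]
        writes = [r for r in reg_events if in_window(r)
                  and service_from_registry_key(r["TargetObject"]) == name.lower()]
        reasons = []
        if not is_standard_path(binary):
            reasons.append(f"non-standard service binary {binary}")
        if tools:
            reasons.append("service tool executed in window: " + "; ".join(t["CommandLine"] for t in tools))
        if writes:
            reasons.append("ImagePath written in window: " + writes[0]["Details"])
        # A non-standard binary alerts on its own; otherwise require both corroborating signals.
        if not is_standard_path(binary) or (tools and writes):
            alerts.append({"service": name, "binary": binary,
                           "user": svc["SubjectUserName"], "reasons": reasons})
    return alerts


SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"Channel": "Sysmon", "EventCode": 1, "UtcTime": "2024-03-01 10:00:03",
     "Image": "C:\\Windows\\System32\\sc.exe",
     "CommandLine": 'sc.exe create UpdaterSvc binPath= "C:\\Users\\Public\\upd.exe" start= auto'},
    {"Channel": "Sysmon", "EventCode": 13, "UtcTime": "2024-03-01 10:00:03",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\UpdaterSvc\\ImagePath",
     "Details": "C:\\Users\\Public\\upd.exe"},
    {"Channel": "Security", "EventCode": 4697, "TimeCreated": "2024-03-01 10:00:04",
     "SubjectUserName": "jdoe", "ServiceName": "UpdaterSvc",
     "ServiceFileName": "C:\\Users\\Public\\upd.exe"},
    # Allowlisted installer activity: ignored regardless of correlations.
    {"Channel": "Security", "EventCode": 4697, "TimeCreated": "2024-03-01 11:15:00",
     "SubjectUserName": "SYSTEM", "ServiceName": "CorpAgentSvc",
     "ServiceFileName": '"C:\\Program Files\\CorpAgent\\agent.exe" --service'},
    # Standard path with no correlated tool execution or registry write: no alert.
    {"Channel": "Security", "EventCode": 4697, "TimeCreated": "2024-03-01 12:00:00",
     "SubjectUserName": "SYSTEM", "ServiceName": "PrintHelper",
     "ServiceFileName": "%SystemRoot%\\System32\\svchost.exe -k netsvcs"},
    # sc.exe run hours earlier: outside TimeWindow, so never correlated.
    {"Channel": "Sysmon", "EventCode": 1, "UtcTime": "2024-03-01 07:30:00",
     "Image": "C:\\Windows\\System32\\sc.exe", "CommandLine": "sc.exe query"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The registry write and the 4697 event are matched on the service name parsed out of the ImagePath key rather than on the binary path, because the ImagePath value is often written before the service-creation audit event fires and may differ in quoting from ServiceFileName.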
Detect unusual invocations of systemctl, service, or init scripts creating or modifying daemons. Monitor audit logs for execution of binaries from unexpected paths linked to service start/stop activity.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Service Creation (DC0060) | linux:syslog | systemctl start/enable with uncommon binary paths |
| File Modification (DC0061) | auditd:SYSCALL | write |

| Field | Description |
|---|---|
| ServiceBinaryPaths | Valid directories for service binaries to filter out benign changes |
| UserContext | Expected accounts performing service management (e.g., root/admin) |

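An added example of the Linux analytic, not code from the original strategy: it reassembles auditd SYSCALL and EXECVE records for execve by their shared audit id, keeps systemctl/service invocations that start or enable a unit, and flags those run by an account outside UserContext or whose unit file's ExecStart points outside ServiceBinaryPaths. The audit lines, unit file contents, directory list and expected auid set are constructed assumptions.

```python
import os
import re
from collections import defaultdict

# Tunables named by the detection strategy; values are assumptions for this example.
SERVICE_BINARY_PATHS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
                        "/bin/", "/sbin/", "/opt/")
USER_CONTEXT = {"0"}                       # auid values expected to manage services (root)
SERVICE_TOOLS = {"systemctl", "service"}
START_VERBS = {"start", "restart", "enable", "reenable"}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUDIT_ID = re.compile(r"msg=audit\([\d.]+:(\d+)\)")


def parse_audit_line(line):
    """Split one auditd record into a field dict, adding the event id under '_id'."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    match = AUDIT_ID.search(line)
    fields["_id"] = match.group(1) if match else None
    return fields


def group_records(lines):
    """auditd emits SYSCALL and EXECVE as separate lines that share one audit id."""
    groups = defaultdict(dict)
    for line in lines:
        rec = parse_audit_line(line)
        groups[rec["_id"]][rec["type"]] = rec
    return groups


def exec_start_path(unit_text):
    """Executable from a unit file's ExecStart=, with systemd's -, @, +, !, : prefixes dropped."""
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("ExecStart="):
            command = line.split("=", 1)[1].strip().lstrip("-@+!:")
            return command.split()[0] if command else None
    return None


def units_from_argv(argv):
    """Unit names named on a systemctl or service command line."""
    tool = os.path.basename(argv[0])
    if tool == "service" and len(argv) >= 3:
        name = argv[1]
        return [name if name.endswith(".service") else name + ".service"]
    return [a for a in argv[1:] if a.endswith(".service")]


def analyse(audit_lines, unit_files):
    """Flag start/enable of units by unexpected accounts or with ExecStart outside ServiceBinaryPaths."""
    findings = []
    for audit_id, recs in group_records(audit_lines).items():
        syscall, execve = recs.get("SYSCALL"), recs.get("EXECVE")
        if not syscall or not execve:
            continue
        argv = [execve[f"a{i}"] for i in range(int(execve["argc"]))]
        if os.path.basename(argv[0]) not in SERVICE_TOOLS or not START_VERBS & set(argv[1:]):
            continue
        reasons = []
        if syscall.get("auid") not in USER_CONTEXT:
            reasons.append(f"unexpected auid {syscall.get('auid')}")
        for unit in units_from_argv(argv):
            path = exec_start_path(unit_files.get(unit, ""))
            if path and not path.startswith(SERVICE_BINARY_PATHS):
                reasons.append(f"{unit} ExecStart outside ServiceBinaryPaths: {path}")
        if reasons:
            findings.append({"audit_id": audit_id, "argv": argv, "reasons": reasons})
    return findings


SAMPLE_AUDIT = [  # constructed auditd records, not real logs
    'type=SYSCALL msg=audit(1709280000.101:101): arch=c000003e syscall=59 success=yes exit=0 uid=0 auid=0 comm="systemctl" exe="/usr/bin/systemctl" key="service_mgmt"',
    'type=EXECVE msg=audit(1709280000.101:101): argc=3 a0="systemctl" a1="restart" a2="sshd.service"',
    'type=SYSCALL msg=audit(1709280060.202:102): arch=c000003e syscall=59 success=yes exit=0 uid=1000 auid=1000 comm="systemctl" exe="/usr/bin/systemctl" key="service_mgmt"',
    'type=EXECVE msg=audit(1709280060.202:102): argc=4 a0="systemctl" a1="enable" a2="--now" a3="cache-helper.service"',
    'type=SYSCALL msg=audit(1709280120.303:103): arch=c000003e syscall=59 success=yes exit=0 uid=0 auid=0 comm="service" exe="/usr/sbin/service" key="service_mgmt"',
    'type=EXECVE msg=audit(1709280120.303:103): argc=3 a0="service" a1="cron" a2="start"',
]
SAMPLE_UNITS = {  # constructed unit file contents, as if read from /etc/systemd/system
    "sshd.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
    "cache-helper.service": "[Service]\nExecStart=-/tmp/.cache/helper --daemon\nRestart=always\n",
}

if __name__ == "__main__":
    for finding in analyse(SAMPLE_AUDIT, SAMPLE_UNITS):
        print(finding)
```

The auid (login uid) is used rather than uid because it survives sudo and su, so a non-root operator who elevates to manage services is still attributed to the original account.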
Monitor launchd service definitions and property list (.plist) modifications for non-standard executables. Detect unauthorized processes registered as launch daemons or agents.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | Unexpected processes registered with launchd |
| File Modification (DC0061) | macos:unifiedlog | Modification of LaunchAgents or LaunchDaemons plist files |

| Field | Description |
|---|---|
| PlistAllowlist | Known launch agents/daemons expected to be modified by updates or IT tools |
| PayloadEntropyThreshold | Entropy level for detecting suspicious binary payloads in launchd services |
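An added example of the macOS analytic, not code from the original strategy: it parses a LaunchAgents/LaunchDaemons plist with the standard library, skips labels in a PlistAllowlist, resolves the executable launchd would run (Program, else ProgramArguments[0]), and reports items whose binary sits outside the usual system directories or whose payload's Shannon entropy meets a PayloadEntropyThreshold. The allowlist, directory list, threshold, plists and payload bytes are constructed assumptions.

```python
import math
import plistlib

# Tunables named by the detection strategy; values are assumptions for this example.
PLIST_ALLOWLIST = {"com.corp.it.inventory", "com.corp.backup"}   # exact labels, not prefixes
PAYLOAD_ENTROPY_THRESHOLD = 7.0                                   # bits/byte; packed or encrypted data sits near 8
STANDARD_DIRS = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/",
                 "/Library/Apple/", "/Applications/")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for an empty buffer, 8.0 when every byte value is equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def program_path(plist):
    """launchd runs Program when present, otherwise ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def assess_launchd_item(plist_path, plist_bytes, read_payload):
    """Return a finding dict for a suspicious launchd item, or None."""
    plist = plistlib.loads(plist_bytes)
    label = plist.get("Label", "")
    if label in PLIST_ALLOWLIST:
        return None
    program = program_path(plist)
    reasons = []
    if program is None:
        reasons.append("no Program or ProgramArguments")
    elif not program.startswith(STANDARD_DIRS):
        reasons.append(f"non-standard executable {program}")
    entropy = shannon_entropy(read_payload(program) if program else b"")
    if entropy >= PAYLOAD_ENTROPY_THRESHOLD:
        reasons.append(f"payload entropy {entropy:.2f} >= {PAYLOAD_ENTROPY_THRESHOLD}")
    if not reasons:
        return None
    return {"plist": plist_path, "label": label, "program": program,
            "entropy": round(entropy, 2), "reasons": reasons}


SCRIPT = b"#!/bin/sh\nexec /usr/bin/rsync -a /Users /Volumes/Backup\n" * 40   # low-entropy text
SAMPLE_PAYLOADS = {  # constructed file contents standing in for the referenced executables
    "/usr/libexec/backupd": SCRIPT,
    "/Applications/VendorAgent.app/Contents/MacOS/agent": SCRIPT,
    "/Users/Shared/.helper": bytes(range(256)) * 16,   # every byte value 16 times: exactly 8.0 bits/byte
}
SAMPLE_ITEMS = [  # constructed (path, plist bytes) pairs, not real launchd items
    ("/Library/LaunchDaemons/com.corp.backup.plist",
     plistlib.dumps({"Label": "com.corp.backup", "ProgramArguments": ["/usr/libexec/backupd"],
                     "RunAtLoad": True})),
    ("/Library/LaunchAgents/com.vendor.agent.plist",
     plistlib.dumps({"Label": "com.vendor.agent",
                     "Program": "/Applications/VendorAgent.app/Contents/MacOS/agent", "RunAtLoad": True})),
    ("/Library/LaunchDaemons/com.apple.update.helper.plist",
     plistlib.dumps({"Label": "com.apple.update.helper", "ProgramArguments": ["/Users/Shared/.helper", "-s"],
                     "RunAtLoad": True, "KeepAlive": True})),
]


def run_sample():
    """Assess every constructed item; payload bytes are looked up instead of read from disk."""
    read_payload = lambda path: SAMPLE_PAYLOADS.get(path, b"")
    return [f for f in (assess_launchd_item(p, b, read_payload) for p, b in SAMPLE_ITEMS) if f]


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The allowlist is keyed on exact labels because an Apple-looking label such as com.apple.update.helper is trivial to choose; the executable path and payload checks are what separate the vendor agent in /Applications from the item in /Users/Shared. Plists on disk may be binary rather than XML, which plistlib.loads handles either way.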