Unauthorized modification of service-related registry keys such as ImagePath, FailureCommand, ServiceDll, or Performance/Parameters keys. Defender correlates registry modifications, anomalous service metadata changes, and subsequent service process executions that deviate from baseline configurations.

| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657 |
| Service Modification (DC0065) | WinEventLog:System | EventCode=7040 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| MonitoredServiceKeys | Registry subkeys for critical services (ImagePath, ServiceDll, FailureCommand, Parameters). |
| BaselineServiceConfig | Known good service registry configurations and paths for comparison. |
| TimeWindow | Correlation interval between registry/service modifications and service execution. |
| PrivilegedAccounts | Accounts permitted to modify service configurations. |
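The correlation described above, as an added example rather than MITRE's own or any vendor's detection code: it maps the four mutable elements (MonitoredServiceKeys, BaselineServiceConfig, TimeWindow, PrivilegedAccounts) onto a small Python function that reads Security 4657, System 7040 and Sysmon EventID 1 records and raises an alert only when a monitored service value deviates from the baseline and is followed, within the window, by a service configuration change or a process start that matches the new value. The event dicts, the baseline entries, the account list and the service name are all constructed for the example; a real pipeline would populate them from SIEM rows and a trusted configuration export.

```python
"""Correlate service-registry modifications with later service execution.

Added example, not MITRE's code.  Events are simplified constructed dicts that
carry only the fields of Security 4657, System 7040 and Sysmon EventID 1 that
the correlation needs.
"""
import re
from datetime import datetime, timedelta

# MonitoredServiceKeys: value names worth watching; the Parameters subkey is
# treated as monitored as a whole (that is where ServiceDll normally lives).
MONITORED_VALUES = {"ImagePath", "ServiceDll", "FailureCommand"}
SERVICES_KEY = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Services\\([^\\]+)", re.I)

# BaselineServiceConfig: constructed known-good values, keyed by service name.
BASELINE = {
    "wuauserv": {"ImagePath": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
                 "ServiceDll": r"C:\Windows\system32\wuaueng.dll"},
}
# PrivilegedAccounts: constructed accounts allowed to change service configuration.
PRIVILEGED = {r"CORP\svc-deploy", r"NT AUTHORITY\SYSTEM"}
# TimeWindow: how long after a registry change we look for service execution.
WINDOW = timedelta(minutes=10)


def norm_path(value):
    """Normalise a path or command line for comparison (case, quotes, spacing)."""
    return " ".join(value.replace('"', "").split()).lower()


def service_from_key(key):
    """Return the service name a Services\\ registry path belongs to, or None."""
    m = SERVICES_KEY.match(key)
    return m.group(1).lower() if m else None


def is_monitored(e):
    """True for 4657 events touching a monitored value or a Parameters subkey."""
    return e["code"] == 4657 and (
        e.get("ObjectValueName") in MONITORED_VALUES
        or "\\parameters" in e["ObjectName"].lower())


def correlate(events, baseline=BASELINE, privileged=PRIVILEGED, window=WINDOW):
    """Alert on monitored changes that deviate from the baseline, enriched with
    whether a 7040 service change or a matching process start followed."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for m in filter(is_monitored, events):
        svc = service_from_key(m["ObjectName"])
        if svc is None:
            continue
        expected = baseline.get(svc, {}).get(m.get("ObjectValueName", ""))
        new_value = norm_path(m["NewValue"])
        if expected is not None and norm_path(expected) == new_value:
            continue  # matches the known-good configuration: not a deviation
        later = [e for e in events if m["time"] < e["time"] <= m["time"] + window]
        service_change = any(
            e["code"] == 7040 and e["ServiceName"].lower() == svc for e in later)
        executed = any(
            e["channel"] == "Sysmon" and e["code"] == 1
            and (norm_path(e["Image"]) in new_value
                 or svc in e.get("CommandLine", "").lower())
            for e in later)
        priv = m["SubjectUserName"] in privileged
        alerts.append({
            "service": svc, "value": m.get("ObjectValueName"),
            "new_value": m["NewValue"], "account": m["SubjectUserName"],
            "privileged_account": priv, "service_change": service_change,
            "executed": executed,
            "severity": "high" if (executed or service_change) and not priv else "medium",
        })
    return alerts


T = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed records, one malicious sequence and two benign changes
    {"time": T, "channel": "Security", "code": 4657,
     "ObjectName": r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv",
     "ObjectValueName": "ImagePath", "NewValue": r'"C:\Users\Public\updater.exe"',
     "SubjectUserName": r"CORP\jdoe"},
    {"time": T + timedelta(minutes=1), "channel": "System", "code": 7040,
     "ServiceName": "wuauserv", "Message": "start type changed to auto start"},
    {"time": T + timedelta(minutes=3), "channel": "Sysmon", "code": 1,
     "Image": r"C:\Users\Public\updater.exe", "CommandLine": r"C:\Users\Public\updater.exe",
     "ParentImage": r"C:\Windows\system32\services.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"time": T + timedelta(hours=1), "channel": "Security", "code": 4657,
     "ObjectName": r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters",
     "ObjectValueName": "ServiceDll", "NewValue": r"C:\Windows\system32\wuaueng.dll",
     "SubjectUserName": r"CORP\svc-deploy"},
    {"time": T + timedelta(hours=2), "channel": "Security", "code": 4657,
     "ObjectName": r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv",
     "ObjectValueName": "DisplayName", "NewValue": "Windows Update",
     "SubjectUserName": r"CORP\svc-deploy"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only the first sequence produces an alert: a non-privileged account rewrote ImagePath to a value outside the baseline, the service configuration changed a minute later, and the new executable started under services.exe within the window, so the alert is rated high. The ServiceDll write matches the baseline and is skipped, and the DisplayName write is not a monitored value. Two caveats for production use: registry values of type REG_EXPAND_SZ (for example `%SystemRoot%`) must be expanded before comparison, and 4657 only fires for keys that carry a SACL, so the Services hive needs object-access auditing enabled for this data source to exist at all.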