Detects creation or modification of Windows Services through command-line tools (e.g., sc.exe, powershell.exe), Registry key changes under HKLM\System\CurrentControlSet\Services, and service execution under SYSTEM with unsigned or anomalous binary paths. Detects privilege escalation via driver installation or CreateServiceW usage. Correlates parent-child lineage, startup behavior, and rare service names.

| Data Component | Name | Channel |
|---|---|---|
| Service Creation (DC0060) | WinEventLog:Security | EventCode=4697 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |
| Driver Load (DC0079) | WinEventLog:Sysmon | EventCode=6 |

| Field | Description |
|---|---|
| ServiceNamePattern | Regex for suspicious or uncommon service names (e.g., `svhostx`, `winhelp`, etc.) |
| ImagePathFilter | Flag services whose image path resides in uncommon directories (e.g., `C:\Users\`, `C:\Temp\`) |
| DriverExtensionList | Watch for `.sys` files loaded by `sc`, Registry, or `ZwLoadDriver` APIs |
| StartupTypeChangeWindow | Temporal window to correlate Registry `Start` key changes with service creation |
| UnsignedBinaryAlert | Raise alerts for unsigned binaries registered as services |
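The following is an added illustration, not part of the original analytic, of how the tunable fields above can be applied to Security 4697 and Sysmon 13 events: it flags a service creation that matches ServiceNamePattern, ImagePathFilter or UnsignedBinaryAlert, and correlates a later `Start` value change under the service key within StartupTypeChangeWindow. The events, regex values and 5-minute window are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Tunable fields from the table above; the concrete values are assumptions for this example.
SERVICE_NAME_PATTERN = re.compile(r"^(?:svhostx|winhelp)$", re.I)          # ServiceNamePattern
IMAGE_PATH_FILTER = re.compile(r'^"?C:\\(?:Users|Temp|Windows\\Temp)\\', re.I)  # ImagePathFilter
STARTUP_TYPE_CHANGE_WINDOW = timedelta(minutes=5)                          # StartupTypeChangeWindow

# Constructed sample events: two 4697 service creations and one Sysmon 13 registry change.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "code": 4697, "service": "WinDefendSvc",
     "image": r"C:\Windows\System32\svchost.exe -k netsvcs", "signed": True},
    {"time": "2024-01-01T10:01:00", "code": 4697, "service": "svhostx",
     "image": r"C:\Users\Public\update.exe", "signed": False},
    {"time": "2024-01-01T10:02:30", "code": 13, "service": "svhostx",
     "target": r"HKLM\System\CurrentControlSet\Services\svhostx\Start",
     "details": "DWORD (0x00000002)"},
]


def evaluate(events, window=STARTUP_TYPE_CHANGE_WINDOW):
    """Return (service_name, [triggered_fields]) tuples in event-time order."""
    alerts = []
    creations = {}  # service name -> creation timestamp from event 4697
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["code"] == 4697:
            reasons = []
            if SERVICE_NAME_PATTERN.search(ev["service"]):
                reasons.append("ServiceNamePattern")
            if IMAGE_PATH_FILTER.search(ev["image"]):
                reasons.append("ImagePathFilter")
            if not ev["signed"]:
                reasons.append("UnsignedBinaryAlert")
            creations[ev["service"]] = ts
            if reasons:
                alerts.append((ev["service"], reasons))
        elif ev["code"] == 13 and ev["target"].endswith("\\Start"):
            # Key layout is ...\Services\<name>\Start, so the service name is the second-to-last part.
            svc = ev["target"].split("\\")[-2]
            created = creations.get(svc)
            if created is not None and ts - created <= window:
                alerts.append((svc, ["StartupTypeChangeWindow"]))
    return alerts


if __name__ == "__main__":
    for svc, reasons in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {svc}: {', '.join(reasons)}")
```

In a SIEM the same logic maps onto a join of EventCode=4697 and Sysmon EventCode=13 on the service name, with the window applied to the timestamp difference.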