
DET0427 Detection Strategy for Hijack Execution Flow through Service Registry Permissions Weakness

Item           Value
ID             DET0427
Version        1.0
Created        21 October 2025
Last Modified  21 October 2025

Technique Detected: T1574.011 (Services Registry Permissions Weakness)

Analytics

Windows

AN1195

Unauthorized modification of service-related registry values such as ImagePath, FailureCommand, ServiceDll, or the Performance/Parameters subkeys. The defender correlates registry modifications, anomalous service metadata changes, and subsequent service process executions that deviate from baseline configurations.

Log Sources

Data Component                              Name                  Channel
Windows Registry Key Modification (DC0063)  WinEventLog:Security  EventCode=4657
Service Modification (DC0065)               WinEventLog:System    EventCode=7040
Process Creation (DC0032)                   WinEventLog:Sysmon    EventCode=1

Mutable Elements

Field                  Description
MonitoredServiceKeys   Registry subkeys for critical services (ImagePath, ServiceDll, FailureCommand, Parameters).
BaselineServiceConfig  Known-good service registry configurations and paths for comparison.
TimeWindow             Correlation interval between registry/service modifications and service execution.
PrivilegedAccounts     Accounts permitted to modify service configurations.
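The correlation that AN1195 describes, written out against the three log sources and the mutable elements above, as an added example that is not part of the ATT&CK page or any MITRE tooling. Event field names (ts, channel, code, account, object_name, value_name, new_value, image, parent_image, service) and all sample values are constructed for the example; a real deployment would map them from the 4657, 7040 and Sysmon 1 event fields of its own SIEM.

```python
from datetime import datetime, timedelta

# Mutable elements from the strategy, filled with constructed sample values.
MONITORED_SERVICE_KEYS = {"ImagePath", "ServiceDll", "FailureCommand", "Parameters"}
BASELINE_SERVICE_CONFIG = {"Spooler": r"C:\Windows\System32\spoolsv.exe"}  # known-good ImagePath
PRIVILEGED_ACCOUNTS = {r"NT AUTHORITY\SYSTEM", r"CORP\svc-deploy"}
TIME_WINDOW = timedelta(minutes=10)

def service_name(object_name):
    """Service name from ...\\Services\\<Name>[\\subkey] as logged in a 4657 ObjectName."""
    parts = object_name.split("\\")
    lowered = [p.lower() for p in parts[:-1]]  # drop the last part so index + 1 always exists
    return parts[lowered.index("services") + 1] if "services" in lowered else None

def correlate(events):
    """Alert on 4657 writes to monitored service keys by non-privileged accounts or to an
    off-baseline ImagePath; corroborate with 7040 and escalate if services.exe runs the new binary."""
    alerts = []
    for mod in events:
        if mod["channel"] != "Security" or mod["code"] != 4657 or (
                mod["value_name"] not in MONITORED_SERVICE_KEYS
                and "\\parameters" not in mod["object_name"].lower()):
            continue
        baseline = BASELINE_SERVICE_CONFIG.get((svc := service_name(mod["object_name"])))
        unprivileged = mod["account"] not in PRIVILEGED_ACCOUNTS
        off_baseline = (mod["value_name"] == "ImagePath" and baseline is not None
                        and mod["new_value"].lower() != baseline.lower())
        if not (unprivileged or off_baseline):
            continue  # authorized write of a known-good value: no alert
        later = [e for e in events if mod["ts"] < e["ts"] <= mod["ts"] + TIME_WINDOW]
        reconfigured = any(e["code"] == 7040 and e["service"] == svc for e in later)
        executed = any(e["channel"] == "Sysmon" and e["code"] == 1
                       and e["parent_image"].lower().endswith("\\services.exe")
                       and e["image"].lower() == mod["new_value"].lower() for e in later)
        alerts.append({"service": svc, "value": mod["value_name"], "account": mod["account"],
                       "new_value": mod["new_value"], "service_changed": reconfigured,
                       "executed": executed, "severity": "high" if executed else "medium"})
    return alerts

# Constructed sample events (not real log data): one hijack, then an authorized restore.
T = datetime(2025, 10, 21, 10, 0, 0)
KEY = r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\Spooler"
SAMPLE_EVENTS = [
    {"ts": T, "channel": "Security", "code": 4657, "account": r"CORP\jdoe", "object_name": KEY,
     "value_name": "ImagePath", "new_value": r"C:\Users\Public\update.exe"},
    {"ts": T + timedelta(seconds=5), "channel": "System", "code": 7040, "service": "Spooler"},
    {"ts": T + timedelta(minutes=3), "channel": "Sysmon", "code": 1,
     "image": r"C:\Users\Public\update.exe", "parent_image": r"C:\Windows\System32\services.exe"},
    {"ts": T + timedelta(hours=1), "channel": "Security", "code": 4657, "object_name": KEY,
     "account": r"NT AUTHORITY\SYSTEM", "value_name": "ImagePath", "new_value": BASELINE_SERVICE_CONFIG["Spooler"]},
]
```

Running `correlate(SAMPLE_EVENTS)` yields a single high-severity alert for the Spooler ImagePath change by CORP\jdoe; the later restore by SYSTEM to the baseline path produces none.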