
DET0552 Detection of Windows Service Creation or Modification

ID: DET0552
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1543.003 (Windows Service)

Analytics

Windows

AN1527

Detects creation or modification of Windows Services through command-line tools (e.g., sc.exe, powershell.exe), Registry key changes under HKLM\System\CurrentControlSet\Services, and service execution under SYSTEM with unsigned or anomalous binary paths. Detects privilege escalation via driver installation or CreateServiceW usage. Correlates parent-child lineage, startup behavior, and rare service names.

Log Sources

Data Component | Name | Channel
Service Creation (DC0060) | WinEventLog:Security | EventCode=4697
Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1
Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13, 14
Driver Load (DC0079) | WinEventLog:Sysmon | EventCode=6
Mutable Elements

Field | Description
ServiceNamePattern | Regex for suspicious or uncommon service names (e.g., svhostx, winhelp, etc.)
ImagePathFilter | Flag services whose image path resides in uncommon directories (e.g., C:\Users\, C:\Temp\)
DriverExtensionList | Watch for .sys files loaded by sc, Registry, or ZwLoadDriver APIs
StartupTypeChangeWindow | Temporal window to correlate Registry Start key changes with service creation
UnsignedBinaryAlert | Raise alerts for unsigned binaries registered as services
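As an added illustration (not part of the DET0552 strategy or any MITRE-provided code), the Python below applies the mutable elements above to a few constructed events drawn from the listed log sources. Field names follow the Security 4697 and Sysmon 1/13/6 schemas; the regex values, the 10-minute window and the sample events are assumed tuning and constructed data, not real telemetry.

```python
import re
from datetime import datetime, timedelta

# Mutable elements from DET0552; the concrete values here are assumed tuning.
SERVICE_NAME_PATTERN = re.compile(r"^(svhostx|winhelp)\w*$", re.I)
IMAGE_PATH_FILTER = re.compile(r"^[a-z]:\\(users|temp)\\", re.I)
DRIVER_EXTENSION_LIST = (".sys",)
STARTUP_TYPE_CHANGE_WINDOW = timedelta(minutes=10)
UNSIGNED_BINARY_ALERT = True
SERVICE_CMD = re.compile(r"\b(sc(\.exe)?\s+(create|config)|new-service)\b", re.I)
START_KEY = re.compile(r"^hklm\\system\\currentcontrolset\\services\\([^\\]+)\\start$", re.I)

def evaluate(events):
    """Run the analytic over normalized event dicts; return (rule, detail) findings in time order."""
    findings, created = [], {}  # created: lower-cased service name -> 4697 timestamp
    for ev in sorted(events, key=lambda e: e["time"]):
        src, code, t = ev["source"], ev["code"], datetime.fromisoformat(ev["time"])
        if src == "Security" and code == 4697:          # service installed on the system
            name, image = ev["ServiceName"], ev["ServiceFileName"]
            created[name.lower()] = t
            if SERVICE_NAME_PATTERN.match(name):
                findings.append(("ServiceNamePattern", name))
            if IMAGE_PATH_FILTER.match(image):
                findings.append(("ImagePathFilter", image))
            if image.lower().endswith(DRIVER_EXTENSION_LIST):
                findings.append(("DriverExtensionList", image))
        elif src == "Sysmon" and code == 1:             # process creation: sc.exe / PowerShell
            if SERVICE_CMD.search(ev["CommandLine"]):
                findings.append(("ServiceCommandLine", ev["CommandLine"]))
        elif src == "Sysmon" and code == 13:            # registry value set under ...\Services
            if m := START_KEY.match(ev["TargetObject"]):
                svc = m.group(1).lower()  # correlate the Start change with a recent 4697
                if svc in created and t - created[svc] <= STARTUP_TYPE_CHANGE_WINDOW:
                    findings.append(("StartupTypeChangeWindow", m.group(1)))
        elif src == "Sysmon" and code == 6:             # driver load, Signed comes from Sysmon
            if UNSIGNED_BINARY_ALERT and ev.get("Signed", "true").lower() == "false":
                findings.append(("UnsignedBinaryAlert", ev["ImageLoaded"]))
    return findings

# Constructed sample: a kernel service registered from C:\Temp, its Start value set right after, then an unsigned driver load.
SAMPLE_EVENTS = [
    {"source": "Sysmon", "code": 1, "time": "2025-10-21T10:00:00",
     "CommandLine": 'sc.exe create winhelpsvc type= kernel binPath= "C:\\Temp\\winhelp.sys"'},
    {"source": "Security", "code": 4697, "time": "2025-10-21T10:00:01",
     "ServiceName": "winhelpsvc", "ServiceFileName": "C:\\Temp\\winhelp.sys"},
    {"source": "Sysmon", "code": 13, "time": "2025-10-21T10:00:02",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\winhelpsvc\\Start"},
    {"source": "Sysmon", "code": 6, "time": "2025-10-21T10:00:05",
     "ImageLoaded": "C:\\Temp\\winhelp.sys", "Signed": "false"},
]
```

A Start value change with no matching 4697 inside the window produces no finding on its own, which is the point of the temporal correlation.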