DET0571 Detection of System Process Creation or Modification Across Platforms

Item	Value
ID	DET0571
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1543 (Create or Modify System Process)

Analytics

Windows

AN1575

Detects command-line or API-based creation/modification of Windows Services via sc.exe, powershell.exe, services.exe, or ChangeServiceConfig. Looks for creation/modification of autostart services via registry changes, file drops to System32\services, and anomalous parent-child process trees.

Log Sources

Data Component	Name	Channel
Service Creation (DC0060)	WinEventLog:Security	EventCode=4697
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1
Windows Registry Key Modification (DC0063)	WinEventLog:Sysmon	EventCode=13, 14

Mutable Elements

Field	Description
ServiceNamePattern	Regex patterns to flag unusual service names or binaries
ParentProcessFilter	List of non-administrative processes starting service management tools
RegistryPathList	Monitored autorun locations (e.g., `HKLM\System\CurrentControlSet\Services`)

Linux

AN1576

Detects creation or modification of systemd service units, addition of cron jobs that invoke binaries on boot, or suspicious writes to /etc/init.d/. Monitors chmod +x and systemctl execution paths, especially from non-root parent processes.

Log Sources

Data Component	Name	Channel
File Modification (DC0061)	auditd:SYSCALL	write or rename to /etc/systemd/system or /etc/init.d
Command Execution (DC0064)	auditd:SYSCALL	execution of systemctl or service with enable/start/modify

Mutable Elements

Field	Description
ServicePathRegex	Path-based filters to identify service unit files or init scripts
UserContextList	List of expected user contexts that normally perform service changes
CommandNameList	Binaries used to register/modify services

macOS

AN1577

Detects creation or modification of LaunchDaemon or LaunchAgent plist files under /Library/LaunchDaemons/, ~/Library/LaunchAgents/, or similar. Monitors execution of launchctl, property list edits, and file permission changes.

Log Sources

Data Component	Name	Channel
Command Execution (DC0064)	macos:unifiedlog	launchctl load/unload or plist file modification
File Modification (DC0061)	fs:fsusage	file write to launchd plist paths

Mutable Elements

Field	Description
PlistPathList	Watched directories for LaunchDaemons and LaunchAgents
PlistKeyMonitor	Monitored keys such as `RunAtLoad`, `KeepAlive`, or `ProgramArguments`
UnsignedBinaryAlert	Flag execution of unsigned or non-Apple-signed binaries within plist

Containers

AN1578

Detects creation of new container system processes via docker run --restart, kubectl exec to init containers, or modification of container init specs. Flags container images that override entrypoints to embed persistence behaviors.

Log Sources

Data Component	Name	Channel
Container Creation (DC0072)	docker:events	docker run with restart=always or modifying init
File Modification (DC0061)	auditd:SYSCALL	modification of entrypoint scripts or init containers

Mutable Elements

Field	Description
EntrypointOverridePattern	Patterns used to detect modified container start scripts
RestartPolicyMatch	Policy values triggering alert (e.g., always, on-failure)
KubeInitModPath	Path filters for `/etc/init.d/`-like behaviors inside containers