Adversaries may modify the binary file for an existing service to achieve Persistence while potentially evading defenses. If a newly created or modified binary runs as a service, it may indicate APT activity. However, services are frequently installed by legitimate software, so a well-tuned baseline is essential to differentiating between benign and malicious service modifications.

Output Description

The Service Name and approximate time in which changes occurred on each host

ATT&CK Detection

Technique                          | Tactic                             | Level of Coverage
New Service                        | Persistence, Privilege Escalation  | Moderate
Modify Existing Service            | Persistence                        | Moderate
File System Permissions Weakness   | Persistence, Privilege Escalation  | Moderate
Service Execution                  | Execution                          | Moderate

Data Model References

Object   | Action  | Field
file     | create  | file_path
file     | create  | image_path
process  | create  | image_path
process  | create  | parent_exe

Look for events where a file was created or modified and then later run as a service (a process whose parent is services.exe). In these cases, either a new service has been created or an existing service binary has been modified. Many programs, such as msiexec.exe, perform these actions legitimately, and the process that wrote the file (the file event's image_path) can be checked against a list of known installers to validate legitimate service creations and modifications.

legitimate_installers = ["C:\windows\system32\msiexec.exe", "C:\windows\syswow64\msiexec.exe", ...]

file_change = search File:Create,Modify
process = search Process:Create
service_process = filter process where (parent_exe == "services.exe")
modified_service = join (file_change, service_process) where (
 file_change.time < service_process.time and
 file_change.file_path == service_process.image_path
)

modified_service = filter modified_service where (modified_service.file_change.image_path not in legitimate_installers)
output modified_service
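The following is an added Python implementation of the join described above, not pseudocode or code from the original analytic page. It assumes file and process events have already been normalised into dictionaries with the data-model fields listed above (hostname, action, time, file_path, image_path, parent_exe); the sample events are constructed for illustration. It goes slightly beyond the pseudocode in two ways: paths are compared case-insensitively, since Windows paths are, and an optional maximum time gap between the file write and the service start can be set to reduce noise from long-lived installs (the analytic itself uses no such window).

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Installers that legitimately write service binaries. Assumed starting list;
# a real deployment tunes this against its own baseline. Lower-cased because
# comparison below is case-insensitive.
LEGITIMATE_INSTALLERS = {
    r"c:\windows\system32\msiexec.exe",
    r"c:\windows\syswow64\msiexec.exe",
}


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (strip, lower-case)."""
    return path.strip().lower()


def find_modified_services(file_events: List[dict], process_events: List[dict],
                           max_gap_seconds: Optional[float] = None) -> List[dict]:
    """Join file create/modify events to later process creations whose parent is
    services.exe and whose image_path equals the written file's path.
    Writes performed by a known installer are dropped. Returns one finding per match."""
    # Index writes by normalised path so the join is a lookup, not a nested loop.
    writes_by_path: Dict[str, List[dict]] = {}
    for ev in file_events:
        if ev["action"] in ("create", "modify"):
            writes_by_path.setdefault(_norm(ev["file_path"]), []).append(ev)

    findings = []
    for proc in process_events:
        if proc["action"] != "create":
            continue
        # The service control manager is the parent of every service process.
        parent_name = _norm(proc.get("parent_exe", "")).rsplit("\\", 1)[-1]
        if parent_name != "services.exe":
            continue
        for fw in writes_by_path.get(_norm(proc["image_path"]), []):
            if fw["time"] >= proc["time"]:
                continue  # file must have been written before the service started
            gap = (proc["time"] - fw["time"]).total_seconds()
            if max_gap_seconds is not None and gap > max_gap_seconds:
                continue  # outside the optional correlation window
            if _norm(fw.get("image_path", "")) in LEGITIMATE_INSTALLERS:
                continue  # written by a known installer: part of the baseline
            findings.append({
                "hostname": proc["hostname"],
                "service_binary": proc["image_path"],
                "written_by": fw.get("image_path"),
                "file_time": fw["time"],
                "service_time": proc["time"],
            })
    return findings


# Constructed sample events (not real telemetry).
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_FILE_EVENTS = [
    # msiexec writing a service binary: expected to be filtered as legitimate
    {"hostname": "ws01", "action": "create", "time": T0,
     "file_path": r"C:\Program Files\Vendor\svc.exe",
     "image_path": r"C:\Windows\System32\msiexec.exe"},
    # an unknown process modifying a binary that then runs as a service
    {"hostname": "ws01", "action": "modify", "time": T0 + timedelta(minutes=5),
     "file_path": r"C:\Windows\Temp\updater.exe",
     "image_path": r"C:\Users\Public\unknown_writer.exe"},
    # a write that happens AFTER the service started: must not match
    {"hostname": "ws01", "action": "create", "time": T0 + timedelta(minutes=20),
     "file_path": r"C:\Windows\Temp\late.exe",
     "image_path": r"C:\Users\Public\unknown_writer.exe"},
]
SAMPLE_PROCESS_EVENTS = [
    {"hostname": "ws01", "action": "create", "time": T0 + timedelta(minutes=1),
     "image_path": r"C:\Program Files\Vendor\svc.exe",
     "parent_exe": r"C:\Windows\System32\services.exe"},
    {"hostname": "ws01", "action": "create", "time": T0 + timedelta(minutes=6),
     "image_path": r"C:\Windows\Temp\updater.exe",
     "parent_exe": r"C:\Windows\System32\services.exe"},
    # same binary launched by explorer, i.e. not as a service: must not match
    {"hostname": "ws01", "action": "create", "time": T0 + timedelta(minutes=7),
     "image_path": r"C:\Windows\Temp\updater.exe",
     "parent_exe": r"C:\Windows\explorer.exe"},
    {"hostname": "ws01", "action": "create", "time": T0 + timedelta(minutes=10),
     "image_path": r"C:\Windows\Temp\late.exe",
     "parent_exe": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for finding in find_modified_services(SAMPLE_FILE_EVENTS, SAMPLE_PROCESS_EVENTS):
        print(finding)
```

Run against the constructed sample, only the updater.exe case is reported: the msiexec write is on the baseline, the explorer-launched copy has the wrong parent, and late.exe was written after its service started. Tightening `max_gap_seconds` to 30 suppresses the remaining hit, which is why such a window should be chosen from observed install timing rather than set arbitrarily.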