This note documents detection patterns related to Service Modification within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 7040 | Service start type changed | Critical | Detects service mode changes. |
| Security | 7045 | Service installed | Critical | Often adjacent when service altered or replaced. |
| Security | 4697 | Service installed | High | Security log service creation visibility. |
| Sysmon | 13 | Registry value set | Critical | Service ImagePath, Start, failure action changes. |
| Security | 4688 | Process creation | Critical | Detects sc.exe, PowerShell, reg.exe. |
| Sysmon | 1 | Process creation | Critical | Best lineage source for modification tooling. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| ImagePath changed | Service points to attacker payload | Critical | Core abuse primitive. |
| Start type changed to auto | Persistence activation | Critical | Common attacker step. |
| Failure action altered | Payload on service crash | High | Advanced persistence clue. |
| Existing service repointed | Trusted name, new binary | Critical | Strong stealth tactic. |
| Temp/AppData binary as service target | Strong anomaly | Critical | High-confidence signal. |
| Service restarts after edit | Trigger observed | High | Confirms activation. |
Common Tools
| Tool | Usage |
|---|---|
| sc.exe | Service config changes |
| reg.exe | Direct registry edits |
| PowerShell | Set-Service / registry writes |
| services.msc | GUI modification |
Relevant Artifacts
- Security Event IDs 7040, 7045, 4697, 4688
- Sysmon Event IDs 13, 1
- Registry path: HKLM\SYSTEM\CurrentControlSet\Services\
- Key values: ImagePath, Start, FailureActions
- Prefetch: SC.EXE, REG.EXE
- Amcache / ShimCache
MITRE ATT&CK References
- T1543.003 Windows Service
- T1112 Modify Registry
Decision Tree
- Which service modified?
  - Existing
  - Newly installed
- Which value changed?
  - ImagePath
  - Start
  - FailureActions
- Binary trusted?
  - System32
  - Temp
  - AppData
- Trigger observed?
  - Restart
  - Boot
  - Manual start
- Expand:
  - Adjacent persistence
  - Privilege escalation
  - Parent process
- Scope:
  - Single service
  - Multiple services
  - Campaign pattern
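The following is an added example, not part of the original note, showing how the indirect indicators and the decision tree above can be applied mechanically to Sysmon Event ID 13 records: it keeps only writes to ImagePath, Start and FailureActions under the Services tree, classifies the new binary's location (System32 versus Temp/AppData), flags a start type set to auto, notes when the writer is one of the listed modification tools, and groups findings per service for the scoping step. The sample events, service names, paths and the tool list are constructed or assumed for illustration and are not real telemetry.

```python
import re
from dataclasses import dataclass, field

# Only the three service values the note calls out: ImagePath, Start, FailureActions.
SERVICE_VALUE_RE = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\(?P<service>[^\\]+)\\"
    r"(?P<value>ImagePath|Start|FailureActions)$", re.IGNORECASE)
DWORD_RE = re.compile(r"DWORD \((0x[0-9A-Fa-f]+)\)")
# Location classes from the "Binary trusted?" branch of the decision tree (assumed set).
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
UNTRUSTED_MARKERS = ("\\temp\\", "\\appdata\\")
MODIFICATION_TOOLS = {"sc.exe", "reg.exe", "powershell.exe", "pwsh.exe"}
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
SEVERITY_ORDER = {"info": 0, "high": 1, "critical": 2}

# Constructed sample events shaped like Sysmon Event ID 13 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\sc.exe", "Details": r'"C:\Users\alice\AppData\Local\Temp\updater.exe" -k',
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath"},
    {"Image": r"C:\Windows\System32\sc.exe", "Details": "DWORD (0x00000002)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\Start"},
    {"Image": r"C:\Windows\System32\reg.exe", "Details": "Binary Data",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\FailureActions"},
    {"Image": r"C:\Windows\servicing\TrustedInstaller.exe", "Details": r"%SystemRoot%\system32\svchost.exe -k netsvcs -p",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\wuauserv\ImagePath"},
    {"Image": r"C:\Windows\System32\svchost.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SomeValue"},  # ignored
]

@dataclass
class Finding:
    service: str
    value: str
    writer: str
    severity: str
    reasons: list = field(default_factory=list)

def binary_from_image_path(details):
    """Executable from an ImagePath value: honour quoting, drop arguments, expand %SystemRoot%/%windir%."""
    text = details.strip()
    if text.startswith('"'):
        end = text.find('"', 1)
        exe = text[1:end] if end > 0 else text[1:]
    else:
        exe = text.split(" ", 1)[0]
    return re.sub(r"%systemroot%|%windir%", lambda _: "C:\\Windows", exe, flags=re.IGNORECASE)

def classify_location(exe):
    low = exe.lower()
    if any(marker in low for marker in UNTRUSTED_MARKERS):
        return "untrusted"
    return "trusted" if low.startswith(TRUSTED_PREFIXES) else "unknown"

def start_type_from_details(details):
    """Sysmon renders REG_DWORD values as 'DWORD (0x0000000N)'; return N, or None if not a DWORD."""
    match = DWORD_RE.search(details)
    return int(match.group(1), 16) if match else None

def triage_event(event):
    """Apply the 'which value changed' and 'binary trusted' branches to one event."""
    match = SERVICE_VALUE_RE.match(event["TargetObject"])
    if not match:
        return None  # not an ImagePath/Start/FailureActions write under the Services tree
    service, value = match.group("service"), match.group("value")
    writer = event["Image"].rsplit("\\", 1)[-1].lower()
    reasons, severity = [], "info"
    if value.lower() == "imagepath":
        exe = binary_from_image_path(event["Details"])
        location = classify_location(exe)
        reasons.append(f"ImagePath now {exe} ({location} location)")
        severity = {"untrusted": "critical", "unknown": "high"}.get(location, "info")
    elif value.lower() == "start":
        code = start_type_from_details(event["Details"])
        reasons.append(f"Start type set to {START_TYPES.get(code, code)}")
        severity = "high" if code == 2 else "info"  # auto start = persistence activation
    else:
        reasons.append("FailureActions rewritten (payload could run on service crash)")
        severity = "high"
    if writer in MODIFICATION_TOOLS:
        reasons.append(f"written by {writer}")
    return Finding(service, value, writer, severity, reasons)

def triage(events):
    """Group findings per service so the ImagePath + Start + FailureActions chain against
    one service reads as one story (the 'Scope' step of the decision tree)."""
    per_service = {}
    for finding in filter(None, (triage_event(e) for e in events)):
        per_service.setdefault(finding.service, []).append(finding)
    return {name: {"severity": max((f.severity for f in items), key=SEVERITY_ORDER.__getitem__),
                   "values_changed": sorted({f.value for f in items}),
                   "reasons": [r for f in items for r in f.reasons]}
            for name, items in per_service.items()}

if __name__ == "__main__":
    for name, info in triage(SAMPLE_EVENTS).items():
        print(name, info["severity"], info["values_changed"], *info["reasons"], sep="\n  ")
```

Running the block on the constructed events reports Spooler as critical (ImagePath into a Temp directory, Start set to auto, FailureActions rewritten, all by sc.exe/reg.exe) and wuauserv as informational, since its new ImagePath expands to a System32 binary and the writer is not a listed modification tool. The trusted/untrusted prefix lists are deliberately small and should be extended from the local baseline rather than trusted as-is.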
Example Detection Templates
KQL

```kql
SecurityEvent
| where EventID in (7040, 7045, 4697)
| project TimeGenerated, Computer, EventID, ServiceName
```

```kql
Sysmon
| where EventID == 13
| where TargetObject has "\\Services\\"
| project TimeGenerated, Computer, TargetObject, Details
```
EQL

```eql
registry where registry.path like "*\\Services\\*"
```

```eql
sequence by host.name with maxspan=10m
  [ registry where registry.path like "*\\Services\\*" ]
  [ process where process.name == "sc.exe" ]
```
Sigma

```yaml
title: Service Modification Detection
id: 6a4e3c11-service-modification
status: experimental
description: Detects suspicious Windows service modifications
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
detection:
  selection:
    EventID:
      - 7040
      - 7045
      - 4697
  condition: selection
fields:
  - ServiceName
falsepositives:
  - Legitimate administration
level: high
tags:
  - attack.persistence
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Alert on ImagePath changes | Critical service signal | Critical | Strong visibility |
| Baseline service binaries | Detect repoints | Critical | Low false positives |
| Registry monitoring | Watch Services tree | High | Essential context |
| Restrict service modification rights | Reduce abuse | High | Prevent persistence |
| Correlate with restart | Confirm activation | High | Strong forensic anchor |
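As an added example (not from the original note) of the "Baseline service binaries" and "Alert on ImagePath changes" controls above, the following compares a known-good snapshot of service ImagePath and Start values against a current one and reports repointed services, services switched to auto start, and services that did not exist in the baseline. Both snapshots are constructed here; on a live host they would be exported from HKLM\SYSTEM\CurrentControlSet\Services. Case and whitespace differences are deliberately not treated as repoints, which keeps false positives low without hiding a changed binary.

```python
# Constructed baseline captured at a known-good point in time (not from a real host).
BASELINE = {
    "Spooler":  {"ImagePath": r"C:\Windows\System32\spoolsv.exe", "Start": 2},
    "wuauserv": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs -p", "Start": 3},
    "Bits":     {"ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs -p", "Start": 3},
}
# Constructed current snapshot: Spooler repointed, Bits switched to auto, one new service.
CURRENT = {
    "Spooler":  {"ImagePath": r'"C:\Users\alice\AppData\Local\Temp\updater.exe" -k', "Start": 2},
    "wuauserv": {"ImagePath": r"%SystemRoot%\System32\svchost.exe  -k netsvcs -p", "Start": 3},
    "Bits":     {"ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs -p", "Start": 2},
    "UpdSvc":   {"ImagePath": r"C:\Users\alice\AppData\Roaming\upd.exe", "Start": 2},
}
# Directories the note's indirect-indicator table singles out as high-confidence anomalies.
SUSPECT_DIRS = ("\\temp\\", "\\appdata\\")
AUTO_START = 2  # Start value for automatic start

def normalise(image_path):
    """Fold case and collapse whitespace; anything else that differs counts as a repoint."""
    return " ".join(image_path.lower().split())

def compare_services(baseline, current):
    """Return (service, finding, severity) tuples for every deviation from the baseline."""
    findings = []
    for name, now in current.items():
        was = baseline.get(name)
        suspect = any(d in now["ImagePath"].lower() for d in SUSPECT_DIRS)
        if was is None:
            findings.append((name, "new service", "critical" if suspect else "high"))
            continue
        if normalise(was["ImagePath"]) != normalise(now["ImagePath"]):
            findings.append((name, "ImagePath repointed", "critical" if suspect else "high"))
        if was["Start"] != now["Start"] and now["Start"] == AUTO_START:
            findings.append((name, "Start type changed to auto", "high"))
    for name in baseline.keys() - current.keys():
        findings.append((name, "service removed", "info"))
    return findings

if __name__ == "__main__":
    for service, finding, severity in compare_services(BASELINE, CURRENT):
        print(f"[{severity}] {service}: {finding}")
```

On the constructed data this reports Spooler (repointed into Temp, critical), Bits (changed to auto start, high) and UpdSvc (new service under AppData, critical), and stays silent on wuauserv, whose only difference is letter case and a doubled space.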