Service Creation Use Cases

Grouped by Detection Method

MITRE ATT&CK Framework: New Service (T1050), Service Execution (T1035)

Service creation can be used by an adversary to achieve persistence.

Aggregate Count

Blacklist Alert

Whitelist Alert

Anomalous Services

Levenshtein Score Alert

Rolling Whitelist Alert

Newly observed Service File Name, Service Account

Shannon Entropy Score Alert

Threshold Alert

Log Source Examples

Windows Security Event ID 4697

Possible False Positives