Service-Modification.md

File metadata and controls

33 lines (14 loc) · 520 Bytes

Service Modification Use Cases

Grouped by Detection Method

MITRE ATT&CK Framework: Modify Existing Service (T1031; this technique ID has since been deprecated and folded into T1543.003, Create or Modify System Process: Windows Service)

  • Modifying an existing service (its binary path, start type or run-as account) lets an adversary achieve persistence, because the service's own configuration relaunches the attacker's code at boot. Since most Windows services run as LocalSystem, it is also a privilege escalation path.

Aggregate Count

Blacklist Alert

Whitelist Alert

Levenshtein Score Alert

Rolling Whitelist Alert

  • Newly observed Source User (a user who has not modified a service within the rolling window; the whitelist ages entries out so a user who stops modifying services is treated as new again)
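The rolling-whitelist check above, as an added example that is not part of the original page: each source user is remembered with the time of their last service modification, an entry expires after a window (30 days here, an assumption), and a modification by a user with no live entry raises an alert. The `timestamp|user|service|action` line format and the sample events are constructed for the example, not taken from any real log source; the `alert_from` baseline period is also an addition, included because a cold-start whitelist otherwise alerts on every user once.

```python
"""Rolling-whitelist detector for service-modification events.

Added example, not code from the original page: raises an alert when the
source user of a service modification has not been observed doing one within
a rolling window. The log format and field names are assumptions made for the
example, not the schema of any particular log source.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)  # assumption: an observed user stays whitelisted this long


class RollingWhitelist:
    """Remembers when each key was last observed; entries expire after `window`."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.last_seen = {}  # key -> datetime of the most recent observation

    def observe(self, key, ts):
        """Record `key` at time `ts`; return True if it was unseen or had expired."""
        previous = self.last_seen.get(key)
        self.last_seen[key] = ts
        return previous is None or ts - previous > self.window


def parse_event(line):
    """Parse the constructed line format '<ISO time>|<user>|<service>|<action>'."""
    ts, user, service, action = line.rstrip("\n").split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "service": service, "action": action}


def detect_new_source_users(lines, window=WINDOW, alert_from=None):
    """Return alerts for service modifications by a newly observed source user.

    Events dated before `alert_from` (datetime or ISO string) only populate the
    whitelist, so a first pass over historical data does not alert on every user.
    """
    if isinstance(alert_from, str):
        alert_from = datetime.fromisoformat(alert_from)
    whitelist = RollingWhitelist(window)
    alerts = []
    # Process in time order so the "last seen" bookkeeping is correct even if
    # the lines arrive out of order.
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    for ev in events:
        is_new = whitelist.observe(ev["user"], ev["ts"])
        if is_new and (alert_from is None or ev["ts"] >= alert_from):
            alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                           "service": ev["service"], "action": ev["action"],
                           "reason": "newly observed source user"})
    return alerts


# Constructed sample events: a management service account that modifies
# services every few weeks, and an interactive user who does so twice,
# 51 days apart (longer than the window, so the second time alerts again).
SAMPLE_LOG = [
    "2024-01-02T09:00:00|CORP\\svc-sccm|wuauserv|start_type_changed",
    "2024-01-03T09:05:00|CORP\\svc-sccm|BITS|start_type_changed",
    "2024-01-10T14:12:00|CORP\\jdoe|Spooler|image_path_changed",
    "2024-01-20T10:00:00|CORP\\svc-sccm|wuauserv|start_type_changed",
    "2024-02-10T10:00:00|CORP\\svc-sccm|BITS|start_type_changed",
    "2024-03-01T08:00:00|CORP\\jdoe|WinDefend|image_path_changed",
    "2024-03-02T10:00:00|CORP\\svc-sccm|wuauserv|start_type_changed",
]

if __name__ == "__main__":
    # Cold start: every user alerts on first sight, plus jdoe again after expiry.
    for alert in detect_new_source_users(SAMPLE_LOG):
        print(alert)
    # With a baseline period, only the interactive user's modifications alert.
    for alert in detect_new_source_users(SAMPLE_LOG, alert_from="2024-01-05T00:00:00"):
        print(alert)
```

Keying the whitelist on the user alone matches the bullet above; keying on (user, service) or (user, host) instead would catch a known administrator touching a service they never normally touch, at the cost of more first-sight alerts. The window length is a tuning choice: too short and routine service accounts re-alert after every quiet period, too long and a compromised account that was once legitimate stays whitelisted.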

Shannon Entropy Score Alert

Threshold Alert

Log Source Examples

Possible False Positives