T1543

Create or Modify System Process

Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters. Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.

Microsoft Sentinel / Defender

kusto

let SuspiciousServicePaths = dynamic([
  "\\Temp\\", "\\AppData\\", "\\Downloads\\", "\\Public\\",
  "\\Users\\Public\\", "%TEMP%", "%APPDATA%", "%PUBLIC%"
]);
let KnownLOLBins = dynamic([
  "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe",
  "bitsadmin.exe", "wmic.exe", "msbuild.exe"
]);
// Branch 1: New service installation via sc.exe or PowerShell New-Service
let NewServiceCreation = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "sc.exe" and ProcessCommandLine has_any ("create", "config")
  or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("New-Service", "Set-Service", "sc.exe create"))
| extend DetectionType = "NewServiceCreation"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Branch 2: Service binary in suspicious path (registry write to Services key)
let SuspiciousServiceBinary = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services"
| where RegistryValueName =~ "ImagePath"
| where RegistryValueData has_any (SuspiciousServicePaths)
      or RegistryValueData has_any (KnownLOLBins)
| extend DetectionType = "SuspiciousServiceBinaryPath"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RegistryKey,
          RegistryValueName, RegistryValueData, InitiatingProcessFileName,
          InitiatingProcessCommandLine, DetectionType;
// Branch 3: Service installed by unusual parent (Office apps, script interpreters)
let UnusualParentService = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "sc.exe" and ProcessCommandLine has "create"
| where InitiatingProcessFileName in~ (
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"
  )
| extend DetectionType = "ServiceCreatedByOfficeOrScript"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Branch 4: New service type 0x10 (WIN32_OWN_PROCESS) with autostart via reg
let AutostartServiceReg = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services"
| where RegistryValueName =~ "Start" and RegistryValueData in ("2", "0") // Auto or Boot
| where InitiatingProcessFileName !in~ (
    "services.exe", "svchost.exe", "msiexec.exe", "TrustedInstaller.exe",
    "WmiPrvSE.exe", "MsMpEng.exe"
  )
| extend DetectionType = "AutostartServiceRegistered"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RegistryKey,
          RegistryValueName, RegistryValueData, InitiatingProcessFileName,
          InitiatingProcessCommandLine, DetectionType;
union NewServiceCreation, UnusualParentService
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Windows Registry: Registry Key Modification Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

Legitimate software installers (MSI packages, vendor setup.exe) that register services during installation — typically identified by msiexec.exe or setup.exe as parent process
IT management tools such as SCCM, Ansible, or Puppet that create or modify services as part of configuration management workflows
Security products (EDR agents, AV engines, backup software) that install kernel-level or user-mode services during deployment or updates
Software developers testing or deploying Windows services locally, particularly from development directories that may match suspicious path patterns
System administrators manually configuring services via sc.exe or PowerShell during maintenance windows — correlate with change management tickets

Splunk

spl

index=wineventlog (
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  OR (sourcetype="WinEventLog:Security" EventCode IN (4697, 7045))
  OR (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode IN (12, 13, 14))
)
| eval DetectionBranch=case(
    EventCode=1 AND (match(Image, "(?i)\\\\sc\.exe$") AND match(CommandLine, "(?i)(create|config)")), "sc_exe_service_create",
    EventCode=1 AND match(Image, "(?i)\\\\(powershell|pwsh)\.exe$") AND match(CommandLine, "(?i)(New-Service|Set-Service)"), "powershell_new_service",
    EventCode IN (4697, 7045), "security_service_install",
    EventCode IN (12, 13, 14) AND match(TargetObject, "(?i)SYSTEM\\\\CurrentControlSet\\\\Services"), "registry_service_modification",
    true(), null()
  )
| where isnotnull(DetectionBranch)
| eval ServiceName=case(
    EventCode=4697, mvindex(split(Message, "\n"), 0),
    EventCode=7045, ServiceName,
    EventCode=1, replace(CommandLine, ".*?(?:create|New-Service)\\s+([\\w-]+).*", "\\1"),
    EventCode IN (12,13,14), replace(TargetObject, ".*Services\\\\([^\\\\]+).*", "\\1"),
    true(), "unknown"
  )
| eval SuspiciousPath=if(
    match(coalesce(ServiceFileName, CommandLine, RegistryValueData, ""),
      "(?i)(\\\\temp\\\\|\\\\appdata\\\\|\\\\downloads\\\\|\\\\public\\\\|%temp%|%appdata%)"),
    1, 0
  )
| eval LOLBinService=if(
    match(coalesce(ServiceFileName, CommandLine, RegistryValueData, ""),
      "(?i)(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe)"),
    1, 0
  )
| eval UnusualParent=if(
    EventCode=1 AND match(ParentImage,
      "(?i)(winword|excel|powerpnt|outlook|wscript|cscript|mshta|rundll32)\.exe"),
    1, 0
  )
| eval RiskScore=SuspiciousPath + LOLBinService + UnusualParent
| eval SuspicionFlags=mvappend(
    if(SuspiciousPath=1, "suspicious_path", null()),
    if(LOLBinService=1, "lolbin_service", null()),
    if(UnusualParent=1, "unusual_parent", null())
  )
| table _time, host, User, DetectionBranch, ServiceName, CommandLine, ParentImage, 
        ParentCommandLine, SuspiciousPath, LOLBinService, UnusualParent, RiskScore, SuspicionFlags
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Windows Registry: Registry Key Modification Windows Event Log: Security Sysmon Event IDs 1, 12, 13, 14

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Legitimate software installers (MSI packages, vendor setup.exe) that register services during installation — typically identified by msiexec.exe or setup.exe as parent process
IT management tools such as SCCM, Ansible, or Puppet that create or modify services as part of configuration management workflows
Security products (EDR agents, AV engines, backup software) that install kernel-level or user-mode services during deployment or updates
Software developers testing or deploying Windows services locally, particularly from development directories that may match suspicious path patterns
System administrators manually configuring services via sc.exe or PowerShell during maintenance windows — correlate with change management tickets

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [any where event.category == "process" and
   (
     (process.name : "sc.exe" and process.args : ("create", "config")) or
     (process.name : ("powershell.exe", "pwsh.exe") and process.args : ("New-Service", "Set-Service", "sc.exe"))
   )
  ] by process.entity_id

sequence by host.name with maxspan=1m
  [process where event.type == "start" and
   process.name : "sc.exe" and process.args : "create" and
   process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                           "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
  ]

process where event.type == "start" and
(
  (
    process.name : "sc.exe" and
    process.args : ("create", "config") and
    not process.parent.name : ("services.exe", "svchost.exe", "msiexec.exe")
  ) or
  (
    process.name : ("powershell.exe", "pwsh.exe") and
    process.args : ("New-Service", "Set-Service")
  ) or
  (
    process.name : "sc.exe" and process.args : "create" and
    process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                            "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
  )
) or
registry where event.type in ("creation", "change") and
  registry.path : "HKLM\\SYSTEM\\CurrentControlSet\\Services\\*\\ImagePath" and
  (
    registry.data.strings : ("*\\Temp\\*", "*\\AppData\\*", "*\\Downloads\\*",
                              "*\\Public\\*", "%TEMP%*", "%APPDATA%*") or
    registry.data.strings : ("*powershell.exe*", "*cmd.exe*", "*wscript.exe*",
                              "*cscript.exe*", "*mshta.exe*", "*regsvr32.exe*",
                              "*rundll32.exe*", "*certutil.exe*", "*bitsadmin.exe*")
  ) or
registry where event.type in ("creation", "change") and
  registry.path : "HKLM\\SYSTEM\\CurrentControlSet\\Services\\*\\Start" and
  registry.data.strings : ("2", "0") and
  not process.name : ("services.exe", "svchost.exe", "msiexec.exe",
                       "TrustedInstaller.exe", "WmiPrvSE.exe", "MsMpEng.exe")

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Windows Security Event Logs

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-* winlogbeat-*

False Positives

Legitimate software installers (MSI packages, setup.exe) frequently create services during installation — filter by process.parent.name of msiexec.exe or setup-related processes
IT administration tools such as SCCM, Ansible, or Puppet may create or modify services as part of configuration management — build allowlists for known admin tool paths and accounts
Security products (EDR agents, AV engines) routinely register autostart services during updates — whitelist known security vendor process names and signed binary paths

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  LOGSOURCENAME(logsourceid) AS log_source,
  username,
  QIDNAME(qid) AS event_name,
  EventID,
  CommandLine,
  ParentProcessPath,
  ProcessPath,
  CASE
    WHEN EventID IN (7045, 4697) THEN 'security_service_install_event'
    WHEN EventID = 1 AND CommandLine ILIKE '%sc.exe%create%' THEN 'sc_exe_service_creation'
    WHEN EventID = 1 AND (CommandLine ILIKE '%New-Service%' OR CommandLine ILIKE '%Set-Service%') THEN 'powershell_service_creation'
    WHEN EventID = 1 AND CommandLine ILIKE '%sc.exe%create%'
      AND ParentProcessPath ILIKE ANY ('%winword.exe', '%excel.exe', '%powerpnt.exe',
                                       '%wscript.exe', '%cscript.exe', '%mshta.exe', '%rundll32.exe') THEN 'unusual_parent_service_creation'
    WHEN EventID IN (12, 13) AND RegistryPath ILIKE '%CurrentControlSet\\Services%' THEN 'registry_service_modification'
    ELSE 'unknown'
  END AS detection_branch,
  CASE
    WHEN CommandLine ILIKE ANY ('%\\Temp\\%', '%\\AppData\\%', '%\\Downloads\\%',
                                '%\\Public\\%', '%TEMP%', '%APPDATA%') THEN 1
    ELSE 0
  END AS suspicious_path,
  CASE
    WHEN CommandLine ILIKE ANY ('%powershell.exe%', '%cmd.exe%', '%wscript.exe%',
                                '%cscript.exe%', '%mshta.exe%', '%rundll32.exe%',
                                '%regsvr32.exe%', '%certutil.exe%', '%bitsadmin.exe%') THEN 1
    ELSE 0
  END AS lolbin_service,
  CASE
    WHEN EventID = 1 AND ParentProcessPath ILIKE ANY
      ('%winword.exe', '%excel.exe', '%powerpnt.exe', '%outlook.exe',
       '%wscript.exe', '%cscript.exe', '%mshta.exe', '%rundll32.exe') THEN 1
    ELSE 0
  END AS unusual_parent
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 14, 397)  -- Windows Security, Sysmon, System
  AND (
    EventID IN (7045, 4697)
    OR (
      EventID = 1 AND (
        (CommandLine ILIKE '%sc.exe%' AND (CommandLine ILIKE '%create%' OR CommandLine ILIKE '%config%'))
        OR (CommandLine ILIKE '%powershell%' AND (CommandLine ILIKE '%New-Service%' OR CommandLine ILIKE '%Set-Service%'))
      )
    )
    OR (
      EventID IN (12, 13) AND
      RegistryPath ILIKE '%SYSTEM\\CurrentControlSet\\Services%' AND
      (
        RegistryPath ILIKE '%ImagePath%' OR
        RegistryPath ILIKE '%\\Start'
      )
    )
  )
  AND (
    suspicious_path = 1 OR lolbin_service = 1 OR unusual_parent = 1 OR EventID IN (7045, 4697)
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

Windows Security Event Log Sysmon Operational Log Windows System Event Log

Required Tables

events

False Positives

Software deployment systems (SCCM, PDQ Deploy, Chocolatey) routinely create services — correlate with known software deployment windows and authorized maintenance accounts
Security monitoring agents (CrowdStrike Falcon, Cylance, Carbon Black) update their own services and may trigger registry modification alerts — build exclusions for signed binaries from known security vendors
Development and testing environments may have developers creating test services via PowerShell New-Service — separate production and non-production log source groups

Sumo Logic CSE

sql

_sourceCategory=windows* AND (
  ("EventCode=7045" OR "EventCode=4697") OR
  ("EventCode=1" AND ("sc.exe" AND ("create" OR "config"))) OR
  ("EventCode=1" AND ("New-Service" OR "Set-Service")) OR
  ("EventCode=12" OR "EventCode=13") AND "CurrentControlSet\Services"
)
| parse "EventCode=*" as EventCode
| parse regex "(?i)CommandLine=(?P<CommandLine>[^\n]+)" nodrop
| parse regex "(?i)ParentImage=(?P<ParentImage>[^\n]+)" nodrop
| parse regex "(?i)Image=(?P<Image>[^\n]+)" nodrop
| parse regex "(?i)TargetObject=(?P<RegistryKey>[^\n]+)" nodrop
| parse regex "(?i)ServiceFileName=(?P<ServiceFileName>[^\n]+)" nodrop
| parse regex "(?i)User=(?P<User>[^\n]+)" nodrop
| parse regex "(?i)Computer=(?P<Computer>[^\n]+)" nodrop
| eval DetectionBranch = if(EventCode in ("7045", "4697"), "security_service_install",
  if(EventCode == "1" and matches(CommandLine, "(?i)sc\.exe") and matches(CommandLine, "(?i)(create|config)"), "sc_exe_service_create",
  if(EventCode == "1" and matches(CommandLine, "(?i)(New-Service|Set-Service)"), "powershell_new_service",
  if((EventCode == "12" or EventCode == "13") and matches(RegistryKey, "(?i)CurrentControlSet.Services"), "registry_service_modification",
  "other"))))
| where DetectionBranch != "other"
| eval SuspiciousPath = if(
    matches(coalesce(ServiceFileName, CommandLine, ""), "(?i)(\\\\temp\\\\|\\\\appdata\\\\|\\\\downloads\\\\|\\\\public\\\\|%temp%|%appdata%)"),
    1, 0)
| eval LOLBinService = if(
    matches(coalesce(ServiceFileName, CommandLine, ""), "(?i)(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe)"),
    1, 0)
| eval UnusualParent = if(
    EventCode == "1" and matches(ParentImage, "(?i)(winword|excel|powerpnt|outlook|wscript|cscript|mshta|rundll32)\.exe"),
    1, 0)
| eval RiskScore = SuspiciousPath + LOLBinService + UnusualParent
| eval SuspicionFlags = concat(
    if(SuspiciousPath == 1, "suspicious_path ", ""),
    if(LOLBinService == 1, "lolbin_service ", ""),
    if(UnusualParent == 1, "unusual_parent ", "")
  )
| where RiskScore > 0 or DetectionBranch == "security_service_install"
| fields _messageTime, Computer, User, DetectionBranch, CommandLine, Image, ParentImage, ServiceFileName, RegistryKey, RiskScore, SuspicionFlags
| sort by _messageTime desc

high severity high confidence

Data Sources

Windows Security Event Log Sysmon Operational Log via Sumo Logic Installed Collector

Required Tables

_sourceCategory=windows*

False Positives

Windows Update and patch management processes (TiWorker.exe, TrustedInstaller.exe) create and modify services during OS updates — filter by known Windows Update process names and system accounts
Virtualization software (VMware Tools, VirtualBox Guest Additions) creates services during installation and updates — allowlist known vendor-signed process paths
Custom enterprise monitoring agents deployed by IT operations may trigger registry modification detections — coordinate with IT ops for known deployment accounts and time windows

Google Chronicle / SecOps

yaral

rule t1543_create_modify_system_process {
  meta:
    author = "Detection Engineering"
    description = "Detects creation or modification of Windows system services via sc.exe, PowerShell, or direct registry writes to CurrentControlSet\\Services. Covers LOLBin-based services, suspicious binary paths, and unusual parent process chains."
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1543"
    mitre_attack_subtechnique = "T1543.003"
    severity = "HIGH"
    priority = "HIGH"

  events:
    // Branch 1: sc.exe or PowerShell service creation
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    $e1.principal.hostname = $hostname
    (
      (
        re.regex($e1.target.process.file.full_path, `(?i)\\sc\.exe$`) and
        re.regex($e1.target.process.command_line, `(?i)(create|config)`)
      ) or
      (
        re.regex($e1.target.process.file.full_path, `(?i)\\(powershell|pwsh)\.exe$`) and
        re.regex($e1.target.process.command_line, `(?i)(New-Service|Set-Service)`)
      )
    )

  condition:
    $e1
}

rule t1543_service_registry_modification {
  meta:
    author = "Detection Engineering"
    description = "Detects suspicious registry modifications to HKLM\\SYSTEM\\CurrentControlSet\\Services including ImagePath set to suspicious locations or LOLBin executables, and autostart (Start=2/0) values written by non-system processes."
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1543"
    mitre_attack_subtechnique = "T1543.003"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e2.metadata.event_type = "REGISTRY_MODIFICATION"
    $e2.principal.hostname = $hostname
    re.regex($e2.target.registry.registry_key, `(?i)HKLM\\SYSTEM\\CurrentControlSet\\Services`)
    (
      (
        $e2.target.registry.registry_value_name = "ImagePath" and
        (
          re.regex($e2.target.registry.registry_value_data, `(?i)(\\temp\\|\\appdata\\|\\downloads\\|\\public\\|%temp%|%appdata%)`) or
          re.regex($e2.target.registry.registry_value_data, `(?i)(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe)`)
        )
      ) or
      (
        $e2.target.registry.registry_value_name = "Start" and
        $e2.target.registry.registry_value_data in ("2", "0") and
        not re.regex($e2.principal.process.file.full_path, `(?i)(services\.exe|svchost\.exe|msiexec\.exe|TrustedInstaller\.exe|WmiPrvSE\.exe|MsMpEng\.exe)`)
      )
    )

  condition:
    $e2
}

rule t1543_service_unusual_parent {
  meta:
    author = "Detection Engineering"
    description = "Detects sc.exe service creation invoked by Office applications or script interpreters, indicating possible macro or script-based lateral movement/persistence."
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1543"
    mitre_attack_subtechnique = "T1543.003"
    severity = "CRITICAL"
    priority = "CRITICAL"

  events:
    $e3.metadata.event_type = "PROCESS_LAUNCH"
    $e3.principal.hostname = $hostname
    re.regex($e3.target.process.file.full_path, `(?i)\\sc\.exe$`)
    re.regex($e3.target.process.command_line, `(?i)create`)
    re.regex($e3.principal.process.file.full_path,
      `(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe)`)

  condition:
    $e3
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows Event Logs via Chronicle Forwarder Sysmon via Chronicle Forwarder

Required Tables

PROCESS_LAUNCH REGISTRY_MODIFICATION

False Positives

Enterprise software deployment pipelines (Intune, SCCM) create services as part of managed application installs — apply reference list exclusions for known MDM/deployment system hostnames and service accounts
Development workstations where developers test service-based applications via PowerShell New-Service — scope detection to production and server asset groups, or reduce severity for developer workstation segments
Backup and recovery software (Veeam, Acronis, Veritas) installs services via MSI with PowerShell wrappers — allowlist known backup agent binary hashes or signing certificate subjects

CrowdStrike LogScale (CQL)

cql

// Branch 1: sc.exe or PowerShell service creation
#event_simpleName=ProcessRollup2
| FileName in ("sc.exe", "powershell.exe", "pwsh.exe")
| CommandLine = /(?i)(sc\.exe.*(create|config)|New-Service|Set-Service)/
| NOT ParentBaseFileName in ("services.exe", "svchost.exe", "msiexec.exe", "TrustedInstaller.exe")
| eval DetectionBranch = case(
    FileName == "sc.exe" AND CommandLine =~ /(?i)(create|config)/, "sc_exe_service_create",
    FileName =~ /(?i)(powershell|pwsh)\.exe/ AND CommandLine =~ /(?i)(New-Service|Set-Service)/, "powershell_new_service",
    true, "other"
  )
| eval SuspiciousPath = if(
    CommandLine =~ /(?i)(\\temp\\|\\appdata\\|\\downloads\\|\\public\\|%temp%|%appdata%)/, 1, 0
  )
| eval LOLBinService = if(
    CommandLine =~ /(?i)(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe)/, 1, 0
  )
| eval UnusualParent = if(
    ParentBaseFileName =~ /(?i)(winword|excel|powerpnt|outlook|wscript|cscript|mshta|rundll32)\.exe/, 1, 0
  )
| eval RiskScore = SuspiciousPath + LOLBinService + UnusualParent
| where DetectionBranch != "other" AND (RiskScore > 0 OR UnusualParent == 1)
| select timestamp, ComputerName, UserName, DetectionBranch, FileName, CommandLine,
         ParentBaseFileName, ParentCommandLine, RiskScore, SuspiciousPath, LOLBinService, UnusualParent

// Branch 2: Registry modifications to Services hive (run as separate saved search)
// #event_simpleName=RegGenericValueUpdate OR #event_simpleName=RegistryKeyCreate
// | RegObjectName = /(?i)SYSTEM\\CurrentControlSet\\Services/
// | RegValueName in~ ("ImagePath", "Start")
// | NOT RegOperationValue in ("services.exe", "svchost.exe", "msiexec.exe",
//                             "TrustedInstaller.exe", "WmiPrvSE.exe", "MsMpEng.exe")
// | eval SuspiciousImagePath = if(
//     RegStringValue =~ /(?i)(\\temp\\|\\appdata\\|\\downloads\\|\\public\\|%temp%|%appdata%|
//                          powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|
//                          rundll32\.exe|regsvr32\.exe|certutil\.exe)/, 1, 0
//   )
// | where SuspiciousImagePath == 1 OR (RegValueName =~ "Start" AND RegStringValue in ("2", "0"))
// | select timestamp, ComputerName, UserName, RegObjectName, RegValueName, RegStringValue, ContextProcessName

| groupBy([ComputerName, UserName, DetectionBranch, CommandLine, ParentBaseFileName], function=(
    count(aid, as=EventCount),
    max(RiskScore, as=MaxRiskScore),
    collect([SuspiciousPath, LOLBinService, UnusualParent])
  ))
| sort(MaxRiskScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Insight EDR Falcon Process Telemetry Falcon Registry Telemetry

Required Tables

ProcessRollup2 RegGenericValueUpdate RegistryKeyCreate

False Positives

Automated patching and software lifecycle management tools (Tanium, BigFix, Ivanti) execute sc.exe during service configuration — build suppression rules for known patch management tool hashes and approved service account names
Container orchestration platforms (Docker Desktop for Windows, Kubernetes node services) create system services during startup and updates — exclude known container runtime binary paths from detection scope
Internal IT scripting automation using PowerShell DSC or custom onboarding scripts may invoke New-Service — coordinate with IT teams to identify scheduled maintenance windows and approved scripts for tuning

Last updated: 2026-04-21 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1543 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Create or Modify System Process

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (5)

Same Tactic: Persistence

Popular Detections