T1543.003 Windows Service Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousServicePaths = dynamic([
  "\\Temp\\", "\\tmp\\", "\\AppData\\", "\\Users\\Public\\",
  "\\ProgramData\\", "\\Downloads\\", "\\Desktop\\",
  "%temp%", "%tmp%", "%appdata%", "%userprofile%",
  "C:\\Windows\\Temp\\", "C:\\Temp\\"
]);
let SuspiciousExtensions = dynamic([".bat", ".vbs", ".ps1", ".cmd", ".js"]);
let KnownAdminTools = dynamic(["MSSQLSERVER", "SQLSERVERAGENT", "RemoteRegistry", "W3SVC"]);
// Detection 1: New service installation via Event ID 7045 (System log)
let NewServiceInstall = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4697
| extend ServiceName = tostring(EventData.ServiceName)
| extend ServiceFilePath = tostring(EventData.ServiceFileName)
| extend ServiceType = tostring(EventData.ServiceType)
| extend ServiceStartType = tostring(EventData.ServiceStartType)
| extend ServiceAccount = tostring(EventData.ServiceAccount)
| where ServiceFilePath has_any (SuspiciousServicePaths)
  or ServiceFilePath matches regex @"(?i)\.(bat|vbs|ps1|cmd|js)\s*$"
  or ServiceFilePath has "cmd /c"
  or ServiceFilePath has "powershell"
  or ServiceFilePath has "\\\\" // UNC network path
| extend DetectionReason = case(
    ServiceFilePath has_any (SuspiciousServicePaths), "Service binary in suspicious path",
    ServiceFilePath has "cmd /c", "Service binary uses cmd interpreter",
    ServiceFilePath has "powershell", "Service binary uses PowerShell",
    ServiceFilePath has "\\\\\\\\", "Service binary on network share",
    "Suspicious extension in service path"
  )
| project TimeGenerated, Computer, SubjectUserName, SubjectDomainName, ServiceName, ServiceFilePath, ServiceType, ServiceStartType, ServiceAccount, DetectionReason;
// Detection 2: sc.exe service creation or modification
let ScExeServiceCreation = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "sc.exe"
| where ProcessCommandLine has_any ("create ", "config ", "sdset ", "failure ")
| extend IsCreate = ProcessCommandLine has "create "
| extend IsConfig = ProcessCommandLine has "config "
| extend IsSdset = ProcessCommandLine has "sdset " // Hidden service SDDL
| extend IsFailure = ProcessCommandLine has "failure " // Persistence via recovery commands
| extend HasBinPath = ProcessCommandLine has "binpath="
| extend BinPathValue = extract(@"(?i)binpath=\s*([\"']?[^\"']+[\"']?)", 1, ProcessCommandLine)
| extend IsSuspiciousPath = BinPathValue has_any (SuspiciousServicePaths)
  or BinPathValue has "cmd /c"
  or BinPathValue has "powershell"
  or BinPathValue has "\\\\\\\\"
| where IsCreate or IsConfig or IsSdset or IsFailure
| extend DetectionReason = case(
    IsSdset, "sc sdset used to potentially hide service from enumeration",
    IsFailure and (ProcessCommandLine has "command=" or ProcessCommandLine has "run="), "Service failure recovery command set — possible persistence",
    IsSuspiciousPath, "Service binary path in suspicious location",
    IsCreate and HasBinPath, "New service creation with explicit binary path",
    IsConfig, "Existing service configuration modified",
    "sc.exe service manipulation"
  )
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
  InitiatingProcessCommandLine, IsCreate, IsConfig, IsSdset, BinPathValue, DetectionReason;
// Detection 3: Registry-based service creation (bypassing sc.exe)
let RegistryServiceCreate = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey matches regex @"(?i)HKEY_LOCAL_MACHINE\\SYSTEM\\(CurrentControlSet|ControlSet001|ControlSet002)\\Services\\"
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryValueName in~ ("ImagePath", "ServiceDLL", "Start", "Type", "ObjectName")
| extend ServiceName = extract(@"(?i)Services\\([^\\]+)", 1, RegistryKey)
| extend NewValue = tostring(RegistryValueData)
| extend IsImagePath = RegistryValueName =~ "ImagePath"
| extend IsServiceDLL = RegistryValueName =~ "ServiceDLL"
| extend IsSuspiciousValue = NewValue has_any (SuspiciousServicePaths)
  or NewValue has "cmd /c"
  or NewValue has "powershell"
| where not (InitiatingProcessFileName in~ ("services.exe", "msiexec.exe", "TrustedInstaller.exe", "svchost.exe"))
  and (IsImagePath or IsServiceDLL or IsSuspiciousValue)
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, NewValue,
  ServiceName, InitiatingProcessFileName, InitiatingProcessCommandLine, IsSuspiciousValue;
union NewServiceInstall, ScExeServiceCreation, RegistryServiceCreate
| sort by TimeGenerated desc, Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Windows Registry: Windows Registry Key Modification Windows Registry: Windows Registry Key Creation Service: Service Creation Service: Service Modification Microsoft Defender for Endpoint Microsoft Sentinel — Windows Security Events

Required Tables

SecurityEvent DeviceProcessEvents DeviceRegistryEvents

False Positives

Software installers legitimately creating new services during application installation (MSI packages, third-party software)
System administrators manually creating or reconfiguring services for maintenance or troubleshooting using sc.exe
Configuration management tools (SCCM, Chef, Puppet, Ansible) modifying service configurations as part of desired state enforcement
Endpoint security products and monitoring agents installing their own services during deployment
Windows Update and TrustedInstaller modifying existing service ImagePath values during OS updates

Splunk

spl

| union
[
  search index=wineventlog (sourcetype="WinEventLog:System" EventCode=7045)
  | eval ServiceName=ServiceName, ServiceFileName=ServiceFileName, ServiceType=ServiceType, ServiceStartType=StartType, ServiceAccount=AccountName
  | eval SuspiciousPath=if(
      match(lower(ServiceFileName), "\\\\temp\\\\|\\\\tmp\\\\|\\\\appdata\\\\|\\\\users\\\\public\\\\|\\\\programdata\\\\|\\\\downloads\\\\|\\\\desktop\\\\|c:\\\\temp\\\\"),
      1, 0)
  | eval InterpreterService=if(
      match(lower(ServiceFileName), "cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|\.bat\b|\.vbs\b|\.ps1\b"),
      1, 0)
  | eval NetworkPath=if(match(ServiceFileName, "^\\\\\\\\"), 1, 0)
  | eval SuspicionScore=SuspiciousPath + InterpreterService + NetworkPath
  | where SuspicionScore > 0
  | eval DetectionVector="Event 7045 New Service Install"
  | table _time, host, ServiceName, ServiceFileName, ServiceType, ServiceStartType, ServiceAccount, SuspiciousPath, InterpreterService, NetworkPath, SuspicionScore, DetectionVector
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\sc.exe")
    (CommandLine="* create *" OR CommandLine="* config *" OR CommandLine="* sdset *" OR CommandLine="* failure *")
  | eval IsCreate=if(match(CommandLine, "(?i)\\bsc(\.exe)?\s+create\s"), 1, 0)
  | eval IsConfig=if(match(CommandLine, "(?i)\\bsc(\.exe)?\s+config\s"), 1, 0)
  | eval IsSdset=if(match(CommandLine, "(?i)\\bsc(\.exe)?\s+sdset\s"), 1, 0)
  | eval IsFailure=if(match(CommandLine, "(?i)\\bsc(\.exe)?\s+failure\s"), 1, 0)
  | rex field=CommandLine "(?i)binpath=\s*(?P<BinPathValue>[^\s]+)"
  | eval SuspiciousPath=if(
      match(lower(BinPathValue), "\\\\temp\\\\|\\\\tmp\\\\|\\\\appdata\\\\|\\\\users\\\\public\\\\|\\\\programdata\\\\|c:\\\\temp\\\\"),
      1, 0)
  | eval InterpreterInPath=if(
      match(lower(BinPathValue), "cmd\.exe|powershell\.exe|mshta\.exe|\.bat\b|\.vbs\b|\.ps1\b"),
      1, 0)
  | eval HiddenService=IsSdset
  | eval SuspicionScore=SuspiciousPath + InterpreterInPath + HiddenService + IsFailure
  | eval DetectionVector="Sysmon sc.exe Service Manipulation"
  | table _time, host, User, CommandLine, ParentImage, BinPathValue, IsCreate, IsConfig, IsSdset, IsFailure, SuspiciousPath, InterpreterInPath, SuspicionScore, DetectionVector
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=12 OR EventCode=13 OR EventCode=14)
    TargetObject="*\\SYSTEM\\*ControlSet*\\Services\\*"
    (TargetObject="*\\ImagePath" OR TargetObject="*\\ServiceDLL" OR TargetObject="*\\Start")
    NOT (Image="*\\services.exe" OR Image="*\\msiexec.exe" OR Image="*\\TrustedInstaller.exe" OR Image="*\\svchost.exe")
  | eval IsImagePath=if(match(TargetObject, "(?i)ImagePath$"), 1, 0)
  | eval IsServiceDLL=if(match(TargetObject, "(?i)ServiceDLL$"), 1, 0)
  | rex field=TargetObject "(?i)Services\\\\(?P<ServiceName>[^\\\\]+)"
  | eval SuspiciousValue=if(
      match(lower(Details), "\\\\temp\\\\|\\\\appdata\\\\|\\\\users\\\\public\\\\|cmd\.exe|powershell\.exe|\.bat\b|\.ps1\b"),
      1, 0)
  | eval SuspicionScore=IsImagePath + IsServiceDLL + SuspiciousValue
  | eval DetectionVector="Sysmon Registry Service Key Modification"
  | table _time, host, User, Image, CommandLine, TargetObject, ServiceName, Details, IsImagePath, IsServiceDLL, SuspiciousValue, SuspicionScore, DetectionVector
]
| sort - _time
| where SuspicionScore > 0

high severity high confidence

Data Sources

Service: Service Creation Process: Process Creation Windows Registry: Windows Registry Key Modification Sysmon Event ID 1 Sysmon Event ID 12 Sysmon Event ID 13 Windows System Event ID 7045

Required Sourcetypes

WinEventLog:System XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software installation packages (MSI, NSIS, Inno Setup) creating services in ProgramData or non-standard locations during install
IT automation frameworks (Ansible, Chef, Puppet, SCCM) reconfiguring service ImagePath values as part of configuration enforcement
Security tools and EDR agents creating their own services during deployment
Developers and system administrators testing service configurations in non-standard paths
Backup and monitoring software that installs driver-based services pointing to legitimate sys files in vendor directories

Elastic Security (EQL)

eql

any where
  (event.category == "process" and event.type == "start" and
   process.name : ("sc.exe","New-Service*") and
   process.args : ("create","config") and
   (process.args : ("*\\Temp\\*","*\\AppData\\*","*\\Users\\Public\\*","*\\ProgramData\\*") or
    process.args : ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe"))) or
  (event.category == "registry" and
   registry.path : "HKLM\\SYSTEM\\CurrentControlSet\\Services\\*" and
   registry.value : "ImagePath" and
   (registry.data.strings : ("*\\Temp\\*","*cmd.exe*","*powershell.exe*","*\\AppData\\*",
                               "*\\ProgramData\\*","*\\Users\\Public\\*")))

high severity high confidence

Data Sources

Windows Process Events Windows Registry Events

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-*

False Positives

Software installers legitimately creating new services during application installation (MSI packages, third-party software)
System administrators manually creating or reconfiguring services for maintenance or troubleshooting using sc.exe
Configuration management tools (SCCM, Chef, Puppet, Ansible) modifying service configurations as part of desired state enforcement
Endpoint security products and monitoring agents installing their own services during deployment
Windows Update and TrustedInstaller modifying existing service ImagePath values during OS updates

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource, username as User,
  "Image" as ProcessImage, "CommandLine" as CommandLine,
  CASE WHEN "CommandLine" ILIKE '%\Temp\%' OR "CommandLine" ILIKE '%\AppData\%' THEN 10
       WHEN "CommandLine" ILIKE '%cmd.exe%' OR "CommandLine" ILIKE '%powershell.exe%' THEN 9
       WHEN eventid = 7045 THEN 8
       ELSE 5 END as RiskScore
FROM events
WHERE (
  (eventid = 7045 AND (
    "ServiceFileName" ILIKE '%\Temp\%' OR "ServiceFileName" ILIKE '%\AppData\%' OR
    "ServiceFileName" ILIKE '%\Users\Public\%' OR "ServiceFileName" ILIKE '%\ProgramData\%' OR
    "ServiceFileName" ILIKE '%cmd.exe%' OR "ServiceFileName" ILIKE '%powershell.exe%'))
  OR (eventid = 4688 AND "Image" ILIKE '%sc.exe%' AND
      ("CommandLine" ILIKE '%create%' OR "CommandLine" ILIKE '%config%') AND
      ("CommandLine" ILIKE '%\Temp\%' OR "CommandLine" ILIKE '%cmd.exe%' OR
       "CommandLine" ILIKE '%powershell.exe%' OR "CommandLine" ILIKE '%\AppData\%'))
)
ORDER BY EventTime DESC

high severity high confidence

Data Sources

Windows Security Event Log Windows System Event Log

Required Tables

events

False Positives

Software installers legitimately creating new services during application installation (MSI packages, third-party software)
System administrators manually creating or reconfiguring services for maintenance or troubleshooting using sc.exe
Configuration management tools (SCCM, Chef, Puppet, Ansible) modifying service configurations as part of desired state enforcement
Endpoint security products and monitoring agents installing their own services during deployment
Windows Update and TrustedInstaller modifying existing service ImagePath values during OS updates

Sumo Logic CSE

sql

_sourceCategory=windows/security OR _sourceCategory=windows/sysmon
| json auto
| where EventID in ("7045","4688","1")
| eval CmdLower = toLower(coalesce(CommandLine, ServiceFileName, ""))
| eval is_service_create = if(EventID == "7045" AND (
    CmdLower matches "(\\temp\\|\\appdata\\|\\users\\public\\|\\programdata\\|cmd\.exe|powershell\.exe)", 1, 0)
| eval is_sc_create = if(EventID in ("4688","1") AND (
    toLower(coalesce(Image,"")) matches ".*sc\.exe$") AND
    CmdLower matches "(create|config)" AND
    CmdLower matches "(\\temp\\|\\appdata\\|cmd\.exe|powershell\.exe)", 1, 0)
| where is_service_create == 1 OR is_sc_create == 1
| table _time, Computer, User, Image, CommandLine, ServiceFileName, ParentImage
| sort by _time desc

high severity high confidence

Data Sources

Windows Security Events via Sumo Logic Windows Sysmon via Sumo Logic

Required Tables

windows/security windows/sysmon

False Positives

Software installers legitimately creating new services during application installation (MSI packages, third-party software)
System administrators manually creating or reconfiguring services for maintenance or troubleshooting using sc.exe
Configuration management tools (SCCM, Chef, Puppet, Ansible) modifying service configurations as part of desired state enforcement
Endpoint security products and monitoring agents installing their own services during deployment
Windows Update and TrustedInstaller modifying existing service ImagePath values during OS updates

Google Chronicle / SecOps

yaral

rule windows_service_persistence {
  meta:
    author = "Detection Engineering"
    description = "Detects Windows service creation with suspicious binary paths (T1543.003)"
    severity = "HIGH"
    tactic = "TA0003"

  events:
    $e.metadata.event_type = "SERVICE_CREATION"
    (
      re.regex($e.target.registry.registry_value_data, `(?i)(\\Temp\\|\\AppData\\|\\ProgramData\\|\\Users\\Public\\|cmd\.exe|powershell\.exe)`) nocase or
      re.regex($e.target.process.command_line, `(?i)(\\Temp\\|\\AppData\\|cmd\.exe|powershell\.exe)`) nocase
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Windows Service Events via Chronicle UDM

Required Tables

SERVICE_CREATION

False Positives

Software installers legitimately creating new services during application installation (MSI packages, third-party software)
System administrators manually creating or reconfiguring services for maintenance or troubleshooting using sc.exe
Configuration management tools (SCCM, Chef, Puppet, Ansible) modifying service configurations as part of desired state enforcement
Endpoint security products and monitoring agents installing their own services during deployment
Windows Update and TrustedInstaller modifying existing service ImagePath values during OS updates

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ServiceInstalled"
| (ServiceImagePath = /(\Temp\|\AppData\|\Users\Public\|\ProgramData\)/i
   OR ServiceImagePath = /(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe)/i
   OR ServiceImagePath = /\.(bat|vbs|ps1|cmd|scr)$/i)
| eval risk = case {
    ServiceImagePath = /(cmd\.exe|powershell\.exe|pwsh\.exe)/i : "critical";
    ServiceImagePath = /(\Temp\|\AppData\)/i : "high";
    * : "medium"
  }
| table timestamp, ComputerName, UserName, ServiceDisplayName, ServiceImagePath, ServiceType, risk
| sort by timestamp desc

high severity high confidence

Data Sources

CrowdStrike Falcon Service Events

Required Tables

ServiceInstalled

False Positives

Software installers legitimately creating new services during application installation (MSI packages, third-party software)
System administrators manually creating or reconfiguring services for maintenance or troubleshooting using sc.exe
Configuration management tools (SCCM, Chef, Puppet, Ansible) modifying service configurations as part of desired state enforcement
Endpoint security products and monitoring agents installing their own services during deployment
Windows Update and TrustedInstaller modifying existing service ImagePath values during OS updates

Windows Service

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections