SIEM

Service Creation Use Cases

Grouped by Detection Method

MITRE ATT&CK Framework: New Service (T1050), Service Execution (T1035)

• Service creation can be used by an adversary to achieve persistence.

Aggregate Count

Blacklist Alert

Whitelist Alert

• Anomalous Services

Levenshtein Score Alert

Rolling Whitelist Alert

• Newly observed Service File Name, Service Account

Shannon Entropy Score Alert

Threshold Alert

Log Source Examples

• Windows Security Event ID 4697

Possible False Positives

This site is open source. Improve this page.