AN0778: Analytic 0778
Monitor for abnormal creation or modification of Windows services (e.g., via sc.exe, PowerShell, or API calls) that load non-standard executables. Correlate registry changes in service keys with service creation events and process execution to detect service abuse for persistence or execution.
Analyst context for executives and security teams
This analytic matters because Windows service creation and modification can turn a normal administrative mechanism into a persistence or execution path. For leaders, the key question is whether the organization can distinguish expected service management from abnormal services loading non-standard executables before an incident becomes harder to contain.
Executive priority
Prioritize this as a Windows visibility and response-readiness validation item. It supports decisions about SOC telemetry completeness, incident triage quality, and audit evidence for endpoint monitoring controls. The business risk is not the existence of services themselves, but blind spots around who created or changed them, what executable they load, and whether those changes are correlated across registry, process, and service events.
Technical view
Validate monitoring for abnormal Windows service creation or modification, especially activity involving sc.exe, PowerShell, or service-related API activity where the service points to non-standard executables. Detection engineering should correlate service creation events, registry changes under service keys, and subsequent process execution. Because no tactic field or formal detection logic is supplied, teams should treat this as a detection strategy requiring local baselining of legitimate administrative and software deployment behavior.
Likely telemetry
- Windows service creation and modification events
- Windows registry changes for service keys
- Process creation events for sc.exe, PowerShell, and newly launched service executables
- Command-line and parent-child process context where available
- Endpoint telemetry showing executable path, signer, hash, and user or account context
Detection direction
- Baseline normal service creation and modification patterns for administrators, software deployment tools, and endpoint management activity.
- Correlate service registry key changes with service creation events and process execution rather than alerting on a single event in isolation.
- Review services that load executables from unusual or non-standard paths, especially when created by scripting or command-line tools.
- Tune false positives for legitimate software installation, patching, and IT operations while preserving visibility into rare service changes.
- Confirm telemetry coverage on Windows endpoints; this analytic has no supplied coverage for other platforms.
Mitigation priorities
- Ensure Windows endpoints collect service, registry, and process execution telemetry needed for correlation.
- Limit and review privileges that allow service creation or modification, using administrative role governance where applicable.
- Maintain an approved baseline of expected services and executable paths for high-value systems.
- Integrate service-change alerts into incident response playbooks so analysts can quickly validate legitimacy and contain suspicious persistence or execution behavior.
- Use periodic control testing to verify that service abuse scenarios would generate reviewable evidence.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Windows service creation or modification involving non-standard executables. It references sc.exe, PowerShell, API calls, registry service keys, service creation events, and process execution correlation. No relationship context, aliases, or separate official detection logic were supplied.
This take is limited to the provided STIX fields and external reference. It does not assert active exploitation, actor attribution, guaranteed detection, or applicability beyond Windows. Local baselines, endpoint logging configuration, and administrative workflows are required to determine alert thresholds and materiality.
Analytic 0778
Monitor for abnormal creation or modification of Windows services (e.g., via sc.exe, PowerShell, or API calls) that load non-standard executables. Correlate registry changes in service keys with service creation events and process execution to detect service abuse for persistence or execution.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | da158b38ca33… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0778Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.