MITRE ATT&CK® Analytic

AN1527: Analytic 1527

Detects creation or modification of Windows Services through command-line tools (e.g., `sc.exe`, `powershell.exe`), Registry key changes under `HKLM\System\CurrentControlSet\Services`, and service execution under SYSTEM with unsigned or anomalous binary paths. Detects privilege escalation via driver installation or `CreateServiceW` usage. Correlates parent-child lineage, startup behavior, and rare service names.

Enterprise · AN1527 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Analytic 1527 focuses on suspicious Windows service creation or modification. This matters because services often run with high privileges, can start automatically, and may blend into normal administration. For leaders, the practical question is whether the organization can distinguish legitimate service management from risky changes that could affect privilege control, persistence, and incident containment on Windows systems.

Executive priority

Prioritize this as a Windows endpoint and SOC readiness control area. It supports decisions about whether endpoint logging, service-change monitoring, and privileged administration oversight are strong enough to provide incident evidence and reduce business disruption. Because the object has no supplied relationships or tactic mapping, treat it as a detection-validation opportunity rather than proof of a specific campaign or exposure.

Technical view

Validate monitoring for Windows service creation and modification through command-line tools such as sc.exe and powershell.exe, Registry changes under HKLM\System\CurrentControlSet\Services, service execution under SYSTEM, unsigned or unusual service binary paths, driver installation indicators, CreateServiceW usage, parent-child process lineage, startup behavior, and rare service names. Since no official detection logic is provided, SOC and detection engineering teams should translate these behaviors into locally tested analytics using approved administrative baselines and endpoint telemetry.

Likely telemetry

  • Windows process creation events with command line and parent-child lineage
  • Windows Registry telemetry for HKLM\System\CurrentControlSet\Services changes
  • Windows service creation, modification, startup, and execution events
  • Endpoint telemetry showing service binary path, signer status, and execution context
  • Driver installation or service-driver related endpoint events

Detection direction

  • Baseline legitimate service administration by IT tools, deployment systems, and administrators before alerting on rarity alone.
  • Correlate command-line service changes with Registry modifications, service start behavior, SYSTEM execution, and parent process context.
  • Tune for unsigned or anomalous service binary paths, unusual startup configuration, and rare service names while accounting for approved internal software.
  • Review blind spots where endpoints lack command-line capture, Registry auditing, service event collection, binary signing metadata, or EDR API visibility.
  • Use severity based on context: privileged parent process, unexpected host role, unsigned binary, suspicious path, or unapproved driver/service installation should increase priority.
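As an added example (not part of the MITRE analytic or of Glexia's content), the following Python sketch shows one way to turn the technical view and detection direction above into a locally testable analytic: it correlates constructed Sysmon-style process creation (EID 1), Registry value-set (EID 13) and System 7045 service-install events per host and service, then scores the signals the analytic names (rare service name, unapproved parent, binary path outside trusted locations, signer status). The event schema, sample values and baseline sets are assumptions and must be replaced with local telemetry and approved administrative baselines.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): Sysmon EID 1 / EID 13 and System 7045 events.
EVENTS = [
    {"eid": 1, "host": "WS01", "parent": r"C:\Windows\CCM\CcmExec.exe",
     "cmd": r'sc.exe create SMSAgent binPath= "C:\Windows\CCM\agent.exe" start= auto'},
    {"eid": 7045, "host": "WS01", "service": "SMSAgent", "signed": True, "image_path": r"C:\Windows\CCM\agent.exe"},
    {"eid": 1, "host": "WS07", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'sc create WinUpdSvc binPath= "C:\Users\Public\svc.exe" start= auto'},
    {"eid": 13, "host": "WS07", "details": r"C:\Users\Public\svc.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\WinUpdSvc\ImagePath"},
    {"eid": 7045, "host": "WS07", "service": "WinUpdSvc", "signed": False, "image_path": r"C:\Users\Public\svc.exe"},
]

# Assumed local baseline: approved service names, deployment parents and trusted binary roots.
BASELINE_SERVICES = {"smsagent"}
APPROVED_PARENTS = {"c:\\windows\\ccm\\ccmexec.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SC_CMD = re.compile(r"\bsc(?:\.exe)?\s+(?:create|config)\s+(\S+)", re.I)
REG_SVC = re.compile(r"\\services\\([^\\]+)\\", re.I)

def service_name(ev):
    """Pull the service name out of whichever event type carries it."""
    if ev["eid"] == 7045:
        return ev["service"]
    m = SC_CMD.search(ev["cmd"]) if ev["eid"] == 1 else REG_SVC.search(ev["target"])
    return m.group(1) if m else None

def score_services(events):
    """Correlate events per (host, service) and score the signals the analytic lists."""
    groups = defaultdict(list)
    for ev in events:
        if name := service_name(ev):
            groups[(ev["host"], name.lower())].append(ev)
    report = {}
    for (host, name), evs in groups.items():
        reasons = set()
        for ev in evs:
            path = (ev.get("image_path") or ev.get("details") or "").lower()
            checks = [
                (name not in BASELINE_SERVICES, "rare service name"),
                (path and not path.startswith(TRUSTED_DIRS), "binary path outside trusted directories"),
                (ev["eid"] == 1 and ev["parent"].lower() not in APPROVED_PARENTS, "unapproved parent process"),
                (ev["eid"] == 7045 and not ev["signed"], "unsigned service binary"),
            ]
            reasons.update(msg for hit, msg in checks if hit)
        # Severity follows the context rule above: more independent signals, higher priority.
        severity = "high" if len(reasons) >= 3 else "medium" if reasons else "baseline"
        report[(host, name)] = (severity, sorted(reasons))
    return report
```

Running `score_services(EVENTS)` leaves the baselined SMSAgent install on WS01 at "baseline" and raises WinUpdSvc on WS07 to "high" with four reasons, which is the kind of per-signal evidence a triage analyst needs rather than a rarity-only alert.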

Mitigation priorities

  • Confirm Windows endpoints collect service, process, Registry, and binary-signing telemetry needed for investigation.
  • Restrict and review who can create or modify services, especially on servers and high-value workstations.
  • Maintain approved service baselines for critical systems to support change control and faster triage.
  • Harden administrative workflows so service management is performed through monitored, authorized tooling.
  • Ensure incident response playbooks include service persistence review, driver/service validation, and containment steps for affected Windows hosts.

Analyst notes and limits

This object is a detection analytic for Windows service creation and modification behavior. It provides useful detection intent but no official detection query and no relationship context. Glexia teams should use it to guide validation of endpoint visibility, administrative baselines, and SOC triage logic rather than as a standalone coverage claim.

Tactics are not specified, official detection content is not provided, and no ATT&CK relationships were supplied. The take is limited to the official description, platform, external reference, and object metadata. Local environment baselines are required to separate legitimate administration from suspicious service activity.

Official MITRE ATT&CK definition

Analytic 1527

Detects creation or modification of Windows Services through command-line tools (e.g., `sc.exe`, `powershell.exe`), Registry key changes under `HKLM\System\CurrentControlSet\Services`, and service execution under SYSTEM with unsigned or anomalous binary paths. Detects privilege escalation via driver installation or `CreateServiceW` usage. Correlates parent-child lineage, startup behavior, and rare service names.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 81fe97586140a969...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  81fe97586140…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1527

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.