t1574.011
| Title | Tags |
| --- | --- |
| it is unusual for a service to be created or modified by directly manipulating the registry. however, there may be legitimate instances of this behavior. it is important to validate and investigate, as appropriate. | t1574, t1574.011, endpoint, splunk |
| legitimate administrative script | t1059, t1059.001, t1098, t1132, t1132.001, t1136, t1136.002, t1553, t1553.004, t1571, t1573, t1574, t1574.011, t1574.012, windows, sigma |
| likely from legitimate applications reading their key. requires heavy tuning | t1574, t1574.011, windows, sigma |
| rare fp could occur due to the non-linearity of the scriptblocktext log | t1574, t1574.011, windows, sigma |
| rare intended use of hidden services | t1574, t1574.011, windows, sigma |
| third-party tools may use this technique to create services, but this is not so common. | t1574.011, endpoint, splunk |