Modify Existing Service - veramine/Detections GitHub Wiki
Windows service configuration information, including the file path to the service's executable, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and Reg.
Adversaries can modify an existing service to persist malware on a system by using system utilities or by using custom tools to interact with the Windows API. Use of existing services is a type of Masquerading that may make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used. You can read more about this attack technique at https://attack.mitre.org/wiki/Technique/T1031.
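The registry values the paragraph refers to live under HKLM\SYSTEM\CurrentControlSet\Services\<name>, chiefly ImagePath (the service binary and its arguments) and the Start DWORD (0 boot, 1 system, 2 auto, 3 manual, 4 disabled). The following added example, which is not code from this wiki or from Veramine, shows one defender-side way to surface the changes described above: diff two snapshots of those values and flag an ImagePath that now points outside an assumed allow-list of directories, or a disabled service that has been switched on. The snapshots, the TRUSTED_DIRS allow-list and the service names are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Meaning of the Start DWORD under HKLM\SYSTEM\CurrentControlSet\Services\<name>
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}

# Directories service binaries are expected to run from (assumed allow-list; tune per environment).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")

Snapshot = Dict[str, dict]                  # service name -> {"ImagePath": str, "Start": int}
Finding = Tuple[str, str, str, str, str]    # (service, field, severity, old value, new value)

def executable_from_imagepath(image_path: str) -> str:
    """Return just the executable from an ImagePath value (quotes, arguments and %SystemRoot% handled)."""
    p = re.sub(r"%systemroot%", lambda _: r"C:\Windows", image_path.strip(), flags=re.IGNORECASE)
    if p.startswith('"'):                          # quoted path: everything up to the closing quote
        return p[1:p.index('"', 1)]
    m = re.match(r"(.*?\.exe)", p, re.IGNORECASE)  # unquoted: cut at the first .exe to drop arguments
    return m.group(1) if m else p.split(" ")[0]

def diff_services(baseline: Snapshot, current: Snapshot) -> List[Finding]:
    """Report configuration changes to services that exist in both snapshots."""
    findings: List[Finding] = []
    for name, cfg in current.items():
        old = baseline.get(name)
        if old is None:
            continue                               # brand-new services are a separate technique
        if cfg["ImagePath"] != old["ImagePath"]:
            exe = executable_from_imagepath(cfg["ImagePath"]).lower()
            sev = "low" if exe.startswith(TRUSTED_DIRS) else "high"   # binary now outside trusted dirs
            findings.append((name, "ImagePath", sev, old["ImagePath"], cfg["ImagePath"]))
        if cfg["Start"] != old["Start"]:
            sev = "high" if old["Start"] == 4 else "low"               # a disabled service switched on
            findings.append((name, "Start", sev, START_TYPES[old["Start"]], START_TYPES[cfg["Start"]]))
    return findings

# Constructed snapshots standing in for two reads of the Services registry key.
BASELINE: Snapshot = {
    "Spooler": {"ImagePath": r"%SystemRoot%\System32\spoolsv.exe", "Start": 2},
    "RemoteRegistry": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k localService", "Start": 4},
}
CURRENT: Snapshot = {
    "Spooler": {"ImagePath": r"C:\Users\Public\updater.exe", "Start": 2},   # binary swapped out
    "RemoteRegistry": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k localService", "Start": 2},
}

def run_example() -> List[Finding]:
    return diff_services(BASELINE, CURRENT)
```

On a live host the two snapshots would come from reading the Services key (for example with winreg) at two points in time, or from a golden baseline kept off-box.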
Veramine's detection engine detects service configuration changes via its deep integration with the Windows Service Control Manager. Here is an example of the service configuration changing: