New Service - veramine/Detections GitHub Wiki
When operating systems boot up, they can start programs or applications called services that perform background system functions. A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry.
Adversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with Masquerading. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution.
Veramine's detection engine flags every new service that is created. Here is an example of that detection type:
New service detection is a "Low" severity detection because services are created during the installation of new applications and in response to other normal events on an enterprise network. The Veramine rules-based detection engine also includes several other heuristic-based detections related to services that are flagged at "Medium" severity. Here are two further examples:
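As an added illustration of the two tiers described above (this is example code written for this page, not Veramine's engine or rule set), the Python below runs a "New Service" rule at Low severity over every Windows System-log Event ID 7045 ("A service was installed in the system") record and layers three assumed Medium-severity heuristics on top: a service name that matches a well-known service but points at a different binary (Masquerading), a service binary referenced from a user-writable location, and a service whose image path invokes a command interpreter. The event records are constructed samples flattened to key=value lines, and the `KNOWN_SERVICE_PATHS`, `USER_WRITABLE_HINTS` and `INTERPRETERS` tables are illustrative choices for this example rather than anything the page specifies.

```python
import re
from dataclasses import dataclass

# Constructed sample records (not real telemetry): Windows System-log
# Event ID 7045 "A service was installed in the system" flattened to
# key=value lines, plus one unrelated 7036 status-change event.
SAMPLE_EVENTS = [
    "EventID=7045 ServiceName=ContosoUpdater ImagePath=C:\\Program Files\\Contoso\\updater.exe "
    "ServiceType=user mode service StartType=auto start AccountName=LocalSystem",
    "EventID=7045 ServiceName=WinDefend ImagePath=C:\\Users\\Public\\svc.exe "
    "ServiceType=user mode service StartType=auto start AccountName=LocalSystem",
    "EventID=7045 ServiceName=helper ImagePath=cmd.exe /c C:\\Windows\\Temp\\run.bat "
    "ServiceType=user mode service StartType=demand start AccountName=LocalSystem",
    "EventID=7036 ServiceName=Spooler State=running",
]

# Assumed heuristic tables for the Medium-severity rules below; these are
# illustrative choices for this example, not Veramine's rule set.
KNOWN_SERVICE_PATHS = {
    "windefend": "c:\\program files\\windows defender\\msmpeng.exe",
    "spooler": "c:\\windows\\system32\\spoolsv.exe",
}
USER_WRITABLE_HINTS = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")
INTERPRETERS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")

# key=value pairs whose values may themselves contain spaces; a value ends
# where the next " key=" token begins or at end of line.
_KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


@dataclass(frozen=True)
class Detection:
    severity: str
    rule: str
    service: str
    detail: str


def parse_event(line: str) -> dict:
    """Split a flattened key=value event line into a dict."""
    return {k: v.strip() for k, v in _KV.findall(line)}


def analyze_new_service(event: dict) -> list:
    """Emit one Low 'New Service' detection plus any Medium heuristic hits for a 7045 event."""
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "")
    low = path.lower()
    hits = [Detection("Low", "New Service", name,
                      f"{path} as {event.get('AccountName', '?')}")]
    # Masquerading: well-known service name, but the binary is not where that service lives.
    expected = KNOWN_SERVICE_PATHS.get(name.lower())
    if expected and expected not in low:
        hits.append(Detection("Medium", "Service Name Masquerading", name,
                              f"name matches a well-known service but runs {path}"))
    # Service binary or script referenced from a location ordinary users can write to.
    if any(hint in low for hint in USER_WRITABLE_HINTS):
        hits.append(Detection("Medium", "Service Binary In User-Writable Path", name, path))
    # Image path is an interpreter rather than a dedicated service executable.
    if any(interp in low for interp in INTERPRETERS):
        hits.append(Detection("Medium", "Service Runs Command Interpreter", name, path))
    return hits


def analyze(lines) -> list:
    """Run the service-creation rules over raw event lines, ignoring non-7045 events."""
    detections = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") == "7045":
            detections.extend(analyze_new_service(event))
    return detections


if __name__ == "__main__":
    for d in analyze(SAMPLE_EVENTS):
        print(f"[{d.severity:6}] {d.rule:40} {d.service:15} {d.detail}")
```

Run as a script it prints one line per detection; the Low "New Service" line fires for all three installs, while only the two suspicious installs pick up Medium hits. In a real deployment the same rules would be fed from the 7045 events themselves or from the service keys under the Registry's CurrentControlSet\Services hive, and the masquerading table would be populated from the expected binary paths of the services actually present on the estate.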