Services | SOC Hunt Feed

Hunt Hypothesis

The hypothesis is that an adversary may be leveraging registry-based service configurations to persistently execute malicious payloads across system reboots. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify potential persistence mechanisms and mitigate long-term compromise risks.

KQL Query

DeviceRegistryEvents  
| where RegistryKey has @"SYSTEM\CurrentControlSet\Services"
| extend ServiceName=tostring(split(RegistryKey, @"\")[4])
| project Timestamp, DeviceName, ServiceName, ActionType, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessMD5, InitiatingProcessParentFileName
| top 100 by Timestamp desc

Analytic Rule Definition

id: dd76f1c0-edc9-45cb-aeae-f5142caf583c
name: Services
description: |
  Gets the service name from the registry key.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceRegistryEvents
query: |
  DeviceRegistryEvents  
  | where RegistryKey has @"SYSTEM\CurrentControlSet\Services"
  | extend ServiceName=tostring(split(RegistryKey, @"\")[4])
  | project Timestamp, DeviceName, ServiceName, ActionType, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessMD5, InitiatingProcessParentFileName
  | top 100 by Timestamp desc

Required Data Sources

Sentinel Table	Notes
`DeviceRegistryEvents`	Ensure this data connector is enabled

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/General queries/Services.yaml)

False Positive Guidance

Scenario: A system administrator is using PowerShell to manage services via Get-Service or Stop-Service commands during routine maintenance.
Filter/Exclusion: Exclude processes where the command line contains Get-Service, Stop-Service, or Start-Service.
Scenario: A scheduled job (e.g., using Task Scheduler) is configured to start or stop a service as part of a maintenance task.
Filter/Exclusion: Exclude events where the service name matches known scheduled job service names (e.g., Schedule or TaskScheduler).
Scenario: A backup tool (e.g., Veeam Backup & Replication) temporarily stops or starts a service during a backup operation.
Filter/Exclusion: Exclude service names associated with backup tools (e.g., VeeamBackup, VeeamServices).
Scenario: An IT admin is using Group Policy Management Console (GPMC) to configure service startup settings.
Filter/Exclusion: Exclude service names that are commonly managed via GPMC (e.g., BITS, LanmanWorkstation, RpcSs).
Scenario: A software update tool (e.g., Microsoft Update, WSUS) modifies service configurations during an update process.
Filter/Exclusion: Exclude service names related to update services (e.g., wuauserv, wuauserv, cryptsvc).