Managed Sentinel – Alert 070

Alert IDMS-A070
Alert NameA new service was installed and started on a critical Windows server
DescriptionThis alerts is triggered whenever a new services is installed on one of the critical Windows servers.

Customer to provide a list of critical server which will be monitored by this query.
Severity LevelMedium
Threat IndicatorElevation of Privilege
MITRE ATT&CK TacticsInitial Access
Defense Evasion
Lateral Movement
Command and Control
Log sourcesWindows Information Event Logs
False PositivesScripts and administrative tools used in the monitored environment
RecommendationsEngage the server owner (or Operations Team) to validate if service installation can be validated. If not, perform a full scan of the server and collect evidence of last user login, change initiator hostname and IP address.