A new service was installed and started on a critical Windows server
This alert is triggered whenever a new service is installed on one of the critical Windows servers.
The customer is to provide the list of critical servers that this query will monitor.
Elevation of Privilege
MITRE ATT&CK Tactics
Command and Control
Windows Information Event Logs
Scripts and administrative tools used in the monitored environment
Engage the server owner (or Operations Team) to confirm whether the service installation was authorized. If it was not, perform a full scan of the server and collect evidence of the last user login and the hostname and IP address of the host that initiated the change.
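As an added illustration of the detection logic this use case describes (example code written for this page, not part of the original rule or any vendor's query), the following Python script filters Windows service-installation events (Event ID 7045 from the Service Control Manager, and Security Event ID 4697) down to a customer-supplied critical-server list, and suppresses installations launched from a known administrative tooling path to cover the false-positive case noted above. The critical-server names, the allowlisted path, and the key=value event lines are all constructed placeholders; a real deployment would feed it the customer's list and the SIEM's parsed events.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Placeholder critical-server list: the real list comes from the customer.
CRITICAL_SERVERS = {"DC01", "SQL01", "FILE01"}

# Windows event IDs that record a new service installation:
#   7045 - System log, Service Control Manager ("A new service was installed")
#   4697 - Security log ("A service was installed in the system")
SERVICE_INSTALL_EVENT_IDS = {7045, 4697}

# Constructed allowlist of image-path prefixes for administrative tooling the
# environment already uses (here the SCCM client directory). Installations
# from these paths are suppressed to handle the known false-positive case.
DEFAULT_ALLOWLIST = ("C:\\Windows\\CCM\\",)

# key=value tokens; values may be quoted to allow spaces (constructed format).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Alert:
    host: str
    event_id: int
    service_name: str
    image_path: str
    subject: str


def normalize_host(name: str) -> str:
    """Treat 'dc01.corp.local' and 'DC01' as the same server."""
    return name.split(".")[0].upper()


def parse_event(line: str) -> dict:
    """Parse one constructed key=value event line into a dict."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in KV_RE.findall(line)}


def detect(lines: Iterable[str],
           critical_servers=CRITICAL_SERVERS,
           allowlist=DEFAULT_ALLOWLIST) -> List[Alert]:
    """Return one Alert per service installation on a critical server."""
    critical = {normalize_host(h) for h in critical_servers}
    alerts = []
    for line in lines:
        ev = parse_event(line)
        try:
            event_id = int(ev.get("event_id", ""))
        except ValueError:
            continue  # malformed line: skip it rather than stop the pipeline
        if event_id not in SERVICE_INSTALL_EVENT_IDS:
            continue
        host = normalize_host(ev.get("host", ""))
        if host not in critical:
            continue
        image_path = ev.get("image_path", "")
        if any(image_path.lower().startswith(p.lower()) for p in allowlist):
            continue  # known administrative tooling, documented false positive
        alerts.append(Alert(host, event_id, ev.get("service_name", ""),
                            image_path, ev.get("subject", "")))
    return alerts


# Constructed sample events: two genuine hits (DC01, SQL01), one workstation,
# one non-install event (7036, service state change), one allowlisted install.
SAMPLE_EVENTS = [
    r'host=dc01.corp.local event_id=7045 service_name="BackupAgent" image_path="C:\Program Files\BackupVendor\agent.exe" subject=CORP\svc_backup',
    r'host=WKS042 event_id=7045 service_name="PrintMonitor" image_path="C:\Program Files\Printer\mon.exe" subject=CORP\jdoe',
    r'host=SQL01 event_id=4697 service_name="TelemetrySvc" image_path="C:\Windows\Temp\telemetry.exe" subject=CORP\jdoe',
    r'host=FILE01 event_id=7036 service_name="Spooler" state=running',
    r'host=FILE01 event_id=7045 service_name="CcmExec" image_path="C:\Windows\CCM\CcmExec.exe" subject="NT AUTHORITY\SYSTEM"',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT {a.host}: event {a.event_id} installed '{a.service_name}' "
              f"from {a.image_path} (subject {a.subject})")
```

The allowlist keys on the image path only, so it should stay narrow and cover only directories that are writable by administrators alone; the subject field and the installing process are what the responder checks with the server owner in the response step above.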