
Summary
This detection rule identifies processes that modify the Windows services registry key outside the standard Windows API, which can indicate an adversary's attempt at stealthy persistence through abnormal service creation or modification. It uses an EQL query to monitor recent changes to specific registry paths and values tied to services. The rule examines relevant event logs across multiple platforms, such as Windows and Microsoft 365 Defender, and filters out legitimate modifications to focus on potentially malicious activity. An integral part of the analysis is investigating the execution context of the processes making these changes, which lets defenders distinguish normal system operations from potential threats. The rule also includes detailed triage and response guidelines, setting out the necessary investigation steps and describing false positives that can arise from legitimate software interacting with service registry keys.
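The detection logic described above, as an added illustration over constructed registry events (this is not the rule's own EQL query, and the rule's actual paths, value list and exclusions are not on this page). It assumes the services key lives under HKLM\SYSTEM\<ControlSet>\Services and that the Service Control Manager, services.exe, is the expected writer through the standard API; the monitored value names, the allow-list and the sample events are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Service configuration values that decide what runs and when (assumed set).
PERSISTENCE_VALUES = {"ImagePath", "ServiceDll", "Start", "Type", "FailureCommand"}

# Matches HKLM\SYSTEM\<ControlSet>\Services\<service>[\subkey...], case-insensitive.
# Group 1 is the service name; both CurrentControlSet and ControlSetNNN spellings count.
SERVICES_KEY = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)(?:\\(.*))?$",
    re.IGNORECASE,
)

# Writers expected to touch service keys via the normal API path (assumed allow-list:
# services.exe is the Service Control Manager). Real rules carry more exclusions.
EXPECTED_WRITERS = {r"c:\windows\system32\services.exe"}


@dataclass
class RegistryEvent:
    process_path: str    # executable that performed the registry write
    registry_path: str   # key path (without the value name)
    value_name: str      # value that was set


def is_unusual_service_persistence(ev: RegistryEvent) -> bool:
    """True when a service configuration value is written by a process other than the SCM."""
    if not SERVICES_KEY.match(ev.registry_path):
        return False
    if ev.value_name not in PERSISTENCE_VALUES:
        return False  # e.g. Description/DisplayName edits are not persistence-relevant
    return ev.process_path.lower() not in EXPECTED_WRITERS


def triage(events: List[RegistryEvent]) -> List[str]:
    """Return '<service> <- <writer>' for each flagged event, for analyst review."""
    hits = []
    for ev in events:
        if is_unusual_service_persistence(ev):
            hits.append(f"{SERVICES_KEY.match(ev.registry_path).group(1)} <- {ev.process_path}")
    return hits


# Constructed sample events: one normal SCM write, two unusual writers, one noise value.
SAMPLE_EVENTS = [
    RegistryEvent(r"C:\Windows\System32\services.exe",
                  r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv", "ImagePath"),
    RegistryEvent(r"C:\Users\Public\installer.exe",
                  r"HKLM\SYSTEM\ControlSet001\Services\updsvc", "ImagePath"),
    RegistryEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"HKLM\SYSTEM\CurrentControlSet\Services\svchostlike\Parameters", "ServiceDll"),
    RegistryEvent(r"C:\Users\Public\installer.exe",
                  r"HKLM\SYSTEM\CurrentControlSet\Services\updsvc", "Description"),
]
```

Flagged writers are the investigation leads the rule's triage guidance refers to; the allow-list is where legitimate installers would be tuned out to reduce false positives.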
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
- Malware Repository
ATT&CK Techniques
- T1543
- T1543.003
- T1112
Created: 2020-11-18