Module svc_diff 

Windows service anomaly detector (svc_diff).

Reads service configurations from the SYSTEM hive at SYSTEM\CurrentControlSet\Services and classifies each service entry for forensic anomalies such as suspicious image paths, missing descriptions, or unusual start types.

Maps to MITRE ATT&CK T1543.003 (Create or Modify System Process: Windows Service).

Structs

ServiceEntry

A single service entry extracted from the SYSTEM registry hive.

Functions

classify_service

Classify a service entry for forensic anomalies.

parse

Extract all service entries from a SYSTEM hive.