Hunting for Unusual Service Installations
Overview
Attackers frequently install malicious Windows services for persistence and privilege escalation (MITRE ATT&CK T1543.003 — Create or Modify System Process: Windows Service). Event ID 7045 in the System event log records every new service installation. This skill parses .evtx log files to extract service installation events, flags suspicious binary paths (temp directories, PowerShell, cmd.exe, encoded commands), and correlates with known attack patterns.
When to Use
- When investigating security incidents that require hunting for unusual service installations
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Python 3.9+ with
python-evtx,lxml - Windows System event log (.evtx) files
- Access to live System event log (optional, for real-time monitoring)
- Sysmon logs for enhanced process tracking (optional)
Steps
- Parse System.evtx for Event ID 7045 (new service installed)
- Extract service name, binary path, service type, and account
- Flag services with suspicious binary paths (temp dirs, encoded commands)
- Detect PowerShell-based service creation patterns
- Identify services running as LocalSystem with unusual paths
- Cross-reference with known legitimate service baselines
- Generate threat hunting report with MITRE ATT&CK T1543.003 mapping
Expected Output
- JSON report listing all new service installations with risk scores, suspicious indicators, and remediation recommendations
- Timeline of service installation events with binary path analysis