Event ID 4697 — A service was installed in the system.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Security System Extension
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

A service was installed in the system.

Message #

A service was installed in the system.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Service Information:
	Service Name: %5
	Service File Name: %6
	Service Type: %7
	Service Start Type: %8
	Service Account: %9

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID.
`SubjectUserName` UnicodeString	[Subject] Account Name.
`SubjectDomainName` UnicodeString	[Subject] Account Domain.
`SubjectLogonId` HexInt64	[Subject] Logon ID.
`ServiceName` UnicodeString	[Service Information] Service Name.
`ServiceFileName` UnicodeString	[Service Information] Service File Name.
`ServiceType` HexInt32	[Service Information] Service Type. Known values `1` Kernel Driver `2` File System Driver `4` Adapter `8` Recognizer Driver `16` Own Process `32` Share Process `256` Interactive
`ServiceStartType` UInt32	[Service Information] Service Start Type. Known values `0` Boot `1` System `2` Automatic `3` Manual `4` Disabled
`ServiceAccount` UnicodeString	[Service Information] Service Account.
`ClientProcessStartKey` UInt64	—
`ClientProcessId` UInt32	—
`ParentProcessId` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4697,
    "version": 1,
    "level": 0,
    "task": 12289,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2022-04-04T14:08:37.173232+00:00",
    "event_record_id": 34393,
    "correlation": {
      "ActivityID": "7377737E-4825-0000-C974-77732548D801"
    },
    "execution": {
      "process_id": 612,
      "thread_id": 3964
    },
    "channel": "Security",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WIN-TKC15D7KHUR$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "ServiceName": "MpKsl6680716f",
    "ServiceFileName": "C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{94297FD4-6E63-4B60-B47B-85D76376014D}\\MpKslDrv.sys",
    "ServiceType": "0x1",
    "ServiceStartType": 3,
    "ServiceAccount": "LocalSystem",
    "ClientProcessStartKey": 1407374883553325,
    "ClientProcessId": 1796,
    "ParentProcessId": 604
  },
  "message": ""
}

Detection Patterns #

Security-Auditing Event ID 4624: An account was successfully logged on.→Event ID 4697: A service was installed in the system.

2 rules

Elastic

Remote Windows Service Installed (source)

Elastic

Service Creation via Local Kerberos Authentication (source)

Elastic

Persistence: Windows Service

Security-Auditing Event ID 4697: A service was installed in the system.ORService-Control-Manager Event ID 7045: A service was installed in the system.

1 rule

Elastic

Suspicious Service was Installed in the System (source)

Elastic

Lateral Movement: Exploitation of Remote Services

Security-Auditing Event ID 4624: An account was successfully logged on.→Event ID 4688: A new process has been created.→Event ID 4697: A service was installed in the system.→Event ID 4698: A scheduled task was created.→Event ID 4699: A scheduled task was deleted.→Event ID 4700: A scheduled task was enabled.→Event ID 4701: A scheduled task was disabled.→Event ID 4702: A scheduled task was updated.→Event ID 5145: A network share object was checked to see whether client can be granted desired access.

1 rule

Kusto Query Language

Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task (source)

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

CobaltStrike Service Installations - Security source high: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
HybridConnectionManager Service Installation source high: Rule to detect the Hybrid Connection Manager service installation.
Invoke-Obfuscation CLIP+ Launcher - Security source high: Detects Obfuscated use of Clip.exe to execute PowerShell

Show 17 more (21 total)

Invoke-Obfuscation Obfuscated IEX Invocation - Security source high: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
Invoke-Obfuscation STDIN+ Launcher - Security source high: Detects Obfuscated use of stdin to execute PowerShell
Invoke-Obfuscation VAR+ Launcher - Security source high: Detects Obfuscated use of Environment Variables to execute PowerShell
Invoke-Obfuscation COMPRESS OBFUSCATION - Security source medium: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Invoke-Obfuscation RUNDLL LAUNCHER - Security source medium: Detects Obfuscated Powershell via RUNDLL LAUNCHER
Invoke-Obfuscation Via Stdin - Security source high: Detects Obfuscated Powershell via Stdin in Scripts
Invoke-Obfuscation Via Use Clip - Security source high: Detects Obfuscated Powershell via use Clip.exe in Scripts
Invoke-Obfuscation Via Use MSHTA - Security source high: Detects Obfuscated Powershell via use MSHTA in Scripts
Invoke-Obfuscation Via Use Rundll32 - Security source high: Detects Obfuscated Powershell via use Rundll32 in Scripts
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security source high: Detects Obfuscated Powershell via VAR++ LAUNCHER
Credential Dumping Tools Service Execution - Security source high: Detects well-known credential dumping tools execution via service execution events
Metasploit Or Impacket Service Installation Via SMB PsExec source high: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
Meterpreter or Cobalt Strike Getsystem Service Installation - Security source high: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
Windows Pcap Drivers source medium: Detects Windows Pcap driver installation based on a list of associated .sys files.
PowerShell Scripts Installed as Services - Security source high: Detects powershell script installed as a Service
Remote Access Tool Services Have Been Installed - Security source medium: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
Service Installed By Unusual Client - Security source high: Detects a service installed by a client which has PID 0 or whose parent has PID 0

Elastic # view in reference

Windows Service Installed via an Unusual Client source high: Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4697
Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 4697 — A service was installed in the system.

Description

Message #

Fields #

Example Event #

Detection Patterns #

Elastic

Persistence: Windows Service

Elastic

Lateral Movement: Exploitation of Remote Services

Kusto Query Language

Detection Rules #

Sigma # view in reference

Elastic # view in reference

Related Events #

References #