Service Control Manager
91 events across 1 channel
Event ID 7000

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| Binary | — | — |

Example Event

```json
{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7000,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2023-11-06T00:51:17.873154+00:00",
    "event_record_id": 2133,
    "correlation": {},
    "execution": {
      "process_id": 780,
      "thread_id": 15664
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "Avira Security",
    "param2": "%%1053",
    "Binary": "41007600690072006100530065006300750072006900740079000000"
  },
  "message": ""
}
```

References

- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7001

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| param3 | UnicodeString | — |
| Binary | — | — |

Example Event

```json
{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7001,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2022-04-04T08:05:16.553984+00:00",
    "event_record_id": 819,
    "correlation": {},
    "execution": {
      "process_id": 604,
      "thread_id": 5640
    },
    "channel": "System",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "Microsoft Defender Antivirus Network Inspection Service",
    "param2": "Microsoft Defender Antivirus Network Inspection System Driver",
    "param3": "%%1062",
    "Binary": "570064004E00690073005300760063000000"
  },
  "message": ""
}
```

References

- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7002

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| __binLength | UInt32 | — |
| BinaryData | Binary | — |

Event ID 7003

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| __binLength | UInt32 | — |
| BinaryData | Binary | — |

Event ID 7005

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |

Event ID 7006

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| param3 | UnicodeString | — |
Event ID 7007

Event ID 7008

Event ID 7009

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| Binary | — | — |

Example Event

```json
{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7009,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2023-11-06T00:51:17.873154+00:00",
    "event_record_id": 2132,
    "correlation": {},
    "execution": {
      "process_id": 780,
      "thread_id": 15664
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "30000",
    "param2": "Avira Security",
    "Binary": "41007600690072006100530065006300750072006900740079000000"
  },
  "message": ""
}
```

References

- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7010

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
Event ID 7011

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |

Example Event

```json
{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7011,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2016-08-18T15:43:00.939453Z",
    "event_record_id": 5503,
    "correlation": {},
    "execution": {
      "process_id": 476,
      "thread_id": 200
    },
    "channel": "System",
    "computer": "IE10Win7",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "30000",
    "param2": "ShellHWDetection"
  }
}
```

References

- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7012

Event ID 7013

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |

Event ID 7014

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |

Event ID 7016

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |

Event ID 7017

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| __binLength | UInt32 | — |
| BinaryData | Binary | — |

Event ID 7018

Event ID 7019

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| __binLength | UInt32 | — |
| BinaryData | Binary | — |

Event ID 7020

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| __binLength | UInt32 | — |
| BinaryData | Binary | — |

Event ID 7021

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
Event ID 7022

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| Binary | — | — |

Example Event

```json
{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7022,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2022-03-04T08:47:55.688837+00:00",
    "event_record_id": 154,
    "correlation": {},
    "execution": {
      "process_id": 596,
      "thread_id": 2804
    },
    "channel": "System",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "Network Connection Broker",
    "Binary": "4E006300620053006500720076006900630065000000"
  },
  "message": ""
}
```

References

- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7023

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| Binary | — | — |

Example Event

```json
{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7023,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2022-04-07T16:53:23.388188+00:00",
    "event_record_id": 1227,
    "correlation": {},
    "execution": {
      "process_id": 648,
      "thread_id": 940
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "IsmServ",
    "param2": "%%58",
    "Binary": "490073006D0053006500720076000000"
  },
  "message": ""
}
```

Detection Rules

Sigma

- Windows Service Terminated With Error (level: low): Detects Windows services that got terminated for whatever reason
- Important Windows Service Terminated With Error (level: high): Detects important or interesting Windows services that got terminated for whatever reason

References

- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7024

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| Binary | — | — |
| __binLength | UInt32 | — |
| BinaryData | Binary | — |

Example Event

```json
{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7024,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2025-12-31T19:34:50.495914+00:00",
    "event_record_id": 320,
    "correlation": {},
    "execution": {
      "process_id": 844,
      "thread_id": 1716
    },
    "channel": "System",
    "computer": "WIN11-22H2-X64",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "Background Intelligent Transfer Service",
    "param2": "%%2147943515",
    "Binary": "42004900540053000000"
  },
  "message": ""
}
```
Event ID 7026

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |

Example Event

```json
{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7026,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2023-11-06T06:25:44.324901+00:00",
    "event_record_id": 1704,
    "correlation": {},
    "execution": {
      "process_id": 780,
      "thread_id": 784
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "\r\ndam"
  },
  "message": ""
}
```

References

- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7027

Event ID 7028

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
Event ID 7029

Event ID 7030

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |

Example Event

```json
{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7030,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2023-11-05T23:37:12.953025+00:00",
    "event_record_id": 2023,
    "correlation": {},
    "execution": {
      "process_id": 780,
      "thread_id": 7872
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "Foxit PDF Reader Update Service"
  },
  "message": ""
}
```

References

- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7031

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| param3 | UnicodeString | — |
| param4 | UnicodeString | — |
| param5 | UnicodeString | — |
| Binary | — | — |
| __binLength | UInt32 | — |
| BinaryData | Binary | — |

Example Event

```json
{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7031,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2026-03-13T23:10:29.710970+00:00",
    "event_record_id": 12403,
    "correlation": {},
    "execution": {
      "process_id": 928,
      "thread_id": 13104
    },
    "channel": "System",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "Active Directory Federation Services",
    "param2": "1",
    "param3": "120000",
    "param4": "1",
    "param5": "Restart the service",
    "Binary": "61006400660073007300720076000000"
  },
  "message": ""
}
```
Event ID 7032

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| param3 | UnicodeString | — |
| param4 | UnicodeString | — |
Event ID 7034

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| Binary | — | — |

Example Event

```json
{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7034,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2023-10-25T22:56:14.228587+00:00",
    "event_record_id": 1465,
    "correlation": {},
    "execution": {
      "process_id": 800,
      "thread_id": 7704
    },
    "channel": "System",
    "computer": "WinDevEval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "OpenSSH SSH Server",
    "param2": "1",
    "Binary": "73007300680064000000"
  },
  "message": ""
}
```

Detection Rules

Sigma

- Important Windows Service Terminated Unexpectedly (level: high): Detects important or interesting Windows services that got terminated unexpectedly.

References

- Microsoft Learn: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd349369(v=ws.10)
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7035

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
Event ID 7036 — The Microsoft Software Shadow Copy Provider service entered the stopped state.

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| Binary | — | — |

Example Event

```json
{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7036,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2022-04-07T17:43:20.414968+00:00",
    "event_record_id": 1330,
    "correlation": {},
    "execution": {
      "process_id": 648,
      "thread_id": 2116
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "Portable Device Enumerator Service",
    "param2": "stopped",
    "Binary": "57005000440042007500730045006E0075006D002F0031000000"
  },
  "message": ""
}
```

Detection Rules

Sigma

- Windows Defender Threat Detection Service Disabled (level: medium): Detects when the "Windows Defender Threat Protection" service is disabled.

Splunk

- First Time Seen Running Windows Service: The following analytic detects the first occurrence of a Windows service running in your environment. It leverages Windows system event logs, specifically EventCode 7036, to identify services entering the "running" state. This activity is significant because the appearance of a new or previously unseen service could indicate the installation of unauthorized or malicious software. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, maintain persistence, or escalate privileges within the environment. Monitoring for new services helps in early detection of potential threats.
- Windows Cisco Secure Endpoint Related Service Stopped: The following analytic detects the suspicious termination of known services commonly targeted by ransomware before file encryption. It leverages Windows System Event Logs (EventCode 7036) to identify when critical services such as Volume Shadow Copy, backup, and antivirus services are stopped. This activity is significant because ransomware often disables these services to avoid errors and ensure successful file encryption. If confirmed malicious, this behavior could lead to widespread data encryption, rendering files inaccessible and potentially causing significant operational disruption and data loss.
- Windows Security And Backup Services Stop: The following analytic detects the suspicious termination of known services commonly targeted by ransomware before file encryption. It leverages Windows System Event Logs (EventCode 7036) to identify when critical services such as Volume Shadow Copy, backup, and antivirus services are stopped. This activity is significant because ransomware often disables these services to avoid errors and ensure successful file encryption. If confirmed malicious, this behavior could lead to widespread data encryption, rendering files inaccessible and potentially causing significant operational disruption and data loss.

References

- Microsoft Learn: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc756308(v=ws.10)
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 7037

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
Event ID 7038

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| param3 | UnicodeString | — |

Example Event

```json
{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7038,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2026-03-13T19:07:40.053438+00:00",
    "event_record_id": 10993,
    "correlation": {},
    "execution": {
      "process_id": 864,
      "thread_id": 13408
    },
    "channel": "System",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "wlidsvc",
    "param2": "NT AUTHORITY\\SYSTEM",
    "param3": "%%1722"
  },
  "message": ""
}
```
Event ID 7039

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| param3 | UnicodeString | — |
Event ID 7040 — The start type of the msdsm service was changed from boot start to demand start.

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| param3 | UnicodeString | — |
| param4 | UnicodeString | — |

Example Event

```json
{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7040,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2023-11-06T01:41:08.983907+00:00",
    "event_record_id": 2166,
    "correlation": {},
    "execution": {
      "process_id": 780,
      "thread_id": 21180
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "param1": "OpenSSH Authentication Agent",
    "param2": "disabled",
    "param3": "auto start",
    "param4": "ssh-agent"
  },
  "message": ""
}
```

Detection Rules

Splunk

- Windows Event For Service Disabled: The following analytic detects when a Windows service is modified from a start type to disabled. It leverages system event logs, specifically EventCode 7040, to identify this change. This activity is significant because adversaries often disable security or other critical services to evade detection and maintain control over a compromised host. If confirmed malicious, this action could allow attackers to bypass security defenses, leading to further exploitation and persistence within the environment.
- Windows Excessive Disabled Services Event: The following analytic identifies an excessive number of system events where services are modified from start to disabled. It leverages Windows Event Logs (EventCode 7040) to detect multiple service state changes on a single host. This activity is significant as it may indicate an adversary attempting to disable security applications or other critical services, potentially leading to defense evasion or destructive actions. If confirmed malicious, this behavior could allow attackers to disable security defenses, disrupt system operations, and achieve their objectives on the compromised system.
- Windows Service Stop Win Updates: The following analytic detects the disabling of Windows Update services, such as "Update Orchestrator Service for Windows Update," "WaaSMedicSvc," and "Windows Update." It leverages Windows System Event ID 7040 logs to identify changes in service start modes to 'disabled.' This activity is significant as it can indicate an adversary's attempt to evade defenses by preventing critical updates, leaving the system vulnerable to exploits. If confirmed malicious, this could allow attackers to maintain persistence and exploit unpatched vulnerabilities, compromising the integrity and security of the affected host.

References

- Microsoft Learn: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc756386(v=ws.10)
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 7041

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |

Example Event

```json
{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7041,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2026-03-13T20:17:37.908345+00:00",
    "event_record_id": 11763,
    "correlation": {},
    "execution": {
      "process_id": 960,
      "thread_id": 9408
    },
    "channel": "System",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "EvtGenSvc",
    "param2": ".\\domainadmin"
  },
  "message": ""
}
```
Event ID 7042

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| param3 | UnicodeString | — |
| param4 | UnicodeString | — |
| param5 | UnicodeString | — |
| Binary | — | — |

Example Event

```json
{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7042,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2022-04-04T12:00:04.609673+00:00",
    "event_record_id": 1436,
    "correlation": {},
    "execution": {
      "process_id": 604,
      "thread_id": 3184
    },
    "channel": "System",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "param1": "TCP/IP NetBIOS Helper",
    "param2": "stop",
    "param3": "0x40030011",
    "param4": "Operating System: Network Connectivity (Planned)",
    "param5": "None",
    "Binary": "6C006D0068006F007300740073000000"
  },
  "message": ""
}
```

References

- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7043

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| Binary | — | — |

Example Event

```json
{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7043,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2022-04-04T13:06:45.664309+00:00",
    "event_record_id": 1473,
    "correlation": {
      "ActivityID": "CDD19977-4814-0000-6779-D2CD1448D801"
    },
    "execution": {
      "process_id": 604,
      "thread_id": 512
    },
    "channel": "System",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "Update Orchestrator Service",
    "Binary": "550073006F005300760063000000"
  },
  "message": ""
}
```

References

- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7044

Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| __binLength | UInt32 | — |
| BinaryData | Binary | — |
Event ID 7045 — A service was installed in the system.

Fields

| Name | Type | Description |
|---|---|---|
| ServiceName | UnicodeString | Name of the installed service |
| ImagePath | UnicodeString | Full path to the executable run when the service is started |
| ServiceType | UnicodeString | — |
| StartType | UnicodeString | — |
| AccountName | UnicodeString | — |

Example Event

```json
{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7045,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2023-11-06T01:01:12.620648+00:00",
    "event_record_id": 2150,
    "correlation": {},
    "execution": {
      "process_id": 780,
      "thread_id": 21724
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "ServiceName": "TeamViewer",
    "ImagePath": "\"C:\\Program Files\\TeamViewer\\TeamViewer_Service.exe\"",
    "ServiceType": "user mode service",
    "StartType": "auto start",
    "AccountName": "LocalSystem"
  },
  "message": ""
}
```

Detection Rules

Sigma

- CobaltStrike Service Installations - System (level: critical): Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
- smbexec.py Service Installation (level: high): Detects the use of the smbexec.py tool by detecting a specific service installation
- Invoke-Obfuscation CLIP+ Launcher - System (level: high): Detects obfuscated use of Clip.exe to execute PowerShell
- Invoke-Obfuscation Obfuscated IEX Invocation - System (level: high): Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework, from the code block linked in the references
- Invoke-Obfuscation STDIN+ Launcher - System (level: high): Detects obfuscated use of stdin to execute PowerShell
- Invoke-Obfuscation VAR+ Launcher - System (level: high): Detects obfuscated use of environment variables to execute PowerShell
- Invoke-Obfuscation COMPRESS OBFUSCATION - System (level: medium): Detects obfuscated PowerShell via COMPRESS OBFUSCATION
- Invoke-Obfuscation RUNDLL LAUNCHER - System (level: medium): Detects obfuscated PowerShell via RUNDLL LAUNCHER
- Invoke-Obfuscation Via Stdin - System (level: high): Detects obfuscated PowerShell via stdin in scripts
- Invoke-Obfuscation Via Use Clip - System (level: high): Detects obfuscated PowerShell via use of Clip.exe in scripts
- Invoke-Obfuscation Via Use MSHTA - System (level: high): Detects obfuscated PowerShell via use of MSHTA in scripts
- Invoke-Obfuscation Via Use Rundll32 - System (level: high): Detects obfuscated PowerShell via use of Rundll32 in scripts
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System (level: high): Detects obfuscated PowerShell via VAR++ LAUNCHER
- KrbRelayUp Service Installation (level: high): Detects service creation from the KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default setting)
- Credential Dumping Tools Service Execution - System (level: high): Detects well-known credential dumping tools executed via service execution events
- Meterpreter or Cobalt Strike Getsystem Service Installation - System (level: high): Detects the use of the getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
- Moriya Rootkit - System (level: critical): Detects the use of the Moriya rootkit as described in Securelist's Operation TunnelSnake report
- PowerShell Scripts Installed as Services (level: high): Detects a PowerShell script installed as a service
- Anydesk Remote Access Software Service Installation (level: medium): Detects the installation of the AnyDesk software service, which could be an indication of AnyDesk abuse if the software isn't already in use.
- CSExec Service Installation (level: medium): Detects CSExec service installation and execution events

Splunk

- Clop Ransomware Known Service Name: The following analytic identifies the creation of a service with a known name used by CLOP ransomware for persistence and high-privilege code execution. It detects this activity by monitoring Windows Event Logs (EventCode 7045) for specific service names ("SecurityCenterIBM", "WinCheckDRVs"). This activity is significant because the creation of such services is a common tactic used by ransomware to maintain control over infected systems. If confirmed malicious, this could allow attackers to execute code with elevated privileges, maintain persistence, and potentially disrupt or encrypt critical data.
- Malicious Powershell Executed As A Service: The following analytic identifies the execution of malicious PowerShell commands or payloads via the Windows SC.exe utility. It detects this activity by analyzing Windows System logs (EventCode 7045) and filtering for specific PowerShell-related patterns in the ImagePath field. This behavior is significant because it indicates potential abuse of the Windows Service Control Manager to run unauthorized or harmful scripts, which could lead to system compromise. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.
- Randomly Generated Windows Service Name: The following analytic detects the installation of a Windows Service with a suspicious, high-entropy name, indicating potential malicious activity. It leverages Event ID 7045 and the `ut_shannon` function from the URL ToolBox Splunk application to identify services with random names. This behavior is significant as adversaries often use randomly named services for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.
- Windows Bluetooth Service Installed From Uncommon Location: Identifies the creation of a Windows service named "BluetoothService" with a binary path in user-writable directories, particularly %AppData%\Bluetooth. This technique was observed in the Lotus Blossom Chrysalis backdoor campaign, where attackers created a service named "BluetoothService" pointing to a malicious binary (renamed Bitdefender Submission Wizard) in a hidden AppData directory. While legitimate Bluetooth services exist in Windows, they are system services with binaries in System32. Any BluetoothService created with a binary path in user directories (AppData, Temp, Downloads) is highly suspicious and indicates potential malware persistence.
- Windows Driver Load Non-Standard Path: The following analytic detects the loading of new Kernel Mode Drivers from non-standard paths using Windows EventCode 7045. It identifies drivers not located in typical directories like Windows, Program Files, or SystemRoot. This activity is significant because adversaries may use these non-standard paths to load malicious or vulnerable drivers, potentially bypassing security controls. If confirmed malicious, this could allow attackers to execute code at the kernel level, escalate privileges, or maintain persistence within the environment, posing a severe threat to system integrity and security.
- Windows KrbRelayUp Service Creation: The following analytic detects the creation of a service with the default name "KrbSCM" associated with the KrbRelayUp tool. It leverages Windows System Event Logs, specifically EventCode 7045, to identify this activity. This behavior is significant as KrbRelayUp is a known tool used for privilege escalation attacks. If confirmed malicious, this activity could allow an attacker to escalate privileges, potentially gaining unauthorized access to sensitive systems and data.
- Windows Service Create RemComSvc: The following analytic detects the creation of the RemComSvc service on a Windows endpoint, typically indicating lateral movement using RemCom.exe. It leverages Windows EventCode 7045 from the System event log, specifically looking for the "RemCom Service" name. This activity is significant as it often signifies unauthorized lateral movement within the network, which is a common tactic used by attackers to spread malware or gain further access. If confirmed malicious, this could lead to unauthorized access to sensitive systems, data exfiltration, or further compromise of the network.
- Windows Service Create SliverC2: The following analytic detects the creation of a Windows service named "Sliver" with the description "Sliver Implant," indicative of SliverC2 lateral movement using the PsExec module. It leverages Windows EventCode 7045 from the System Event log to identify this activity. This behavior is significant as it may indicate an adversary's attempt to establish persistence or execute commands remotely. If confirmed malicious, this activity could allow attackers to maintain control over the compromised system, execute arbitrary code, and further infiltrate the network.
- Windows Service Created with Suspicious Service Name: The following analytic detects the creation of a Windows Service with a known suspicious or malicious name using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify these service installations. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment.
- Windows Service Created with Suspicious Service Path: The following analytic detects the creation of a Windows Service with a binary path located in uncommon directories, using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify services installed outside typical system directories. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment.
- Windows Snake Malware Service Create: The following analytic detects the creation of a new service named WerFaultSvc with a binary path in the Windows WinSxS directory. It leverages Windows System logs, specifically EventCode 7045, to identify this activity. This behavior is significant because it indicates the presence of Snake malware, which uses this service to maintain persistence by blending in with legitimate Windows services. If confirmed malicious, this activity could allow an attacker to execute Snake malware components, leading to potential data exfiltration, system compromise, and long-term persistence within the environment.
- Windows Vulnerable Driver Installed: The following analytic detects the loading of known vulnerable Windows drivers, which may indicate potential persistence or privilege escalation attempts. It leverages Windows System service install EventCode 7045 to identify driver loading events and cross-references them with a list of vulnerable drivers. This activity is significant as attackers often exploit vulnerable drivers to gain elevated privileges or maintain persistence on a system. If confirmed malicious, this could allow attackers to execute arbitrary code with high privileges, leading to further system compromise and potential data exfiltration. This detection is a Windows Event Log adaptation of the Sysmon driver loaded detection written by Michael Haag.
Kusto Query Language #
- Credential Dumping Tools - Service Installation source high: This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/troubleshoot-unexpected-reboots-system-event-logs
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/persistence/evtx-7045-service-install.md
Event ID 7046 —
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | — |
Event ID 1073748859 — The param1 service was successfully sent a param2 control.
Event ID 1073748860 — The param1 service entered the param2 state.
Event ID 1073748864 — The start type of the param1 service was changed from param2 to param3.
Event ID 1073748866 — The param1 service was successfully sent a param2 control.
Event ID 1073748869 — A service was installed in the system.
Description
A service was installed in the system.
Message #
Fields #
| Name | Description |
|---|---|
ServiceName UnicodeString | — |
ImagePath UnicodeString | — |
ServiceType UnicodeString | — Known values |
StartType UnicodeString | — Known values |
AccountName UnicodeString | — |
Event ID 2147490687 — A service process other than the one launched by the Service Control Manager connected when starting the param1 service.
Description
A service process other than the one launched by the Service Control Manager connected when starting the param1 service. The Service Control Manager launched process param2 and process param3 connected instead.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | — |
param2 UnicodeString | — |
param3 UnicodeString | — |
Event ID 2147490692 — The following service is taking more than param2 minutes to start and may have stopped responding: param1 Contact your system administrator or service vend...
Event ID 2147490694 — The following service has repeatedly stopped responding to service control requests: param1 Contact the service vendor or the system administrator abou...
Event ID 2147490695 — The following services failed to start during a run level switch: {Failed Service Names}Please start the services manually and retry the run level ...
Message #
Event ID 3221232472 — The param1 service failed to start due to the following error: param2.
Event ID 3221232473 — The param1 service depends on the param2 service which failed to start because of the following error: param3.
Event ID 3221232474 — The param1 service depends on the param2 group and no member of this group started.
Event ID 3221232475 — The param1 service depends on the following service: param2.
Event ID 3221232477 — The param1 call failed with the following error: param2.
Event ID 3221232478 — The param1 call failed for param2 with the following error: param3.
Event ID 3221232479 — The system reverted to its last known good configuration.
Description
The system reverted to its last known good configuration. The system is restarting....
Message #
Event ID 3221232480 — No backslash is in the account name.
Description
No backslash is in the account name. The account name must be in the form: domain\user.
Message #
Event ID 3221232481 — A timeout was reached (param1 milliseconds) while waiting for the param2 service to connect.
Event ID 3221232482 — A timeout (param1 milliseconds) was reached while waiting for ReadFile.
Event ID 3221232483 — A timeout (param1 milliseconds) was reached while waiting for a transaction response from the param2 service.
Event ID 3221232484 — The message returned in the transaction has incorrect size.
Description
The message returned in the transaction has incorrect size.
Message #
Event ID 3221232485 — Logon attempt with current password failed with the following error.
Event ID 3221232486 — Second logon attempt with old password also failed with the following error.
Event ID 3221232487 — Boot-start or system-start driver ({param1}) must not depend on a service.
Event ID 3221232488 — The param1 service has reported an invalid current state param2.
Event ID 3221232489 — Detected circular dependencies demand starting param1.
Event ID 3221232490 — Detected circular dependencies auto-starting services.
Description
Detected circular dependencies auto-starting services. Check the service dependency tree.
Message #
Event ID 3221232491 — The param1 service depends on a service in a group which starts later.
Event ID 3221232492 — The param1 service depends on a group which starts later.
Event ID 3221232493 — About to revert to the last known good configuration because the param1 service failed to start.
Event ID 3221232494 — The param1 service hung on starting.
Event ID 3221232495 — The param1 service terminated with the following error: param2.
Event ID 3221232496 — The param1 service terminated with the following service-specific error: param2.
Event ID 3221232497 — At least one service or driver failed during system startup.
Description
At least one service or driver failed during system startup. Use Event Viewer to examine the event log for details.
Message #
Event ID 3221232498 — The following boot-start or system-start driver(s) did not load: param1.
Event ID 3221232499 — Windows could not be started as configured.
Description
Windows could not be started as configured. Starting Windows using a previous working configuration.
Message #
Event ID 3221232500 — The param1 Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.
Event ID 3221232501 — Service Control Manager
Description
Service Control Manager.
Message #
Event ID 3221232502 — The param1 service is marked as an interactive service.
Event ID 3221232503 — The param1 service terminated unexpectedly.
Description
The param1 service terminated unexpectedly. It has done this param2 time(s). The following corrective action will be taken in param3 milliseconds: param5.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | — |
param2 UnicodeString | — |
param3 UnicodeString | — |
param4 UnicodeString | — |
param5 UnicodeString | — |
BinaryData Binary | — |
Event ID 3221232504 — The Service Control Manager tried to take a corrective action (param2) after the unexpected termination of the param3 service, but this action failed with ...
Description
The Service Control Manager tried to take a corrective action (param2) after the unexpected termination of the param3 service, but this action failed with the following error.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | — |
param2 UnicodeString | — |
param3 UnicodeString | — |
param4 UnicodeString | — |