Event ID 7040 — The start type of the msdsm service was changed from boot start to demand start.
Fields

| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | — |
| param2 | UnicodeString | — |
| param3 | UnicodeString | — |
| param4 | UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7040,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2023-11-06T01:41:08.983907+00:00",
    "event_record_id": 2166,
    "correlation": {},
    "execution": {
      "process_id": 780,
      "thread_id": 21180
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "param1": "OpenSSH Authentication Agent",
    "param2": "disabled",
    "param3": "auto start",
    "param4": "ssh-agent"
  },
  "message": ""
}
```
Detection Rules

Splunk
- Windows Event For Service Disabled: The following analytic detects when a Windows service is modified from a start type to disabled. It leverages system event logs, specifically EventCode 7040, to identify this change. This activity is significant because adversaries often disable security or other critical services to evade detection and maintain control over a compromised host. If confirmed malicious, this action could allow attackers to bypass security defenses, leading to further exploitation and persistence within the environment.
- Windows Excessive Disabled Services Event: The following analytic identifies an excessive number of system events where services are modified from start to disabled. It leverages Windows Event Logs (EventCode 7040) to detect multiple service state changes on a single host. This activity is significant as it may indicate an adversary attempting to disable security applications or other critical services, potentially leading to defense evasion or destructive actions. If confirmed malicious, this behavior could allow attackers to disable security defenses, disrupt system operations, and achieve their objectives on the compromised system.
- Windows Service Stop Win Updates: The following analytic detects the disabling of Windows Update services, such as "Update Orchestrator Service for Windows Update," "WaaSMedicSvc," and "Windows Update." It leverages Windows System Event ID 7040 logs to identify changes in service start modes to 'disabled.' This activity is significant as it can indicate an adversary's attempt to evade defenses by preventing critical updates, leaving the system vulnerable to exploits. If confirmed malicious, this could allow attackers to maintain persistence and exploit unpatched vulnerabilities, compromising the integrity and security of the affected host.
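The three detection ideas above, implemented over 7040 events in the JSON layout of the example, as an added illustration that is not part of this page or of the Splunk rules. It assumes the parameter mapping follows the order of the event message text ("changed from param2 to param3", so param3 is the new start type), assumes the short names `wuauserv`, `UsoSvc` and `WaaSMedicSvc` for the Windows Update services, and uses a constructed sample event set and an arbitrary "excessive" threshold of 10.

```python
from collections import Counter

# Assumed mapping, taken from the message template order
# ("The start type of the <param1> service was changed from <param2> to <param3>"):
# param1 = display name, param2 = previous start type,
# param3 = new start type, param4 = service short name.
UPDATE_SERVICES = {"wuauserv", "UsoSvc", "WaaSMedicSvc"}  # assumed short names
EXCESSIVE_THRESHOLD = 10  # assumed per-host count that counts as "excessive"


def evt(computer, display, old, new, name, record_id):
    """Build a minimal 7040 event in the page's JSON layout (constructed)."""
    return {"system": {"event_id": 7040, "computer": computer,
                       "event_record_id": record_id},
            "event_data": {"param1": display, "param2": old,
                           "param3": new, "param4": name}}


# Constructed sample: the first entry mirrors the page's example (a service
# being enabled), the rest are hypothetical disable events.
SAMPLE_EVENTS = [
    evt("WinDev2310Eval", "OpenSSH Authentication Agent", "disabled",
        "auto start", "ssh-agent", 2166),
    evt("HOST-A", "Windows Update", "demand start", "disabled", "wuauserv", 3001),
    evt("HOST-A", "Windows Defender Firewall", "auto start", "disabled", "mpssvc", 3002),
] + [evt("HOST-B", f"Svc{i}", "auto start", "disabled", f"svc{i}", 4000 + i)
     for i in range(12)]


def disabled_services(events):
    """Rule 1: (host, service) for every 7040 event whose new start type is disabled."""
    return [(e["system"]["computer"], e["event_data"]["param4"])
            for e in events
            if e["system"]["event_id"] == 7040
            and e["event_data"]["param3"].lower() == "disabled"]


def excessive_hosts(events, threshold=EXCESSIVE_THRESHOLD):
    """Rule 2: hosts on which at least `threshold` services were set to disabled."""
    counts = Counter(host for host, _ in disabled_services(events))
    return {host: n for host, n in counts.items() if n >= threshold}


def update_services_disabled(events):
    """Rule 3: Windows Update related services that were set to disabled."""
    return [(host, svc) for host, svc in disabled_services(events)
            if svc in UPDATE_SERVICES]


if __name__ == "__main__":
    print(disabled_services(SAMPLE_EVENTS))
    print(excessive_hosts(SAMPLE_EVENTS))
    print(update_services_disabled(SAMPLE_EVENTS))
```

The ssh-agent event from the page is deliberately not flagged: under the assumed mapping its new start type is "auto start", so it is an enable, not a disable.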
References
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc756386(v=ws.10)
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx