Event ID 7045 — A service was installed in the system.
Fields
| Name | Type | Description |
|---|---|---|
| ServiceName | UnicodeString | Name of the installed service |
| ImagePath | UnicodeString | Full path to the executable run when the service is started |
| ServiceType | UnicodeString | Type of service (known values); the example event shows `user mode service` |
| StartType | UnicodeString | Start mode of the service (known values); the example event shows `auto start` |
| AccountName | UnicodeString | Account the service runs under; the example event shows `LocalSystem` |
Example Event
```json
{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7045,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2023-11-06T01:01:12.620648+00:00",
    "event_record_id": 2150,
    "correlation": {},
    "execution": {
      "process_id": 780,
      "thread_id": 21724
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "ServiceName": "TeamViewer",
    "ImagePath": "\"C:\\Program Files\\TeamViewer\\TeamViewer_Service.exe\"",
    "ServiceType": "user mode service",
    "StartType": "auto start",
    "AccountName": "LocalSystem"
  },
  "message": ""
}
```
Detection Rules
Sigma
- CobaltStrike Service Installations - System (critical): Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
- smbexec.py Service Installation (high): Detects the use of the smbexec.py tool by detecting a specific service installation
- Invoke-Obfuscation CLIP+ Launcher - System (high): Detects obfuscated use of Clip.exe to execute PowerShell
- Invoke-Obfuscation Obfuscated IEX Invocation - System (high): Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework from the code block linked in the references
- Invoke-Obfuscation STDIN+ Launcher - System (high): Detects obfuscated use of stdin to execute PowerShell
- Invoke-Obfuscation VAR+ Launcher - System (high): Detects obfuscated use of environment variables to execute PowerShell
- Invoke-Obfuscation COMPRESS OBFUSCATION - System (medium): Detects obfuscated PowerShell via COMPRESS OBFUSCATION
- Invoke-Obfuscation RUNDLL LAUNCHER - System (medium): Detects obfuscated PowerShell via RUNDLL LAUNCHER
- Invoke-Obfuscation Via Stdin - System (high): Detects obfuscated PowerShell via stdin in scripts
- Invoke-Obfuscation Via Use Clip - System (high): Detects obfuscated PowerShell via use of Clip.exe in scripts
- Invoke-Obfuscation Via Use MSHTA - System (high): Detects obfuscated PowerShell via use of MSHTA in scripts
- Invoke-Obfuscation Via Use Rundll32 - System (high): Detects obfuscated PowerShell via use of Rundll32 in scripts
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System (high): Detects obfuscated PowerShell via VAR++ LAUNCHER
- KrbRelayUp Service Installation (high): Detects service creation from the KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)
- Credential Dumping Tools Service Execution - System (high): Detects well-known credential dumping tools' execution via service execution events
- Meterpreter or Cobalt Strike Getsystem Service Installation - System (high): Detects the use of the getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
- Moriya Rootkit - System (critical): Detects the use of the Moriya rootkit as described in Securelist's Operation TunnelSnake report
- PowerShell Scripts Installed as Services (high): Detects a PowerShell script installed as a service
- Anydesk Remote Access Software Service Installation (medium): Detects the installation of the AnyDesk software service, which could be an indication of AnyDesk abuse if the software isn't already used.
- CSExec Service Installation (medium): Detects CSExec service installation and execution events
Splunk
- Clop Ransomware Known Service Name: The following analytic identifies the creation of a service with a known name used by CLOP ransomware for persistence and high-privilege code execution. It detects this activity by monitoring Windows Event Logs (EventCode 7045) for specific service names ("SecurityCenterIBM", "WinCheckDRVs"). This activity is significant because the creation of such services is a common tactic used by ransomware to maintain control over infected systems. If confirmed malicious, this could allow attackers to execute code with elevated privileges, maintain persistence, and potentially disrupt or encrypt critical data.
- Malicious Powershell Executed As A Service: The following analytic identifies the execution of malicious PowerShell commands or payloads via the Windows SC.exe utility. It detects this activity by analyzing Windows System logs (EventCode 7045) and filtering for specific PowerShell-related patterns in the ImagePath field. This behavior is significant because it indicates potential abuse of the Windows Service Control Manager to run unauthorized or harmful scripts, which could lead to system compromise. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.
- Randomly Generated Windows Service Name: The following analytic detects the installation of a Windows Service with a suspicious, high-entropy name, indicating potential malicious activity. It leverages Event ID 7045 and the `ut_shannon` function from the URL ToolBox Splunk application to identify services with random names. This behavior is significant as adversaries often use randomly named services for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.
- Windows Bluetooth Service Installed From Uncommon Location: Identifies the creation of a Windows service named "BluetoothService" with a binary path in user-writable directories, particularly %AppData%\Bluetooth. This technique was observed in the Lotus Blossom Chrysalis backdoor campaign, where attackers created a service named "BluetoothService" pointing to a malicious binary (renamed Bitdefender Submission Wizard) in a hidden AppData directory. While legitimate Bluetooth services exist in Windows, they are system services with binaries in System32. Any BluetoothService created with a binary path in user directories (AppData, Temp, Downloads) is highly suspicious and indicates potential malware persistence.
- Windows Driver Load Non-Standard Path: The following analytic detects the loading of new Kernel Mode Drivers from non-standard paths using Windows EventCode 7045. It identifies drivers not located in typical directories like Windows, Program Files, or SystemRoot. This activity is significant because adversaries may use these non-standard paths to load malicious or vulnerable drivers, potentially bypassing security controls. If confirmed malicious, this could allow attackers to execute code at the kernel level, escalate privileges, or maintain persistence within the environment, posing a severe threat to system integrity and security.
- Windows KrbRelayUp Service Creation: The following analytic detects the creation of a service with the default name "KrbSCM" associated with the KrbRelayUp tool. It leverages Windows System Event Logs, specifically EventCode 7045, to identify this activity. This behavior is significant as KrbRelayUp is a known tool used for privilege escalation attacks. If confirmed malicious, this activity could allow an attacker to escalate privileges, potentially gaining unauthorized access to sensitive systems and data.
- Windows Service Create RemComSvc: The following analytic detects the creation of the RemComSvc service on a Windows endpoint, typically indicating lateral movement using RemCom.exe. It leverages Windows EventCode 7045 from the System event log, specifically looking for the "RemCom Service" name. This activity is significant as it often signifies unauthorized lateral movement within the network, which is a common tactic used by attackers to spread malware or gain further access. If confirmed malicious, this could lead to unauthorized access to sensitive systems, data exfiltration, or further compromise of the network.
- Windows Service Create SliverC2: The following analytic detects the creation of a Windows service named "Sliver" with the description "Sliver Implant," indicative of SliverC2 lateral movement using the PsExec module. It leverages Windows EventCode 7045 from the System Event log to identify this activity. This behavior is significant as it may indicate an adversary's attempt to establish persistence or execute commands remotely. If confirmed malicious, this activity could allow attackers to maintain control over the compromised system, execute arbitrary code, and further infiltrate the network.
- Windows Service Created with Suspicious Service Name: The following analytic detects the creation of a Windows Service with a known suspicious or malicious name using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify these service installations. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment.
- Windows Service Created with Suspicious Service Path: The following analytic detects the creation of a Windows Service with a binary path located in uncommon directories, using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify services installed outside typical system directories. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment.
- Windows Snake Malware Service Create: The following analytic detects the creation of a new service named WerFaultSvc with a binary path in the Windows WinSxS directory. It leverages Windows System logs, specifically EventCode 7045, to identify this activity. This behavior is significant because it indicates the presence of Snake malware, which uses this service to maintain persistence by blending in with legitimate Windows services. If confirmed malicious, this activity could allow an attacker to execute Snake malware components, leading to potential data exfiltration, system compromise, and long-term persistence within the environment.
- Windows Vulnerable Driver Installed: The following analytic detects the loading of known vulnerable Windows drivers, which may indicate potential persistence or privilege escalation attempts. It leverages Windows System service install EventCode 7045 to identify driver loading events and cross-references them with a list of vulnerable drivers. This activity is significant as attackers often exploit vulnerable drivers to gain elevated privileges or maintain persistence on a system. If confirmed malicious, this could allow attackers to execute arbitrary code with high privileges, leading to further system compromise and potential data exfiltration. This detection is a Windows Event Log adaptation of the Sysmon driver loaded detection written by Michael Haag.
Kusto Query Language
- Credential Dumping Tools - Service Installation (high): This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.
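As an added illustration (not code from this page or from any of the rule sets listed above), the following Python triage function applies several of the heuristics the rules describe to the 7045 `event_data` fields documented here: known suspicious service names quoted by the rules, high-entropy names (Shannon entropy as the URL ToolBox `ut_shannon` function computes it), PowerShell patterns in `ImagePath`, and image paths outside standard directories, distinguished by `ServiceType` for kernel-mode drivers. The sample events, the standard-path prefix list, the regex and the entropy threshold are assumptions for the demonstration, not the rules' actual tuned lists.

```python
import math
import re

# Constructed sample 7045 event_data records, modelled on the page's example event.
SAMPLE_EVENTS = [
    {"ServiceName": "TeamViewer",
     "ImagePath": "\"C:\\Program Files\\TeamViewer\\TeamViewer_Service.exe\"",
     "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "KrbSCM", "ImagePath": "C:\\Users\\Public\\KrbSCM.exe",
     "ServiceType": "user mode service", "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "bXqZtYwRkLpN",
     "ImagePath": "%COMSPEC% /c powershell.exe -nop -w hidden -enc <constructed>",
     "ServiceType": "user mode service", "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "flt", "ImagePath": "\\??\\C:\\Users\\Public\\flt.sys",
     "ServiceType": "kernel mode driver", "StartType": "auto start", "AccountName": ""},
]

# Service names quoted by the detection rules listed on this page.
KNOWN_BAD_NAMES = {"krbscm", "remcom service", "sliver", "werfaultsvc",
                   "securitycenteribm", "wincheckdrvs"}
# Assumed "standard" install locations; production rules carry longer, tuned lists.
STANDARD_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                     "c:\\program files (x86)\\", "\\systemroot\\", "system32\\")
# Assumed PowerShell indicators in the image path (cf. the Splunk rule above).
POWERSHELL_RE = re.compile(r"powershell|pwsh|-enc\b|-encodedcommand|frombase64string|iex\b", re.I)


def shannon_entropy(s: str) -> float:
    """Entropy in bits per character, the quantity ut_shannon reports."""
    if not s:
        return 0.0
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))


def normalize_path(image_path: str) -> str:
    """Strip surrounding quotes and the \\??\\ device prefix, lower-case, expand %SystemRoot%."""
    p = image_path.strip().strip('"').lower()
    return p.replace("\\??\\", "").replace("%systemroot%", "c:\\windows")


def triage_7045(event_data: dict) -> list:
    """Return the list of heuristic findings for one 7045 event_data record."""
    name = event_data.get("ServiceName", "")
    path = normalize_path(event_data.get("ImagePath", ""))
    findings = []
    if name.lower() in KNOWN_BAD_NAMES:
        findings.append("known-suspicious-name")
    if shannon_entropy(name) > 3.0:          # assumed threshold
        findings.append("high-entropy-name")
    if POWERSHELL_RE.search(path):
        findings.append("powershell-in-imagepath")
    if not path.startswith(STANDARD_PREFIXES):
        is_driver = event_data.get("ServiceType", "").startswith("kernel")
        findings.append("driver-non-standard-path" if is_driver else "uncommon-service-path")
    return findings
```

Running `triage_7045` over `SAMPLE_EVENTS` flags nothing for the legitimate TeamViewer event and one or more findings for each constructed suspicious record.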
References
- Microsoft Learn https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/troubleshoot-unexpected-reboots-system-event-logs
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/persistence/evtx-7045-service-install.md