Unusual Service Hunting

v20260317

hunting-for-unusual-service-installations

Parses Windows System event logs to detect Event ID 7045 service installations, evaluates binary paths for suspicious persistence indicators, and produces MITRE ATT&CK T1543.003 aligned risk reports for threat hunting and investigation.

ThreatHunting Windows EventLogs T1543.003 Persistence Sysmon SecurityAutomation ServiceAnalysis

Get Skill

489 downloads

Overview

Hunting for Unusual Service Installations

Overview

Attackers frequently install malicious Windows services for persistence and privilege escalation (MITRE ATT&CK T1543.003 — Create or Modify System Process: Windows Service). Event ID 7045 in the System event log records every new service installation. This skill parses .evtx log files to extract service installation events, flags suspicious binary paths (temp directories, PowerShell, cmd.exe, encoded commands), and correlates with known attack patterns.

Prerequisites

Python 3.9+ with python-evtx, lxml
Windows System event log (.evtx) files
Access to live System event log (optional, for real-time monitoring)
Sysmon logs for enhanced process tracking (optional)

Steps

Parse System.evtx for Event ID 7045 (new service installed)
Extract service name, binary path, service type, and account
Flag services with suspicious binary paths (temp dirs, encoded commands)
Detect PowerShell-based service creation patterns
Identify services running as LocalSystem with unusual paths
Cross-reference with known legitimate service baselines
Generate threat hunting report with MITRE ATT&CK T1543.003 mapping

Expected Output

JSON report listing all new service installations with risk scores, suspicious indicators, and remediation recommendations
Timeline of service installation events with binary path analysis

Info

Category Uncategorized

Name hunting-for-unusual-service-installations

Version v20260317

Size 9.27KB

Source mukul975/Anthropic-Cybersecurity-Skills

Updated At 2026-03-18