7045
Log Name : System
Event ID : 7045
Description : A new Service was installed on the system.
This Event is recorded when a service is installed on the system.
What are Services
Windows services are applications that run in the background without user interaction and, by default, do not interact with the desktop. A service is used to listen for and respond to events or to perform automated tasks (such as Windows Update). Most EDR/MDR agents are installed as services.
Service Start Types
Automatic (Delayed Start) | Automatic | Manual | Disabled |
Benefits of using Services
- A service starts when the system boots up
- Runs with high privileges
- A service runs in the background and is very effective over the network, as it uses the Windows native API.
Example of Malicious 7045 events
Service Name | Service Path | Computer | User |
---|---|---|---|
637c804 | c:\windows\temp\95.bat | Victim-Computer | LocalAccount |
eaa241f | \\10.100.100.62\ADMIN$\eaa241f.exe | Victim-Computer | System |
9df3724 | %COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand <base64-encoded-command> | Victim-Computer | User |
Windows Update | C:\beacon.exe | Victim-Computer | System |
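
The patterns in the table above can be turned into triage rules for 7045 records. The following is an added example, not part of the original page: the rule names and regexes are assumptions, the first four sample records are the table rows, and the fifth is a constructed benign record.

```python
import re

# Heuristics derived from the four example rows in the table above. Rule names
# and patterns are assumptions of this example, not a vendor ruleset.
# ServiceName / ImagePath are the 7045 EventData fields behind the
# "Service Name" / "Service Path" columns.
RULES = [
    ("random_hex_service_name", "ServiceName", r"^[0-9a-f]{7,8}$"),
    ("binary_on_admin_share", "ImagePath", r"^\\\\[^\\]+\\ADMIN\$\\"),
    ("runs_from_temp_dir", "ImagePath", r"\\temp\\"),
    ("script_as_service", "ImagePath", r"\.(bat|cmd|ps1|vbs)\b"),
    ("comspec_launcher", "ImagePath", r"%COMSPEC%|\bcmd(\.exe)?\s+/c\b"),
    ("encoded_powershell", "ImagePath", r"powershell.*\s-(e|ec|en\w*)\s"),
    ("exe_in_drive_root", "ImagePath", r"^[a-z]:\\[^\\]+\.exe$"),
]
COMPILED = [(name, field, re.compile(pat, re.I)) for name, field, pat in RULES]

# Rows 0-3 come from the table above; row 4 is constructed for contrast.
SAMPLES = [
    {"ServiceName": "637c804", "ImagePath": r"c:\windows\temp\95.bat"},
    {"ServiceName": "eaa241f", "ImagePath": r"\\10.100.100.62\ADMIN$\eaa241f.exe"},
    {"ServiceName": "9df3724",
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell -nop -w hidden "
                  "-encodedcommand <base64-encoded-command>"},
    {"ServiceName": "Windows Update", "ImagePath": r"C:\beacon.exe"},
    {"ServiceName": "ExampleAgent",
     "ImagePath": r"C:\Program Files\ExampleAgent\agent.exe"},
]


def triage(event):
    """Return the names of all rules that fire for one 7045 record."""
    return [name for name, field, rx in COMPILED
            if rx.search(event.get(field, ""))]


if __name__ == "__main__":
    for ev in SAMPLES:
        hits = triage(ev)
        verdict = "REVIEW" if hits else "ok"
        print(f"{verdict:6} {ev['ServiceName']:15} {', '.join(hits)}")
```

A legitimate-looking service name such as "Windows Update" passes the name rule, which is why the image path is checked independently.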