hunting-for-unusual-service-installations

Solid

Detect suspicious Windows service installations (MITRE ATT&CK T1543.003) by parsing System event logs for Event ID 7045, analyzing service binary paths, and identifying indicators of persistence mechanisms.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 97/100

Stars 20%

100

Recency 20%

100

Frontmatter 20%

Documentation 15%

Issue Health 10%

License 10%

100

Description 5%

100

Skill Content

# Hunting for Unusual Service Installations ## Overview Attackers frequently install malicious Windows services for persistence and privilege escalation (MITRE ATT&CK T1543.003 — Create or Modify System Process: Windows Service). Event ID 7045 in the System event log records every new service installation. This skill parses .evtx log files to extract service installation events, flags suspicious binary paths (temp directories, PowerShell, cmd.exe, encoded commands), and correlates with known attack patterns. ## When to Use - When investigating security incidents that require hunting for unusual service installations - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Python 3.9+ with `python-evtx`, `lxml` - Windows System event log (.evtx) files - Access to live System event log (optional, for real-time monitoring) - Sysmon logs for enhanced process tracking (optional) ## Steps 1. Parse System.evtx for Event ID 7045 (new service installed) 2. Extract service name, binary path, service type, and account 3. Flag services with suspicious binary paths (temp dirs, encoded commands) 4. Detect PowerShell-based service creation patterns 5. Identify services running as LocalSystem with unusual paths 6. Cross-reference with known legitimate service baselines 7. Generate threat hunting report ...

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Solid

hunting-for-anomalous-powershell-execution

Hunt for malicious PowerShell activity by analyzing Script Block Logging (Event 4104), Module Logging (Event 4103), and process creation events. The analyst parses Windows Event Log EVTX files to detect obfuscated commands, AMSI bypass attempts, encoded payloads, credential dumping keywords, and suspicious download cradles. Activates for requests involving PowerShell threat hunting, script block analysis, encoded command detection, or AMSI bypass identification.

12,642 Updated today

mukul975

AI & Automation Listed

hunting-for-anomalous-powershell-execution

6 Updated today

26zl

AI & Automation Featured

hunting-for-persistence-mechanisms-in-windows

Systematically hunt for adversary persistence mechanisms across Windows endpoints including registry, services, startup folders, and WMI subscriptions.

12,642 Updated today

mukul975

AI & Automation Featured

hunting-for-suspicious-scheduled-tasks

Hunt for adversary persistence and execution via Windows scheduled tasks by analyzing task creation events, suspicious task properties, and unusual execution patterns that indicate T1053.005 abuse.

12,642 Updated today

mukul975

AI & Automation Featured

extracting-windows-event-logs-artifacts

Extract, parse, and analyze Windows Event Logs (EVTX) using Chainsaw, Hayabusa, and EvtxECmd to detect lateral movement, persistence, and privilege escalation.

12,642 Updated today

mukul975