Operator On The Wire
BLUE TEAM / THREAT HUNT / WINDOWS / PERSISTENCE

Service Installer

This note documents detection patterns related to Service Installer Persistence within Windows environments.


Direct Indicators

| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| System | 7045 | Service installed | Critical | Primary detection point. Review service name, display name, binary path, start type, service account, and installer account. |
| System | 7036 | Service state changed | High | Confirms service start / stop activity after installation. |
| Security | 4697 | Service installed | Critical | Native Security log equivalent when auditing is enabled; includes subject user context. |
| Sysmon | 1 | Process creation | Critical | Hunt for sc.exe, powershell.exe, cmd.exe, services.exe, parent chain and command line. |
| Security | 4688 | Process creation | High | Command-line visibility often reveals create, binPath=, start= usage. |
| Sysmon | 13 | Registry value set | High | Service registration writes under HKLM\SYSTEM\CurrentControlSet\Services. |
| Sysmon | 12 | Registry key create/delete | High | New service key creation visible here. |
| Sysmon | 11 | File create | High | Service binary often dropped immediately before install. |
| PowerShell | 4104 | Script block logging | Critical | Captures New-Service, WMI service creation, CIM methods. |
| Sysmon | 7 | Image loaded | Medium | Useful when malicious DLL service loaders execute. |

Indirect Indicators

| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Service name mimicry | "Windows Update Helper", "Defender Core", "Network Telemetry" | Critical | Common stealth tactic. |
| Unsigned binary | Unsigned or unknown publisher | Critical | Strong malicious signal. |
| Binary path in writable directory | AppData, Temp, Public, ProgramData | Critical | Very strong persistence signal. |
| Service starts immediately after creation | Rapid 7045 → 7036 sequence | High | Common attacker pattern. |
| Service account anomaly | Runs under LocalSystem unexpectedly | High | Elevates persistence impact. |
| Existing service modified | Legitimate binary path changed | Critical | Common stealthier attacker method. |
| DLL service abuse | svchost-hosted custom service DLL | High | Requires registry ServiceDLL review. |
| Remote service creation | Service installed from another host | High | Strong lateral movement indicator (PsExec / SCM abuse). |
| Service binary deleted later | 7045 present but binary missing | High | Cleanup / ephemeral payload clue. |
| Beacon follows service start | Outbound network immediately after 7036 | High | Correlate with Sysmon 3 / EDR net telemetry. |

Common Tools

| Tool | Usage |
|---|---|
| sc.exe | Native service creation (create, config, delete) |
| PowerShell | New-Service, CIM/WMI service creation |
| PsExec | Remote service deployment via SCM |
| Cobalt Strike | Service persistence / remote exec |
| SharpPersist | Service persistence module |
| Empire | Service persistence |
| Impacket psexec.py | Remote service-based execution |
| Custom SCM API tooling | Direct CreateServiceW abuse |

Relevant Artifacts

  • System log: 7045, 7036
  • Security log: 4697
  • Registry: HKLM\SYSTEM\CurrentControlSet\Services\
  • Service binary path on disk
  • Service DLL: Parameters\ServiceDLL (for DLL-backed services)
  • Sysmon: 1, 11, 12, 13
  • Security 4688 with command line enabled
  • PowerShell logs: 4103 / 4104
  • Prefetch: SC.EXE, POWERSHELL.EXE, CMD.EXE, PSEXESVC.EXE
  • Amcache / ShimCache
  • MFT / USN Journal for binary drop and registry-linked timing
  • SRUM if service payload initiates network communication
  • EDR process trees: services.exe → child process lineage

MITRE ATT&CK References

  • T1543.003 Windows Service
  • T1543 Create or Modify System Process
  • T1569.002 Service Execution

Decision Tree

  1. Was a service installed?
    • Check 7045 / 4697
  2. What created it?
    • Pivot to 4688 / Sysmon 1
    • Identify:
      • sc.exe
      • powershell.exe
      • remote SCM source
  3. Binary analysis
    • Path
    • Signature
    • Hash
    • Writable directory?
  4. Service type
    • Own process
    • Shared process
    • DLL-backed
  5. Pivot:
    • Did it start immediately?
    • Child process spawned?
    • Network beacon?
  6. Scope:
    • Single host?
    • Remote lateral deployment?
    • Legitimate software install?
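As an added example (not code from the original note), the indirect-indicator table and decision-tree steps 1, 3 and 5 applied to a batch of constructed 7045 / 7036 records in Python. Field names mirror the 7045 EventData (ServiceName, ImagePath, AccountName); the Signed flag is assumed to come from a separate disk-side enrichment, and the 60-second "started immediately" threshold is an assumption for the example.

```python
"""Triage constructed 7045 / 7036 records against the indirect indicators.
Example code, not from the original note; all events below are constructed."""
import re
from datetime import datetime, timedelta

EVENTS = [
    {"EventID": 7045, "Computer": "WS01", "Time": "2026-03-07T10:00:00",
     "ServiceName": "Windows Update Helper", "ImagePath": r"C:\Users\Public\svc.exe",
     "AccountName": "LocalSystem", "Signed": False},          # Signed: assumed enrichment
    {"EventID": 7036, "Computer": "WS01", "Time": "2026-03-07T10:00:04",
     "ServiceName": "Windows Update Helper", "State": "running"},
    {"EventID": 7045, "Computer": "WS02", "Time": "2026-03-07T11:00:00",
     "ServiceName": "Acme Agent", "ImagePath": r"C:\Program Files\Acme\agent.exe",
     "AccountName": r"NT AUTHORITY\NetworkService", "Signed": True},
    {"EventID": 7036, "Computer": "WS02", "Time": "2026-03-07T11:30:00",
     "ServiceName": "Acme Agent", "State": "running"},
]

# Writable directories and name-mimicry terms from the indirect-indicator table.
WRITABLE_DIR = re.compile(r"\\(AppData|Temp|Public|ProgramData)\\", re.IGNORECASE)
MIMICRY = re.compile(r"windows update|defender|telemetry", re.IGNORECASE)
QUICK_START = timedelta(seconds=60)  # assumed threshold for "starts immediately"


def started_quickly(install, starts):
    """True if the same service on the same host reported 'running' within QUICK_START."""
    t0 = datetime.fromisoformat(install["Time"])
    for s in starts:
        if s["Computer"] != install["Computer"] or s["ServiceName"] != install["ServiceName"]:
            continue
        if s.get("State") == "running":
            delta = datetime.fromisoformat(s["Time"]) - t0
            if timedelta(0) <= delta <= QUICK_START:
                return True
    return False


def triage(events):
    """Return {ServiceName: [indicator labels]} for every 7045 in the batch."""
    starts = [e for e in events if e["EventID"] == 7036]
    findings = {}
    for e in (x for x in events if x["EventID"] == 7045):
        hits = []
        if MIMICRY.search(e["ServiceName"]):
            hits.append("name mimicry")
        if not e["Signed"]:
            hits.append("unsigned binary")
        if WRITABLE_DIR.search(e["ImagePath"]):
            hits.append("writable directory")
        if e["AccountName"].lower() == "localsystem":   # check against your baseline
            hits.append("LocalSystem account")
        if started_quickly(e, starts):
            hits.append("rapid 7045 -> 7036")
        findings[e["ServiceName"]] = hits
    return findings
```

Services with no hits still deserve the step-6 scoping questions; an empty list only means none of the cheap heuristics fired.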

Example Detection Templates

KQL

System
| where EventID == 7045
| project TimeGenerated, Computer, EventData
| order by TimeGenerated desc

SecurityEvent
| where EventID == 4697
| project TimeGenerated, Computer, Account, EventData

Sysmon
| where EventID == 1
| where CommandLine has_any ("sc create", "New-Service")
| project TimeGenerated, Computer, User, Image, CommandLine, ParentImage

Sysmon
| where EventID == 13
| where TargetObject has @"\Services\"

EQL

process where process.command_line like "*sc create*" or process.command_line like "*New-Service*"

sequence by host.name with maxspan=5m
  [ process where process.command_line like "*sc create*" ]
  [ any where event.code == "7045" ]

Sigma

title: Suspicious Service Installation
id: 5f91b3de-service-installer
status: experimental
description: Detects Windows service installation often associated with persistence or lateral movement
references:
  - https://attack.mitre.org/techniques/T1543/003/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: system
detection:
  selection:
    EventID: 7045
  condition: selection
fields:
  - ServiceName
  - ImagePath
  - AccountName
falsepositives:
  - Legitimate software installation
  - Patch deployment systems
  - Enterprise management tools
level: high
tags:
  - attack.persistence
  - attack.t1543.003

Mitigation & Hardening

| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Service install monitoring | Alert on 7045 / 4697 | Critical | Core detection coverage |
| Baseline legitimate services | Maintain known-good inventory | Critical | Prevent false positives |
| Restrict SCM rights | Limit who can create services | High | Reduces abuse surface |
| Binary signature validation | Alert on unsigned service binaries | High | Strong detection enhancer |
| Service DLL review | Inspect ServiceDLL regularly | High | Detect DLL-backed stealth services |
| EDR service lineage | Monitor services.exe child activity | Critical | High-confidence malicious service detection |