This note documents detection patterns for Windows service attacks: service creation and modification, service binary replacement and unquoted-path abuse used for privilege escalation, persistence and service-based remote execution.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4697 | Service installed | Critical | Off by default: requires the Audit Security System Extension subcategory. Carries the installing account (SubjectUserName), the service key name and ServiceFileName. |
| System | 7045 | Service installed | Critical | Logged by the Service Control Manager on every host without extra configuration; carries ServiceName, ImagePath, StartType and the service account. Highest-value service creation event. |
| Security | 4688 | Process creation | Critical | Detects sc.exe, net start, PowerShell service abuse, binary replacement; only useful with command-line auditing enabled (Include command line in process creation events). |
| Sysmon | 1 | Process creation | Critical | Best execution source for service manipulation commands: full command line, parent process and hashes. |
| Sysmon | 11 | File create | Critical | Service binary replacement or malicious payload drop. |
| Sysmon | 13 | Registry value set | Critical | ImagePath, ObjectName and Start changes under HKLM\SYSTEM\CurrentControlSet\Services; the Sysmon config must include that key. |
| Sysmon | 12 | Registry object create/delete | High | Detects service key creation or deletion. |
| Security | 4670 | Permissions changed | High | ACL abuse on service binary or service registry key; needs a SACL on the object and the matching object-access audit subcategory. |
| System | 7036 | Service state changed | High | Start / stop used to trigger the payload; a 7036 "running" shortly after a 7045 confirms the binary executed. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Unquoted service path | PathName contains spaces and is not quoted | Critical | Classic privilege escalation primitive, but only exploitable if a low-privilege user can create a file in a directory at one of the truncation points (for C:\Program Files\Foo Bar\svc.exe: C:\ or C:\Program Files). |
| Writable service binary path | Low-privilege user can overwrite the binary or drop into its directory | Critical | Replacement runs as the service account at the next start; pair with 7036 timing or a reboot. |
| Service starts shell | services.exe -> cmd.exe / powershell.exe, directly or via the service host process | Critical | A direct child of services.exe means the ImagePath itself is the shell (sc create ... binPath= cmd.exe ...). |
| Service binary changed shortly before restart | Sysmon 11 / USN write on the binary, then 7036 "running" | Critical | Common privesc chain. |
| Registry ImagePath modified | Sysmon 13 on ...\Services\<name>\ImagePath pointing at an attacker payload | Critical | Direct abuse indicator; the same applies to ObjectName (service account) and Start. |
| Service account changed | ObjectName moved to LocalSystem or another privileged account | High | Persistence or escalation. |
| Rare service name appears | Random, typo-squatted or vendor-mimicking names seen on one host only | High | Stack 7045 ServiceName values across the fleet to surface them. |
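The checks in the two tables above, as an added example that is not part of the original note: a PowerShell audit that enumerates every service on a live host and flags unquoted paths, the truncation directories that actually make them exploitable, binaries or binary directories writable by low-privilege groups, and ImagePaths that point into user-writable trees or straight at a shell. It assumes Win32_Service is reachable through CIM and judges "writable" from the DACL (Everyone, Authenticated Users, BUILTIN\Users), not from an effective-access calculation for one user; the group list and the path regexes are illustrative choices.

```powershell
# Added example, not part of the original note: audits the indirect indicators in the
# tables above on a live host. Run elevated. Assumptions: Win32_Service is reachable via
# CIM, and "writable" means the DACL grants Everyone, Authenticated Users or BUILTIN\Users
# the right in question; it is not an effective-access calculation for one user.

$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')   # Everyone, Authenticated Users, Users
# Rights that let the binary be overwritten, versus rights that let a file be dropped into a directory.
# CreateFiles matters for directories: Authenticated Users may create folders in C:\ but not files.
$FileWriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'
$DirDropRights   = [System.Security.AccessControl.FileSystemRights]'CreateFiles, Modify, FullControl, TakeOwnership, ChangePermissions'

function Get-ServiceBinaryPath {
    # Return only the executable from Win32_Service.PathName, expanding %SystemRoot%-style variables
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($PathName)
    if ($p.StartsWith('"')) { return $p.Split('"')[1] }
    if ($p -match '(?i)^(.*?\.exe)') { return $Matches[1] }
    return $p.Trim()
}

function Test-LowPrivWritable {
    param([string]$Path, [System.Security.AccessControl.FileSystemRights]$Rights)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # An inherit-only ACE on a directory applies to its children, not to the directory itself
        if (($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($LowPrivSids -contains $sid -and (([int]$ace.FileSystemRights -band [int]$Rights) -ne 0)) { return $true }
    }
    return $false
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not $exe) { continue }
    $reasons = New-Object System.Collections.Generic.List[string]

    # Unquoted path with spaces: exploitable only if a directory at some truncation point lets a
    # low-privilege user drop a file, e.g. C:\Program.exe or C:\Program Files\Foo.exe
    if ($svc.PathName -notmatch '^"' -and $exe -match ' ') {
        $reasons.Add('UnquotedPath')
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir = Split-Path -Path $candidate -Parent
            if ($dir -and (Test-LowPrivWritable -Path $dir -Rights $DirDropRights)) {
                $reasons.Add("ExploitableInterceptDir=$dir")
            }
        }
    }
    # Writable binary or binary directory: the replacement primitive
    if (Test-LowPrivWritable -Path $exe -Rights $FileWriteRights) { $reasons.Add('WritableBinary') }
    $binDir = Split-Path -Path $exe -Parent
    if ($binDir -and (Test-LowPrivWritable -Path $binDir -Rights $DirDropRights)) { $reasons.Add('WritableBinaryDir') }
    # ImagePath inside a user-writable tree, or pointing straight at a shell / LOLBin
    if ($exe -match '(?i)\\(Users|Temp|ProgramData)\\') { $reasons.Add('UserWritableLocation') }
    if ($exe -match '(?i)\\(cmd|powershell|pwsh|rundll32|regsvr32|mshta)\.exe$') { $reasons.Add('ShellOrLolbinImage') }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Name      = $svc.Name
            StartName = $svc.StartName
            State     = $svc.State
            PathName  = $svc.PathName
            Reasons   = ($reasons -join ', ')
        }
    }
}
$findings | Sort-Object Name | Format-Table -AutoSize -Wrap
```

An UnquotedPath finding without an ExploitableInterceptDir entry is a hygiene issue, not an escalation path; the finding to chase first is any service running as LocalSystem (StartName) with WritableBinary, WritableBinaryDir or an ExploitableInterceptDir.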
Common Tools
| Tool | Usage |
|---|---|
| sc.exe | sc create <name> binPath= <payload> start= auto; sc config <name> binPath= <payload>; sc start <name> (note the space after each "=") |
| PowerShell | New-Service -BinaryPathName; Set-Service for start type and credentials; Set-ItemProperty on the Services key to rewrite ImagePath |
| accesschk.exe | accesschk -uwcqv "Authenticated Users" * to find services a low-privilege group can reconfigure; accesschk -uwdqs Users C:\ for writable directories |
| icacls.exe | Read the binary's DACL, or open it up (icacls <binary> /grant Everyone:F) before replacement |
| reg.exe | reg add HKLM\SYSTEM\CurrentControlSet\Services\<name> /v ImagePath /t REG_EXPAND_SZ /d <payload> /f |
| net.exe | net start <name> / net stop <name> to trigger the payload |
| PsExec | Installs and starts PSEXESVC on the target (7045 with ImagePath %SystemRoot%\PSEXESVC.exe) for remote execution |
| custom payload | Binary run by the SCM as LocalSystem; a non-service executable is killed when the start timeout expires (error 1053) but has already executed |
Relevant Artifacts
- System Event ID 7045
- Security Event ID 4697
- Security Event ID 4688
- Sysmon Event IDs 1, 11, 12, 13
- System Event ID 7036
- Registry: HKLM\SYSTEM\CurrentControlSet\Services\
- Prefetch: SC.EXE, NET.EXE
- Amcache for service payload
- ShimCache for binary execution
- MFT / USN Journal for binary replacement
- EDR process tree from services.exe
MITRE ATT&CK References
- T1543.003 Create or Modify System Process: Windows Service
- T1574 Hijack Execution Flow (T1574.009 Path Interception by Unquoted Path, T1574.010 Services File Permissions Weakness, T1574.011 Services Registry Permissions Weakness)
- T1569.002 System Services: Service Execution (PsExec-style remote execution)
- T1222 File and Directory Permissions Modification
- T1548 Abuse Elevation Control Mechanism
Decision Tree
- Was a new service created?
  - Check 7045 (always on) and 4697 (only if audited)
  - Review service name and ImagePath
- Was an existing service modified?
  - Registry path (ImagePath, ObjectName, Start)
  - ACL changes
- Was the binary replaced?
  - File timestamps
  - Hash drift
- Did the service spawn a suspicious child?
  - cmd.exe
  - powershell.exe
  - rundll32.exe
- Expand:
  - User context
  - Adjacent persistence
  - Lateral movement
- Scope:
  - Single host
  - Shared service abuse
  - Enterprise deployment
Example Detection Templates
KQL

The 7045 event is in the System log, which Log Analytics stores in the Event table with ServiceName and ImagePath inside the EventData XML; 4697 is in the Security log, where the SecurityEvent table already exposes ServiceName and ServiceFileName; Sysmon arrives through the Event table (Source "Microsoft-Windows-Sysmon"), not a separate Sysmon table.

```kql
Event
| where EventLog == "System" and Source == "Service Control Manager" and EventID == 7045
| parse EventData with * '<Data Name="ServiceName">' ServiceName '</Data>' * '<Data Name="ImagePath">' ImagePath '</Data>' *
| project TimeGenerated, Computer, EventID, ServiceName, ImagePath
```

```kql
SecurityEvent
| where EventID == 4697
| project TimeGenerated, Computer, EventID, ServiceName, ServiceFileName, SubjectUserName
```

```kql
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| parse EventData with * '<Data Name="CommandLine">' CommandLine '</Data>' * '<Data Name="User">' User '</Data>' *
| where CommandLine has_any ("sc.exe", "sc create", "sc config", "New-Service", "Set-Service", "binPath")
| project TimeGenerated, Computer, User, CommandLine
```
EQL

```eql
process where process.name : "sc.exe" and process.args : ("create", "config")
```

```eql
sequence by host.name with maxspan=5m
  [process where process.name : "sc.exe" and process.args : ("create", "config")]
  [registry where registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\ImagePath"]
```
Sigma

A Sigma rule has one logsource, so 7045 (System log) and 4697 (Security log) need separate rules; the 7045 rule below narrows on the ImagePath so that it fires on the suspicious installs its description names rather than on every install. The 4697 equivalent uses service: security, EventID 4697 and the ServiceFileName field.

```yaml
title: Service Installed From Suspicious Path
id: e2f4a990-service-privesc   # Sigma requires a UUID here; replace before publishing
status: experimental
description: Detects System 7045 service installs whose binary sits in a user-writable directory or is a shell / LOLBin, a common privilege escalation and persistence footprint
references:
    - https://attack.mitre.org/techniques/T1543/003/
author: Vergil
date: 2026-03-07
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    suspicious_path:
        ImagePath|contains:
            - '\Users\'
            - '\Temp\'
            - '\ProgramData\'
            - 'cmd.exe'
            - 'powershell'
            - 'rundll32'
    condition: selection and suspicious_path
fields:
    - ServiceName
    - ImagePath
    - AccountName
falsepositives:
    - Legitimate installers that stage a service binary under ProgramData
level: high
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1543.003
```
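The same triage run locally on a host, as an added example that is not part of the original note: a PowerShell script that reads System 7045 and 7036 and Security 4697 from the event logs, applies the same ImagePath heuristics as the templates above, pulls the installing account from 4697 where that subcategory is audited, and reports whether the new service reached the running state shortly after creation (the "did the payload run" step of the decision tree). It assumes an elevated session and English event text for the 7036 state string; the 7-day lookback, the 10-minute start window and the path regexes are illustrative values, not from the note.

```powershell
# Added example, not part of the original note: triages the "was a new service created"
# branch of the decision tree from the local event logs. Pulls System 7045 / 7036 and
# Security 4697 (present only when the Audit Security System Extension subcategory is on),
# scores each ImagePath and checks for a 7036 "running" shortly after the install.
# Assumptions: elevated session, English event text for the 7036 state string; the
# lookback, the 10-minute window and the path heuristics are illustrative values.

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="..."> pairs of one event into a hashtable
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.GetAttribute('Name')] = [string]$d.'#text' }
    return $h
}

function Get-ImagePathReasons {
    # Heuristics for an ImagePath / ServiceFileName string; returns a comma-joined reason list
    param([string]$ImagePath)
    $r = @()
    if ($ImagePath -notmatch '^"' -and ($ImagePath -replace '(?i)\.exe.*$', '.exe') -match ' ') { $r += 'UnquotedPath' }
    if ($ImagePath -match '(?i)\\(Users|Temp|ProgramData)\\') { $r += 'UserWritableDir' }
    if ($ImagePath -match '(?i)\b(cmd|powershell|pwsh|rundll32|regsvr32|mshta)\b') { $r += 'ShellOrLolbin' }
    if ($ImagePath -match '(?i)(-enc|frombase64|downloadstring|\\\\[^\\]+\\)') { $r += 'EncodedOrRemotePayload' }
    if ($ImagePath -match '(?i)psexesvc') { $r += 'PsExecService' }
    return ($r -join ', ')
}

function Get-ServiceCreationTriage {
    param([datetime]$Since = (Get-Date).AddDays(-7), [int]$StartWindowMinutes = 10)
    $system = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045, 7036; StartTime = $Since } -ErrorAction SilentlyContinue)
    $audit  = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4697; StartTime = $Since } -ErrorAction SilentlyContinue)
    # 7036 param1 is the display name and param2 the new state; 7045 ServiceName is the display name too
    $starts = foreach ($s in ($system | Where-Object Id -eq 7036)) {
        $d = ConvertFrom-EventData $s
        if ($d['param2'] -eq 'running') { [pscustomobject]@{ Name = $d['param1']; Time = $s.TimeCreated } }
    }
    foreach ($e in ($system | Where-Object Id -eq 7045)) {
        $d = ConvertFrom-EventData $e
        $deadline = $e.TimeCreated.AddMinutes($StartWindowMinutes)
        $started = $starts | Where-Object { $_.Name -eq $d['ServiceName'] -and $_.Time -ge $e.TimeCreated -and $_.Time -le $deadline } |
            Select-Object -First 1
        # 4697 carries the key name rather than the display name, so join it on the binary path
        # and time instead, and take the installing account from it
        $who = $audit | Where-Object { [math]::Abs(($_.TimeCreated - $e.TimeCreated).TotalSeconds) -le 120 } |
            ForEach-Object { ConvertFrom-EventData $_ } |
            Where-Object { $_['ServiceFileName'] -eq $d['ImagePath'] } |
            Select-Object -First 1
        $installedBy = 'n/a (4697 not audited or no match)'
        if ($who) { $installedBy = '{0}\{1}' -f $who['SubjectDomainName'], $who['SubjectUserName'] }
        $startedAfter = $null
        if ($started) { $startedAfter = [int]($started.Time - $e.TimeCreated).TotalSeconds }
        [pscustomobject]@{
            TimeCreated      = $e.TimeCreated
            ServiceName      = $d['ServiceName']
            ImagePath        = $d['ImagePath']
            RunsAs           = $d['AccountName']
            StartType        = $d['StartType']
            InstalledBy      = $installedBy
            StartedAfterSecs = $startedAfter
            Reasons          = Get-ImagePathReasons $d['ImagePath']
        }
    }
}

Get-ServiceCreationTriage | Sort-Object TimeCreated -Descending | Format-Table -AutoSize -Wrap
```

Rows with a non-empty Reasons column and a small StartedAfterSecs value are the ones to pivot on: the Sysmon 1 tree under services.exe at that timestamp, and Sysmon 11 / USN activity on the ImagePath just before it.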
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Service ACL review | Remove weak permissions on service objects (SERVICE_CHANGE_CONFIG for non-admin groups) | Critical | Core prevention; accesschk -uwcqv "Authenticated Users" * shows what to fix |
| Quote service paths | Fix unquoted paths that contain spaces | Critical | Removes the classic interception abuse |
| Protect service binaries | Restrict write access to the binary and its directory | Critical | Prevents replacement |
| Sysmon registry visibility | Include rules for ...\Services\*\ImagePath, ObjectName and Start | High | Detect changes early |
| Audit coverage | Enable Audit Security System Extension (4697) and command-line logging for 4688 | High | Without them only 7045 and Sysmon remain |
| Service baseline | Track legitimate services per host role | High | Detect drift |