Windows Services Event Logs

Windows Services Event Logs: Detecting and Investigating Malicious Activity

Windows services are integral to the functioning of both the operating system and installed applications. Because they run automatically, often with high privileges, attackers frequently abuse them for persistence, privilege escalation, and command and control (C2). This lesson focuses on using Windows Event Logs to detect and analyze suspicious service activity.


Key Insights

Types of Services

  1. System Services

    • Critical for OS functionality, such as device drivers and core utilities.

    • Examples: Windows Update, Print Spooler.

  2. Application Services

    • Installed by third-party applications to support their operations.

    • Examples: SQL Server, Backup Utilities.


Common Attack Scenarios

  1. Service Creation

    • Objective: Attackers create new services to execute malicious binaries persistently.

    • Example: A malicious service pointing to C:\Users\UserName\Documents\Windows Update.exe.

  2. Service Modification

    • Objective: Modify legitimate services to point to malicious executables.

    • Example: Changing the binary path of a legitimate service to run a malware payload.

  3. Service Disruption

    • Objective: Stop or disable critical services to impact system availability or cover tracks.

    • Example: Stopping the Windows Defender service to disable antivirus protection.


Key Event Logs for Windows Services

1. Event ID 7045 (Service Installation)

  • Log Location: System Logs

  • Details: Records the creation of a new service.

  • Captured Information:

    • Service Name and Display Name

    • Binary Path (location of the executable)

    • Start Type (Manual, Automatic, or Disabled)

    • Service Type (User Mode or Kernel Mode)

Example:

Service Name: WindowsUpdateCritical  
Binary Path: C:\Users\UserName\Documents\Windows Update.exe  
Start Type: Automatic  
Service Type: User Mode  

Analysis:

  • Suspicious Binary Path: Legitimate services typically run from trusted directories like C:\Windows\System32.

  • Misleading Service Name: Names mimicking legitimate services (e.g., Windows Update) warrant further investigation.

2. Event ID 7040 (Service Configuration Change)

  • Details: Logs changes to a service’s start type.

  • Use Case:

    • Detect when a service’s start type changes from Manual to Automatic, which can indicate an attempt to establish persistence across reboots.

3. Event ID 7036 (Service State Change)

  • Details: Tracks service state changes, such as start or stop events.

  • Use Case:

    • Detect abnormal stopping or restarting of critical services, which may indicate tampering.


Steps to Investigate Malicious Services

1. Filter for Event ID 7045

  • Focus on newly created services within the incident’s timeframe.

2. Analyze Service Details

  • Binary Path:

    • Legitimate binaries typically reside in trusted directories like C:\Windows\System32.

    • Suspicious binaries may be located in user directories or temp folders.

  • Service Name:

    • Attackers often use misleading names to blend in (e.g., Windows Update Service, System Helper).

3. Check the Binary

  • Check against VirusTotal:

    • Quickly verify whether the binary is flagged as malicious. Search by file hash first; uploading the file itself shares the sample with other users of the platform.

  • Further Analysis:

    • Perform static and dynamic analysis if VirusTotal results are inconclusive.
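The three investigation steps above as a triage script, added here as an example rather than taken from the lesson: it pulls Event ID 7045 records from the System log for the incident window and flags the indicators the lesson describes (binary in a user-writable directory, name mimicking a built-in component, automatic start). The trusted-root, suspicious-directory and mimic-name lists are assumptions to tune against your own service baseline.

```powershell
# Added example, not from the lesson: triage Event ID 7045 (service installation)
# in the System log for an incident window and flag the lesson's indicators.
# Assumes an elevated PowerShell session on the host under investigation;
# the directory and name lists below are assumptions to tune against your baseline.
param(
    [datetime]$Start = (Get-Date).AddDays(-7),
    [datetime]$End   = (Get-Date)
)
# Roots from which legitimate service binaries and drivers normally run
$TrustedRoots = @("$env:SystemRoot\", $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
# User-writable locations that are unusual for a service binary
$SuspiciousDirs = @('\Users\', '\Temp\', '\AppData\', '\ProgramData\', '\Downloads\')
# Names that mimic built-in components (the lesson's WindowsUpdateCritical would match)
$MimicNames = @('WindowsUpdate', 'Windows Update', 'Defender', 'System Helper', 'svchost')

$filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045
             StartTime = $Start; EndTime = $End }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Read EventData fields by name (ServiceName, ImagePath, ServiceType, StartType, AccountName)
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }

    # Isolate the executable from surrounding quotes and arguments
    $image = $data['ImagePath']
    $exe = $image
    if ($image -match '^"([^"]+)"') { $exe = $Matches[1] }
    elseif ($image -match '^(.+?\.(exe|sys|dll))') { $exe = $Matches[1] }
    # Drivers log relative forms such as \SystemRoot\System32\drivers\x.sys or system32\DRIVERS\x.sys
    $exe = $exe -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $exe = $exe -replace '^system32\\', "$env:SystemRoot\System32\"

    $reasons = @()
    if ($SuspiciousDirs | Where-Object { $exe -like "*$_*" }) { $reasons += 'binary in user-writable directory' }
    if (-not ($TrustedRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') })) { $reasons += 'binary outside trusted roots' }
    if ($MimicNames | Where-Object { $data['ServiceName'] -like "*$_*" }) { $reasons += 'name mimics built-in component' }
    if ($data['StartType'] -like '*auto*') { $reasons += 'auto start (survives reboot)' }

    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        ServiceName = $data['ServiceName']
        ImagePath   = $image
        StartType   = $data['StartType']
        Account     = $data['AccountName']
        Reasons     = ($reasons -join '; ')
    }
} | Sort-Object { $_.Reasons.Length } -Descending | Format-Table -AutoSize -Wrap
```

Rows with a non-empty Reasons column are the candidates to check against the baseline and to hash-lookup; a service whose path sits outside every trusted root but is a known third-party product is the normal false positive to expect.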


Defensive Recommendations

  1. Monitor Service Creation Events

    • Regularly review Event ID 7045 to identify new service installations.

  2. Baseline Normal Services

    • Maintain a baseline of legitimate services running on critical systems to quickly detect anomalies.

  3. Harden Service Permissions

    • Restrict permissions for service creation and modification, particularly on critical servers.

  4. Implement SIEM Rules

    • Use a SIEM solution to set up alerts for:

      • Event ID 7045: Detect new service creation.

      • Event ID 7040: Monitor changes to service configurations.

      • Event ID 7036: Track suspicious service state changes.


Key Points

Windows services provide a rich attack surface for adversaries, making their monitoring a critical aspect of system defense. By focusing on key Event IDs (7045, 7040, 7036) and correlating service-related logs, analysts can effectively detect and respond to malicious activities.
