title: New Windows Service Installed
id: adfa52d1-fd8a-4095-ae3f-5708ec0ff71b
status: experimental
description: >
    Detects installation of a new Windows service (System log, Service Control Manager event 7045).
    Service creation is a common persistence and privilege-escalation mechanism; this rule is tuned
    to flag services whose ImagePath points at a user-writable location or at a script interpreter.
references:
    - https://attack.mitre.org/techniques/T1543/003/
author: Zion Boggan
date: 2026-05-14
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 7045
        Provider_Name: 'Service Control Manager'
    selection_susp:
        ImagePath|contains:
            - '\Users\'
            - '\AppData\'
            - '\Temp\'
            - '\ProgramData\'
            - 'powershell'
            - 'cmd.exe /c'
            - 'cmd /c'
            - 'rundll32'
    condition: selection and selection_susp
falsepositives:
    - Some software installs services from ProgramData; baseline known-good ImagePaths.
    - Installers that stage a service binary under \Windows\Temp\ during setup (the '\Temp\' pattern matches that path as well).
level: high
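The detection logic above, run over constructed System/7045 events, as an added Python harness that is not part of the rule or of the Sigma project: it transcribes the `selection` and `selection_susp` blocks, applies Sigma's default case-insensitive `contains` matching, and layers on the known-good ImagePath baseline that the falsepositives entry recommends. The sample events, their ServiceName values and the `KNOWN_GOOD_IMAGEPATH_PREFIXES` entry are constructed assumptions, not real telemetry.

```python
"""Added example: exercise the Sigma rule's detection block against constructed
Windows System/7045 events. Not part of the rule above; the events and the
baseline allowlist are assumptions for illustration."""
from typing import Dict, List

# The rule's `selection` block, transcribed.
SELECTION = {"EventID": 7045, "Provider_Name": "Service Control Manager"}

# The rule's `selection_susp` block (ImagePath|contains), transcribed.
# Sigma string modifiers are case-insensitive by default, so both sides
# are lower-cased before comparing.
SUSPICIOUS_IMAGEPATH_SUBSTRINGS = [
    "\\Users\\", "\\AppData\\", "\\Temp\\", "\\ProgramData\\",
    "powershell", "cmd.exe /c", "cmd /c", "rundll32",
]

# Hypothetical per-environment baseline (assumption): ImagePath prefixes of
# services known to be legitimately installed from ProgramData, as the
# rule's falsepositives entry recommends. Stored lower-cased.
KNOWN_GOOD_IMAGEPATH_PREFIXES = [
    "c:\\programdata\\contoso agent\\agent.exe",
]


def matches_selection(event: Dict) -> bool:
    """True when the event is a Service Control Manager 7045 record."""
    return (event.get("EventID") == SELECTION["EventID"]
            and str(event.get("Provider_Name", "")).lower()
            == SELECTION["Provider_Name"].lower())


def suspicious_fragments(image_path: str) -> List[str]:
    """Return the selection_susp patterns found in ImagePath, in rule order."""
    haystack = image_path.lower()
    return [p for p in SUSPICIOUS_IMAGEPATH_SUBSTRINGS if p.lower() in haystack]


def is_baselined(image_path: str) -> bool:
    """True when ImagePath (ignoring a leading quote) starts with a known-good prefix."""
    normalized = image_path.lower().lstrip('"')
    return any(normalized.startswith(k) for k in KNOWN_GOOD_IMAGEPATH_PREFIXES)


def evaluate(event: Dict) -> Dict:
    """Rule verdict for one event: 'matched' is the rule condition after the
    baseline filter; 'hits' lists the patterns that fired; 'baselined' says
    whether the allowlist suppressed an otherwise-matching event."""
    verdict = {"matched": False, "hits": [], "baselined": False}
    if not matches_selection(event):
        return verdict
    image_path = event.get("ImagePath", "")
    hits = suspicious_fragments(image_path)
    if not hits:
        return verdict
    baselined = is_baselined(image_path)
    return {"matched": not baselined, "hits": hits, "baselined": baselined}


def alerts(events: List[Dict]) -> List[str]:
    """ServiceName of every event the rule would raise."""
    return [e["ServiceName"] for e in events if evaluate(e)["matched"]]


def _scm(service_name: str, image_path: str, event_id: int = 7045) -> Dict:
    """Build a constructed System-log event with the fields 7045 carries."""
    return {
        "EventID": event_id,
        "Provider_Name": "Service Control Manager",
        "ServiceName": service_name,
        "ImagePath": image_path,
        "ServiceType": "user mode service",
        "StartType": "auto start",
        "AccountName": "LocalSystem",
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Ordinary service under System32: no selection_susp hit, no alert.
    _scm("NetSvcHost", "C:\\Windows\\System32\\svchost.exe -k netsvcs"),
    # Binary dropped in a user profile: hits \Users\, \AppData\ and \Temp\.
    _scm("WinUpd", "C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe"),
    # Service whose ImagePath launches an encoded PowerShell command.
    _scm("Updater", "%COMSPEC% /c powershell -nop -w hidden -enc SQBFAFgA"),
    # rundll32 loading a DLL staged in ProgramData (not baselined).
    _scm("DllHost2", "rundll32.exe C:\\ProgramData\\cache\\x.dll,Start"),
    # Legitimate agent installed from ProgramData: hit, but suppressed by baseline.
    _scm("ContosoAgent", '"C:\\ProgramData\\Contoso Agent\\agent.exe" --service'),
    # Service state change (7036), not an install: fails `selection`.
    _scm("Spooler", "C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe", event_id=7036),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["EventID"], e["ServiceName"], evaluate(e))
    print("alerts:", alerts(SAMPLE_EVENTS))
```

The baseline here is a prefix allowlist applied in code; in the rule itself the same suppression would be expressed as an extra `filter` selection on `ImagePath|startswith` and a condition of `selection and selection_susp and not filter`, so that the allowlist ships with the rule rather than living in the consumer.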