Skip to main content
AI/MLplurigrid

hunting-for-unusual-service-installations

Detect suspicious Windows service installations (MITRE ATT&CK T1543.003) by parsing System event logs for Event ID 7045, analyzing service binary paths, and identifying indicators of persistence mechanisms.

Stars
23
Source
plurigrid/asi
Updated
2026-04-26
Slug
plurigrid--asi--hunting-for-unusual-service-installations
View on GitHubRaw SKILL.md

// install — copy + paste into any project

mkdir -p .claude/skills && curl -fsSL https://raw.githubusercontent.com/plurigrid/asi/HEAD/plugins/asi/skills/hunting-for-unusual-service-installations/SKILL.md -o .claude/skills/hunting-for-unusual-service-installations.md

Drops the SKILL.md into .claude/skills/hunting-for-unusual-service-installations.md. Works with Claude Code, Cursor, and any agent that loads SKILL.md files from .claude/skills/.

Hunting for Unusual Service Installations

Overview

Attackers frequently install malicious Windows services for persistence and privilege escalation (MITRE ATT&CK T1543.003 — Create or Modify System Process: Windows Service). Event ID 7045 in the System event log records every new service installation. This skill parses .evtx log files to extract service installation events, flags suspicious binary paths (temp directories, PowerShell, cmd.exe, encoded commands), and correlates with known attack patterns.

When to Use

  • When investigating security incidents that require hunting for unusual service installations
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Python 3.9+ with python-evtx, lxml
  • Windows System event log (.evtx) files
  • Access to live System event log (optional, for real-time monitoring)
  • Sysmon logs for enhanced process tracking (optional)

Steps

  1. Parse System.evtx for Event ID 7045 (new service installed)
  2. Extract service name, binary path, service type, and account
  3. Flag services with suspicious binary paths (temp dirs, encoded commands)
  4. Detect PowerShell-based service creation patterns
  5. Identify services running as LocalSystem with unusual paths
  6. Cross-reference with known legitimate service baselines
  7. Generate threat hunting report with MITRE ATT&CK T1543.003 mapping

Expected Output

  • JSON report listing all new service installations with risk scores, suspicious indicators, and remediation recommendations
  • Timeline of service installation events with binary path analysis