SOC Prime Bias: High

08 Jul 2026 16:01 UTC

Windows Service Published Through Administrator Access

Author Photo
SOC Prime Team linkedin icon Follow
Windows Service Published Through Administrator Access
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Threat actors abuse Windows services to run code with elevated privileges and establish persistence on compromised systems. Common approaches include creating new services with sc.exe or PowerShell, changing existing service binary paths, modifying service permissions through SDDL, and abusing service recovery settings to launch malicious commands when a service fails. More advanced methods involve using Windows APIs to avoid command-line visibility or installing kernel-mode drivers.

Investigation

The report outlines multiple techniques for manipulating Windows services and shows how attackers can rely on native tools such as sc.exe, PowerShell, and registry changes. It explains how service recovery options can be hijacked to execute payloads and how kernel-mode drivers may be introduced for deeper system access. The investigation also identifies key Windows Event IDs and registry locations that provide useful telemetry for detecting this behavior.

Mitigation

Organizations should apply layered defenses by enabling auditing on service-related registry locations, including the Services hive and relevant recovery configuration keys. Monitoring Windows Event IDs such as 7045, 7024, 4657, and 4663 is essential for spotting service creation or modification. Defenders should also protect against service permission tampering and track unauthorized kernel driver installation activity.

Response

When suspicious service activity is detected, responders should investigate the initiating process and its parent-child chain, especially cases where services.exe launches unexpected shell processes. Registry changes should be correlated with API activity such as CreateServiceW, and systems should be reviewed for unauthorized driver loads. The integrity of service binary paths and recovery settings should also be validated across the environment.

Attack Flow

We are still updating this part. Sign up to get notified

Notify Me

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary has gained initial access and seeks to maintain a foothold. To avoid detection by simple file-based antivirus, they decide to use a Living-off-the-Land approach by creating a new Windows Service named “WindowsUpdateSvc” (a deceptive name). This service is configured to run a malicious PowerShell encoded command. The creation of this service will generate a Windows System Event ID 7045, which is the primary trigger for the detection rule.

  • Regression Test Script:

    # Simulation of T1543.003: Creating a malicious service to trigger Event ID 7045
    $ServiceName = "WindowsUpdateSvc"
    $Payload = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command 'Write-Output "Persistence Established" | Out-File C:temppwned.txt'"
    
    # Create the service
    # Note: This requires administrative privileges
    New-Service -Name $ServiceName -BinaryPathName $Payload -DisplayName "Windows Update Service" -StartupType Automatic
    
    Write-Host "Service $ServiceName created. Check System Event Logs for Event ID 7045."
  • Cleanup Commands:

    # Cleanup: Remove the malicious service and any created files
    $ServiceName = "WindowsUpdateSvc"
    Stop-Service -Name $ServiceName -ErrorAction SilentlyContinue
    sc.exe delete $ServiceName
    if (Test-Path "C:temppwned.txt") { Remove-Item "C:temppwned.txt" }
    Write-Host "Cleanup complete."