Description: Review events related to Windows Services.
Location:
Notes: The System.evtx log tracks activity associated with Windows Services:
The Security.evtx log can be used to track when services are installed on a system:
Analysis: We can analyze modifications to Windows Services by reviewing various Event IDs
in the System.evtx file, and reference Security.evtx to review installed services.
We can use the native Windows Event Viewer application to analyze .evtx files. On a Windows client,
double-clicking an .evtx file automatically opens the log under the Saved Logs
folder in Event Viewer.
To filter for a specific event, select Filter Current Log... to open a dialog box with
filtering options and enter the Event ID you'd like to isolate.
Event ID 7034 keeps track of services that have crashed unexpectedly.
Event ID 7040 records modifications to a service's startup state. It's not uncommon for
attackers to attempt to disable critical security controls such as anti-virus.
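The same triage can be scripted with Get-WinEvent against the exported .evtx files rather than clicking through the Event Viewer filter dialog. The block below is an added example and not part of the original page: the case file paths, the regex used to spot security-tooling service names, and the inclusion of Event IDs 7045 (System) and 4697 (Security), which record a newly installed service but are not mentioned above, are all assumptions. The EventData field names are those used by the Service Control Manager and Security auditing providers; check them against your own log if the output looks empty.

```powershell
# Added example, not part of the original page. Triages Windows Service
# events from exported .evtx files with Get-WinEvent instead of clicking
# through Event Viewer. The case paths are assumptions; adjust them.
$SystemLog   = 'C:\Cases\CASE-001\System.evtx'
$SecurityLog = 'C:\Cases\CASE-001\Security.evtx'

# Flatten an event's <EventData> into a name -> value hashtable so fields
# can be addressed by name rather than by position.
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $map[$d.Name] = $d.'#text' }
    }
    return $map
}

# Event IDs discussed on the page: 7034 (service crashed unexpectedly) and
# 7040 (service start type changed). 7045 is added here because it records
# a newly installed service in System.evtx; it is not mentioned on the page.
$svcEvents = Get-WinEvent -FilterHashtable @{ Path = $SystemLog; Id = 7034, 7040, 7045 } -ErrorAction SilentlyContinue

# Field names (param1..param3, ServiceName, ImagePath) are those used by the
# Service Control Manager provider; verify against your own log if in doubt.
$summary = foreach ($e in $svcEvents) {
    $d = Get-EventDataMap -Event $e
    $svc = if ($e.Id -eq 7045) { $d['ServiceName'] } else { $d['param1'] }
    $detail = switch ($e.Id) {
        7034 { "crashed unexpectedly (occurrence $($d['param2']))" }
        7040 { "start type changed: $($d['param2']) -> $($d['param3'])" }
        7045 { "installed, image path: $($d['ImagePath'])" }
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Service = $svc
        Detail  = $detail
    }
}

$summary | Sort-Object Time | Format-Table -AutoSize

# The page's key detection point: a service flipped to 'disabled'. Flag any
# 7040 whose new start type is disabled and highlight names that look like
# security tooling (the pattern is an assumption; extend it for your estate).
$disabled = $summary | Where-Object { $_.Id -eq 7040 -and $_.Detail -match '-> disabled' }
$suspect  = $disabled | Where-Object { $_.Service -match 'defend|antivirus|sense|security|sysmon' }
if ($suspect) {
    Write-Warning "Security-related services set to disabled:"
    $suspect | Format-Table Time, Service, Detail -AutoSize
}

# Service installs from Security.evtx (Event ID 4697, 'A service was installed
# in the system'; this audit category must have been enabled on the source host).
Get-WinEvent -FilterHashtable @{ Path = $SecurityLog; Id = 4697 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataMap -Event $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $d['SubjectUserName']
            Service   = $d['ServiceName']
            Image     = $d['ServiceFileName']
            StartType = $d['ServiceStartType']
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

Run it from a PowerShell prompt on the analysis workstation with the exported logs in place; reading saved .evtx files does not require the logs to come from the local machine, which keeps the triage off the compromised host.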