
Artifact Analysis: System Modifications & Persistence (Event 7045, 4698, 4720)

1. Service Creation: The Ultimate Persistence (Event 7045)


Windows services execute in the background, typically during the boot process, and often run with the highest system privileges (NT AUTHORITY\SYSTEM). This makes them the holy grail for attacker persistence and lateral movement execution.

Event ID 7045 (“A service was installed in the system”) is generated in the System log whenever a new service is registered with the Service Control Manager (SCM).

Parsing an Event 7045 record yields critical forensic artifacts:

  • Service Name: The name assigned to the service. Attackers often use typosquatting to mimic legitimate services (e.g., WinDefendSvc instead of WinDefend).
  • Service File Name (Critical): The absolute file path of the executable that the service will launch.
    • Red Flag: A path pointing to a world-writable directory like C:\Users\Public\, C:\PerfLogs\, or a temporary folder (%TEMP%).
  • Service Account: The account context under which the service executes (usually LocalSystem).

2. Scheduled Tasks: The Most Common Persistence (Event 4698)


Scheduled tasks allow an adversary to execute a program at a specific time, on a recurring interval, or triggered by a specific system event (like user logon). It is a highly popular, native “Living off the Land” persistence mechanism.

Event ID 4698 (“A scheduled task was created”) is generated in the Security log.

Unlike Service Creation, Event 4698 is not logged by default. To capture this vital telemetry, administrators must enable the specific audit policy via GPO: Advanced Audit Policy Configuration > Object Access > Audit Other Object Access Events (Set to Success).

Parsing an Event 4698 record yields the following key fields:

  • Command / Action: The exact script or binary executed by the task. Analysts must look for tasks invoking powershell.exe, cmd.exe, wscript.exe, or mshta.exe passing obfuscated parameters (e.g., Base64 encoded payloads).
  • Author: The user account that created the task. A compromised standard user creating tasks running as SYSTEM indicates a privilege escalation exploit has occurred.

3. Account and Group Manipulation: Privilege Escalation


Threat actors frequently create “backdoor accounts” or add existing compromised accounts to highly privileged groups to maintain administrative access.

Account Creation (Event 4720)

A user account was created. Look for accounts created with names mimicking IT staff (e.g., sysadmin, backup_svc, temp_admin). The Subject fields reveal which (likely compromised) account was used to create the user, for example by running the net user command.

Group Manipulation (Events 4728, 4732, 4756)

A member was added to a security-enabled group. These events track additions to Global, Local, and Universal groups. The most critical alerts occur when an adversary adds a user to the Administrators, Domain Admins, or Remote Desktop Users groups, securing total system dominance.

Deploy the following query in your SIEM to proactively hunt for anomalous system modifications that indicate persistence mechanisms.

hunt_anomalous_services.kql
// Detects the installation of a Windows Service executing from a suspicious directory
Event
| where EventLog == "System" and EventID == 7045
| parse EventData with * '<Data Name="ServiceName">' ServiceName '</Data>' *
| parse EventData with * '<Data Name="ImagePath">' ImagePath '</Data>' *
| parse EventData with * '<Data Name="ServiceType">' ServiceType '</Data>' *
| parse EventData with * '<Data Name="StartType">' StartType '</Data>' *
| parse EventData with * '<Data Name="AccountName">' AccountName '</Data>' *
// Convert to lowercase for case-insensitive matching
| extend ImagePath = tolower(ImagePath)
// Filter for suspicious, world-writable, or temporary directories
| where ImagePath has_any ("\\users\\public\\", "\\perflogs\\", "\\windows\\temp\\", "\\appdata\\local\\temp\\")
or ImagePath matches regex @"^.:\\[a-z0-9]+\.exe" // Executable dropped at root of a drive (e.g., C:\malware.exe)
| project TimeGenerated, Computer, ServiceName, ImagePath, StartType, AccountName
| sort by TimeGenerated desc
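The same red flags can be applied outside a SIEM, directly to the EventData XML of exported records. The Python below is an added example, not code from the original page: it implements the Event 7045 service-path checks of the query above and the Event 4698 task checks described earlier (a LOLBin launched with an encoded argument, and a task that runs as SYSTEM but was authored by an ordinary user). The two sample records, the user name jsmith and the base64 placeholder are constructed; the Task Scheduler XML namespace and the S-1-5-18 (LocalSystem) SID are real.

```python
import re
import xml.etree.ElementTree as ET

WRITABLE_DIRS = ("\\users\\public\\", "\\perflogs\\", "\\windows\\temp\\", "\\appdata\\local\\temp\\")  # red-flag dirs
ROOT_EXE = re.compile(r"^[a-z]:\\[a-z0-9]+\.exe$")  # executable dropped at the root of a drive
LOLBINS = ("powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe")
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"  # Task Scheduler schema namespace

def event_data(xml_text):
    """Flatten the <Data Name=...> children of an EventData element into {Name: value} (namespace-agnostic)."""
    return {d.get("Name"): (d.text or "") for d in ET.fromstring(xml_text).iter() if d.tag.rsplit("}", 1)[-1] == "Data"}

def check_service_install(fields):
    """Event 7045: flag a service whose binary lives in an unusual location."""
    path = fields.get("ImagePath", "").strip('"').lower()
    reasons = []
    if any(d in path for d in WRITABLE_DIRS):
        reasons.append("service binary in world-writable or temp directory")
    if ROOT_EXE.match(path):
        reasons.append("service binary dropped at the root of a drive")
    return reasons

def check_task_created(fields):
    """Event 4698: inspect the embedded task definition for LOLBin abuse and SYSTEM context."""
    task = ET.fromstring(fields["TaskContent"])
    cmd = (task.findtext(f".//{TASK_NS}Command") or "").strip('"').lower()
    args = (task.findtext(f".//{TASK_NS}Arguments") or "").lower()
    run_as = task.findtext(f".//{TASK_NS}UserId") or ""
    author = fields.get("SubjectUserName", "")
    binary = cmd.split("\\")[-1]
    reasons = []
    if binary in LOLBINS and re.search(r"-(e|enc|encodedcommand)\b", args):
        reasons.append(f"{binary} invoked with an encoded command")
    # S-1-5-18 is LocalSystem; a SYSTEM task authored by a non-SYSTEM, non-machine account is suspicious.
    if run_as == "S-1-5-18" and author.upper() != "SYSTEM" and not author.endswith("$"):
        reasons.append(f"task runs as SYSTEM but was created by {author}")
    return reasons

# Constructed sample records (not real logs). A real 4698 record carries TaskContent entity-escaped;
# CDATA is used here only for readability and parses to the same text.
SVC_7045 = r"""<EventData><Data Name="ServiceName">WinDefendSvc</Data>
  <Data Name="ImagePath">C:\Users\Public\svchost.exe</Data>
</EventData>"""
TASK_4698 = r"""<EventData>
  <Data Name="SubjectUserName">jsmith</Data>
  <Data Name="TaskContent"><![CDATA[<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
  <Arguments>-nop -w hidden -enc CONSTRUCTED_BASE64_PLACEHOLDER</Arguments></Exec></Actions></Task>]]></Data>
</EventData>"""
```

Feed the functions the EventData element of each exported record; an empty list means no red flag fired, and a benign `C:\Windows\System32\svchost.exe -k netsvcs` service path yields exactly that.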