
Search/Hunt for Persistence through Windows Services installed within the Past 30 days

Description: Searches Windows service-creation events (System log, event ID 7045) from the past 30 days.

What The Data Shows: Every service created within the past 30 days, with the relevant fields (service name, image path, start type, account, service type) extracted from the event's JSON. Sort and filter for service installs that are rare across the environment to identify potentially suspicious programs.

SQL: 

-- Service installs (System log, event ID 7045) from the last 30 days,
-- with the interesting EventData fields pulled out of the JSON blob.
select
  datetime,
  eventid,
  json_extract(data, '$.EventData.ServiceName') as ServiceName,
  json_extract(data, '$.EventData.ImagePath')   as ImagePath,
  json_extract(data, '$.EventData.StartType')   as StartType,
  json_extract(data, '$.EventData.AccountName') as AccountName,
  json_extract(data, '$.EventData.ServiceType') as ServiceType,
  data
from windows_eventlog
where channel = 'System'
  and eventid = '7045'
  -- Drop the sensor's own service installs so they do not drown out the rest.
  and data not like '%"ServiceName":"CB Defense"%'
  and data not like '%"ServiceName":"Carbon Black%'
  and datetime > datetime('now', '-30 day');
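The following is an added example, not code from the post's author or from Carbon Black: it loads a handful of constructed windows_eventlog rows into an in-memory SQLite table, runs the same hunt query over them, and then does the "rare across the environment" step by stacking service installs per host. Two things are assumptions: a hostname column (Live Query reports which endpoint each row came from, modelled here as a plain column) and a bound reference time in place of 'now' so the result is reproducible. The sample rows include a sensor install, a service present on every host, a one-off install under a user account, an event older than 30 days and a 7036 state-change event, so the filters in the query can be seen doing their job.

```python
import json
import sqlite3
from collections import defaultdict

# The page's hunt query, mirrored over a local copy of the windows_eventlog
# schema. `hostname` is an assumed column (Live Query attaches the endpoint
# name to each result row); the reference time is a bound parameter so the
# example runs the same way every time.
HUNT_QUERY = """
select hostname, datetime, eventid,
  json_extract(data, '$.EventData.ServiceName') as ServiceName,
  json_extract(data, '$.EventData.ImagePath')   as ImagePath,
  json_extract(data, '$.EventData.StartType')   as StartType,
  json_extract(data, '$.EventData.AccountName') as AccountName,
  json_extract(data, '$.EventData.ServiceType') as ServiceType
from windows_eventlog
where channel = 'System'
  and eventid = 7045
  and data not like '%"ServiceName":"CB Defense"%'
  and data not like '%"ServiceName":"Carbon Black%'
  and datetime > datetime(?, '-30 day')
order by datetime
"""


def event_7045(hostname, when, name, image, start="auto start", account="LocalSystem"):
    """Build one constructed row shaped like osquery's windows_eventlog output.

    The JSON is emitted compact (no spaces after ':' or ','), which is what the
    LIKE exclusions in the query rely on.
    """
    body = {"EventData": {"ServiceName": name, "ImagePath": image,
                          "StartType": start, "AccountName": account,
                          "ServiceType": "user mode service"}}
    return (hostname, "System", when, 7045, json.dumps(body, separators=(",", ":")))


# Constructed fleet data (not real telemetry).
SAMPLE_ROWS = [
    event_7045("ws01", "2024-05-02T09:12:00Z", "CB Defense", r"C:\Program Files\Confer\RepMgr.exe"),
    event_7045("ws01", "2024-05-03T10:00:00Z", "VPN Agent", r"C:\Program Files\VPN\agent.exe"),
    event_7045("ws02", "2024-05-03T10:05:00Z", "VPN Agent", r"C:\Program Files\VPN\agent.exe"),
    event_7045("ws03", "2024-05-03T10:07:00Z", "VPN Agent", r"C:\Program Files\VPN\agent.exe"),
    event_7045("ws03", "2024-05-04T22:41:00Z", "WinUpdateSvc", r"C:\Users\Public\svc.exe",
               account="ws03\\alice"),
    event_7045("ws02", "2024-03-01T08:00:00Z", "OldTool", r"C:\Tools\old.exe"),  # outside the 30-day window
    ("ws01", "System", "2024-05-03T11:00:00Z", 7036,                              # state change, not an install
     json.dumps({"EventData": {"param1": "VPN Agent", "param2": "running"}}, separators=(",", ":"))),
]


def run_hunt(rows, now="2024-05-10T00:00:00Z"):
    """Load rows into an in-memory windows_eventlog table and run the hunt query."""
    con = sqlite3.connect(":memory:")
    con.execute("create table windows_eventlog "
                "(hostname text, channel text, datetime text, eventid integer, data text)")
    con.executemany("insert into windows_eventlog values (?,?,?,?,?)", rows)
    con.row_factory = sqlite3.Row
    return [dict(r) for r in con.execute(HUNT_QUERY, (now,))]


def rare_installs(results, max_hosts=1):
    """Stack installs by (service name, image path); keep those seen on at most max_hosts hosts."""
    hosts = defaultdict(set)
    for r in results:
        hosts[(r["ServiceName"], r["ImagePath"])].add(r["hostname"])
    return sorted((name, image, sorted(h))
                  for (name, image), h in hosts.items() if len(h) <= max_hosts)


if __name__ == "__main__":
    hits = run_hunt(SAMPLE_ROWS)
    for h in hits:
        print(h["hostname"], h["datetime"], h["ServiceName"], h["ImagePath"], h["AccountName"])
    print("rare:", rare_installs(hits))
```

Against the sample data the query returns the three VPN Agent installs and the single WinUpdateSvc install; stacking by host then leaves only WinUpdateSvc, the service that appears on one machine, runs from a user-writable path and was installed under a user account rather than LocalSystem. Raising max_hosts widens the net; in a real fleet the threshold is tuned to the size of the environment.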


5 Comments
jnelson
Carbon Black Employee
Status changed to: Approved
chriswelber
New Contributor III

I get "Unable to parse response: Parse error at offset 0: Inval..." when I try to run it in Live Query.

It looks great. 

Thanks.

jnelson
Carbon Black Employee

@chriswelber are you running this query in CB Response or in the Carbon Black Cloud?

chriswelber
New Contributor III

How would this affect the results?

Thanks!

jnelson
Carbon Black Employee

@chriswelber sorry for the delayed response... Live Query in CB Response is beta and there can be issues with queries.