Built on the open source project osquery
Description: Search Windows service creation events (System log, event ID 7045) from the past 30 days
What The Data Shows: All services created within the past 30 days, with JSON extractions of the relevant fields. Sort and filter for rare service installs across the environment to identify potentially suspicious programs.
SQL:
select datetime, eventid,
  json_extract(windows_eventlog.data, '$.EventData.ServiceName') as ServiceName,
  json_extract(windows_eventlog.data, '$.EventData.ImagePath') as ImagePath,
  json_extract(windows_eventlog.data, '$.EventData.StartType') as StartType,
  json_extract(windows_eventlog.data, '$.EventData.AccountName') as AccountName,
  json_extract(windows_eventlog.data, '$.EventData.ServiceType') as ServiceType,
  data
from windows_eventlog
where channel = 'System'
  and eventid = '7045'
  and data not like '%"ServiceName":"CB Defense"%'
  and data not like '%"ServiceName":"Carbon Black%"%'
  and datetime > datetime('now', '-30 day');
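To show what the query's filters do and how the "rare across the environment" triage works on the result, here is an added Python example (not code from this page, osquery or Carbon Black) that applies the same WHERE clause to constructed windows_eventlog rows and then counts how many hosts each ServiceName/ImagePath pair appears on. The `host` field, the `_row` helper and every path, account and timestamp are assumptions made up for the sample.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2023, 6, 30, 12, 0, 0)  # fixed "now" for the constructed timestamps
FMT = "%Y-%m-%d %H:%M:%S"

def _row(host, when, service, image, account="LocalSystem"):
    # Constructed row shaped like osquery's windows_eventlog table (hostname added).
    data = {"EventData": {"ServiceName": service, "ImagePath": image, "StartType": "auto start",
                          "AccountName": account, "ServiceType": "user mode service"}}
    return {"host": host, "datetime": when.strftime(FMT), "eventid": "7045",
            "channel": "System", "data": json.dumps(data)}

EVENTS = [  # constructed sample events, not real telemetry
    _row("ws01", NOW - timedelta(days=1), "CB Defense", r"C:\Program Files\CBSensor\sensor.exe"),
    _row("ws02", NOW - timedelta(days=2), "Carbon Black Cloud Sensor", r"C:\Program Files\CBSensor\sensor.exe"),
    _row("ws01", NOW - timedelta(days=3), "Sysmon64", r"C:\Windows\Sysmon64.exe"),
    _row("ws02", NOW - timedelta(days=3), "Sysmon64", r"C:\Windows\Sysmon64.exe"),
    _row("ws03", NOW - timedelta(days=4), "Sysmon64", r"C:\Windows\Sysmon64.exe"),
    _row("ws03", NOW - timedelta(days=5), "svchelper", r"C:\Users\Public\svchelper.exe", "ws03\\bob"),
    _row("ws03", NOW - timedelta(days=45), "OldTool", r"C:\Tools\old.exe"),  # outside the 30-day window
]

def service_installs(rows, now=NOW, window_days=30):
    """Mirror the query's WHERE clause (System channel, event 7045, last N days,
    CB Defense / Carbon Black sensor services excluded) and extract EventData."""
    cutoff = now - timedelta(days=window_days)
    out = []
    for r in rows:
        if r["channel"] != "System" or r["eventid"] != "7045":
            continue
        if datetime.strptime(r["datetime"], FMT) <= cutoff:  # datetime > now - 30 day
            continue
        ed = json.loads(r["data"]).get("EventData", {})
        name = ed.get("ServiceName", "")
        if name == "CB Defense" or name.startswith("Carbon Black"):  # the two NOT LIKE filters
            continue
        out.append({"host": r["host"], "datetime": r["datetime"], "ServiceName": name,
                    "ImagePath": ed.get("ImagePath"), "StartType": ed.get("StartType"),
                    "AccountName": ed.get("AccountName")})
    return out

def rare_installs(installs, max_hosts=1):
    """Group by (ServiceName, ImagePath) and keep pairs seen on at most max_hosts
    hosts: the 'rare across the environment' triage the page recommends."""
    hosts = defaultdict(set)
    for i in installs:
        hosts[(i["ServiceName"], i["ImagePath"])].add(i["host"])
    return sorted((len(h), n, p) for (n, p), h in hosts.items() if len(h) <= max_hosts)
```

With the sample data, the sensor services and the 45-day-old install drop out, Sysmon64 is seen on three hosts, and only `svchelper` (one host, user-writable path, non-system account) survives as a rare install worth a look.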
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.