Skill

hunting-for-unusual-service-installations

Parses Windows System event logs for Event ID 7045 to detect suspicious service installations, analyzes binary paths for persistence indicators (MITRE T1543.003), and generates risk reports.

Python

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Attackers frequently install malicious Windows services for persistence and privilege escalation (MITRE ATT&CK T1543.003 — Create or Modify System Process: Windows Service). Event ID 7045 in the System event log records every new service installation. This skill parses .evtx log files to extract service installation events, flags suspicious binary paths (temp directories, PowerShell, cmd.exe, e...

Supporting Assets

LICENSEreferences/api-reference.mdscripts/agent.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Hunting for Unusual Service Installations

Overview

When to Use

When investigating security incidents that require hunting for unusual service installations
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Python 3.9+ with python-evtx, lxml
Windows System event log (.evtx) files
Access to live System event log (optional, for real-time monitoring)
Sysmon logs for enhanced process tracking (optional)

Steps

Parse System.evtx for Event ID 7045 (new service installed)
Extract service name, binary path, service type, and account
Flag services with suspicious binary paths (temp dirs, encoded commands)
Detect PowerShell-based service creation patterns
Identify services running as LocalSystem with unusual paths
Cross-reference with known legitimate service baselines
Generate threat hunting report with MITRE ATT&CK T1543.003 mapping

Expected Output

JSON report listing all new service installations with risk scores, suspicious indicators, and remediation recommendations
Timeline of service installation events with binary path analysis