security analyst security skill risk: low
Windows Service Installation Threat Hunter
This prompt outlines steps to parse .evtx System event logs for Event ID 7045, extract service details, flag suspicious binary paths, and generate a JSON threat hunting report with…
SKILL 4 files · 2 folders
SKILL.md
--- name: hunting-for-unusual-service-installations description: "Detect suspicious Windows service installations (MITRE ATT&CK T1543.003) by parsing System event logs for Event" --- # Hunting for Unusual Service Installations ## Overview Attackers frequently install malicious Windows services for persistence and privilege escalation (MITRE ATT&CK T1543.003 — Create or Modify System Process: Windows Service). Event ID 7045 in the System event log records every new service installation. This skill parses .evtx log files to extract service installation events, flags suspicious binary paths (temp directories, PowerShell, cmd.exe, encoded commands), and correlates with known attack patterns. ## When to Use - When investigating security incidents that require hunting for unusual service installations - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Python 3.9+ with `python-evtx`, `lxml` - Windows System event log (.evtx) files - Access to live System event log (optional, for real-time monitoring) - Sysmon logs for enhanced process tracking (optional) ## Steps 1. Parse System.evtx for Event ID 7045 (new service installed) 2. Extract service name, binary path, service type, and account 3. Flag services with suspicious binary paths (temp dirs, encoded commands) 4. Detect PowerShell-based service creation patterns 5. Identify services running as LocalSystem with unusual paths 6. Cross-reference with known legitimate service baselines 7. Generate threat hunting report with MITRE ATT&CK T1543.003 mapping ## Expected Output - JSON report listing all new service installations with risk scores, suspicious indicators, and remediation recommendations - Timeline of service installation events with binary path analysis
REQUIRED CONTEXT
- .evtx log files
- Python 3.9+ with python-evtx and lxml
OPTIONAL CONTEXT
- Sysmon logs
- live System event log access
- legitimate service baselines
EXPECTED OUTPUT
- Format
- json
- Schema
- json_report · new service installations, risk scores, suspicious indicators, remediation recommendations, Timeline of service installation events with binary path analysis
- Constraints
- include risk scores and suspicious indicators
- map to MITRE ATT&CK T1543.003
- provide remediation recommendations
SUCCESS CRITERIA
- Parse System.evtx for Event ID 7045
- Extract service name, binary path, service type, and account
- Flag services with suspicious binary paths
- Generate threat hunting report with MITRE ATT&CK T1543.003 mapping
CAVEATS
- Dependencies
- Python 3.9+ with `python-evtx`, `lxml`
- Windows System event log (.evtx) files
- Access to live System event log (optional, for real-time monitoring)
- Sysmon logs for enhanced process tracking (optional)
- Missing context
- Exact JSON schema or field definitions for the report
- Concrete list of suspicious path patterns or regexes
- Baseline legitimate services examples
QUALITY
- OVERALL
- 0.74
- CLARITY
- 0.85
- SPECIFICITY
- 0.70
- REUSABILITY
- 0.65
- COMPLETENESS
- 0.75
IMPROVEMENT SUGGESTIONS
- Add a minimal Python code skeleton or function signature under Steps
- Define risk scoring rubric (e.g., how temp-dir vs encoded command scores are assigned)
USAGE
Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.
MORE FOR SECURITY ANALYST
- Ransomware Network Indicators Analyzersecurity analystsecurity
- APT TTP Mapping with MITRE Navigatorsecurity analystsecurity
- Linux Persistence Mechanisms Analyzersecurity analystsecurity
- Azure AD Lateral Movement KQL Detectorsecurity analystsecurity
- Kerberos Golden Ticket Forgery Detectorsecurity analystsecurity
- LOLBAS Abuse Detection with Sigma Rulessecurity analystsecurity
- Shadow IT Cloud Usage Detectorsecurity analystsecurity
- Registry Run Key Persistence Detection Guidesecurity analystsecurity
- Detect Risky OAuth Consent Grants in Entra IDsecurity analystsecurity
- Web Server Log Intrusion Analyzersecurity analystsecurity
- RDP Brute Force Event Log Analyzersecurity analystsecurity
- Rekall Memory Forensics Artifact Extractorsecurity analystsecurity
- Azure Activity Logs Threat Analyzersecurity analystsecurity
- Scapy Network Packet Analysis Guidesecurity analystsecurity
- TLS Certificate Transparency Log Analyzersecurity analystsecurity
- Cobalt Strike Malleable C2 Profile Analyzersecurity analystsecurity
- Email Account Compromise Detection Proceduressecurity analystsecurity
- Credential Stuffing Auth Log Analyzersecurity analystsecurity
- MISP Threat Intelligence Sharing with PyMISPsecurity analystsecurity
- MISP Threat Landscape Analysis Guidesecurity analystsecurity
- Malicious Scheduled Task Sysmon Detectorsecurity analystsecurity
- Kerberos Pass-the-Ticket Attack Detectorsecurity analystsecurity
- NTLM Relay Attack Event Log Analyzersecurity analystsecurity
- Linux Memory Forensics with LiME and Volatilitysecurity analystsecurity
- Insider Data Exfiltration DLP Analyzersecurity analystsecurity