4697 A service was installed in the system

Written when a new service is installed on the system. Because services run with SYSTEM privileges and survive reboots, they are heavily used for persistence and lateral movement, making this a cornerstone detection event.

Overview

The subcategory is Audit Security System Extension. The event is generated when a new service is registered, recording the service name (ServiceName), the executable path and arguments (ServiceFileName), and the registering account. Because a service runs with high privilege and can auto-start at boot, it is an attractive foothold for attackers.

How it is triggered

  • Service registration via sc.exe, the Service Control Manager API, PsExec, and so on.
  • PsExec creates a temporary service (such as PSEXESVC) for remote execution, so 4697 is left behind during lateral movement too.
  • It corresponds to System log Event ID 7045 (a service was installed in the system), which is written by the Service Control Manager rather than by the security audit subsystem.

Security review points

  • It maps to MITRE ATT&CK T1543.003 (Windows Service: creating or modifying services for persistence or privilege escalation). Strongly suspect it if ServiceFileName contains powershell / cmd, a temp-folder or admin-share path, or encoded arguments.
  • Watch also for masquerading that mimics a legitimate service name (T1036.004). Check the consistency of service name and executable path (whether a known service points to an unexpected path).
  • Remote service creation (the PsExec pattern) is a hallmark of lateral movement. Evaluate it together with the creating subject and source.

Notes for log review

  • Service installation also happens in legitimate operation (installers, updates). Narrow down suspicious binaries and scripts by the path and arguments in ServiceFileName.
  • A technique that writes directly to the registry HKLM\SYSTEM\CurrentControlSet\Services may, depending on configuration, not produce a 4697. Supplement it in layers with registry auditing 4657, Sysmon, and Event ID 7045.
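The review points above (interpreter or temp-path binaries, encoded arguments, name/path masquerading, the PsExec pattern) as one triage routine. This is an added example, not part of the original page; the sample records, the field keys and the one-entry baseline allowlist of known service paths are constructed assumptions, and the patterns are deliberately simple starting points rather than a complete rule set.

```python
import re

# Constructed 4697 records, not real log data: the keys mirror the event's
# ServiceName, ServiceFileName and Subject account fields.
SAMPLE_EVENTS = [
    {"ServiceName": "PSEXESVC", "ServiceFileName": r"%SystemRoot%\PSEXESVC.exe", "Subject": r"CORP\admin01"},
    {"ServiceName": "Spooler", "ServiceFileName": r"C:\Users\Public\spoolsv.exe", "Subject": r"CORP\jdoe"},
    {"ServiceName": "Updater", "ServiceFileName": "cmd.exe /c powershell -enc SQBFAFgA", "Subject": r"CORP\jdoe"},
    {"ServiceName": "Spooler", "ServiceFileName": r"C:\Windows\System32\spoolsv.exe", "Subject": "SYSTEM"},
]

# Assumed baseline of known service names and their expected binaries: an
# allowlist the reviewer maintains (a single entry here for illustration).
KNOWN_SERVICES = {"spooler": r"c:\windows\system32\spoolsv.exe"}

INTERPRETER_RE = re.compile(r"\b(powershell|pwsh|cmd)(\.exe)?\b", re.I)
ENCODED_RE = re.compile(r"\s-(e|ec|enc|encodedcommand)\b", re.I)
# Temp folders, user-writable locations, or a UNC path into an admin share.
SUSPICIOUS_PATH_RE = re.compile(
    r"(\\temp\\|\\appdata\\|\\users\\public\\|^\\\\[^\\]+\\(admin\$|c\$)\\)", re.I)


def triage_4697(event):
    """Return the review findings for one 4697 record (empty list = nothing flagged)."""
    name = event["ServiceName"]
    path = event["ServiceFileName"]
    findings = []
    if INTERPRETER_RE.search(path):
        findings.append("T1543.003: interpreter (powershell/cmd) in ServiceFileName")
    if ENCODED_RE.search(path):
        findings.append("T1543.003: encoded command-line argument")
    if SUSPICIOUS_PATH_RE.search(path):
        findings.append("T1543.003: temp, user-writable or admin-share path")
    expected = KNOWN_SERVICES.get(name.lower())
    if expected and path.strip('"').lower() != expected:
        findings.append(f"T1036.004: known service {name} points to an unexpected path")
    if name.upper() == "PSEXESVC":
        findings.append(f"PsExec pattern: remote service creation by {event['Subject']}")
    return findings


def triage_all(events):
    """Return (ServiceName, findings) for every flagged record, skipping clean ones."""
    flagged = []
    for event in events:
        findings = triage_4697(event)
        if findings:
            flagged.append((event["ServiceName"], findings))
    return flagged


if __name__ == "__main__":
    for name, findings in triage_all(SAMPLE_EVENTS):
        print(name, "->", "; ".join(findings))
```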

Key fields

Field                              Meaning
Service Name                       The registered service name
Service File Name                  The executable path and arguments; the most important field to examine
Service Type / Service Start Type  The service type and start type (whether it auto-starts)
Subject\Account Name               The account that performed the registration

Glossary

  • Persistence — techniques that keep an attacker’s code running across reboots and logoffs. Service registration is a prime example.