Networking
- Networking
Windows
Linux
Enterprise Architecture
Mac
- Forensics
  - Page 3
Attacker Information
IR Playbook
- Activity from Unmanaged Host
- Recommendations
Reverse Engineering
- Python - Pyinstaller

Powered by GitBook

On this page

Parse Data
Considerations
Audit Logs
Remote Artifacts
Anti-Forensics

Windows

Forensics

Event Logs

LOLBins

Services

PreviousScheduled Tasks NextWinRS

Last updated 1 year ago

File Location:

C:\Windows\config\SYSTEM

Service Registry Location:

HKLM\SYSTEM\CurrentControlSet\Services

Parse Data

Considerations

Audit Logs

System.evtx

7034: Service crashed unexpectedly
7035: Service sent a Start/Stop control
7040: Service started or stopped
7045: A new service was installed on the system (Win2008R2+).

Security.evtx

4697: A new service was installed on the system (Security log).

Remote Artifacts

Anti-Forensics

Hiding Services:

SANS Cyber Security Certifications & Research

Defense Spotlight: Finding Hidden Windows Services | SANS Institute