Event 4697: A service was installed in the system.
Quick Answer
Event 4697 logs the installation of new Windows services, a common technique for persistence, privilege escalation, and malware execution. Services run with SYSTEM privileges and survive reboots, making them attractive to attackers. Monitor this event to detect malicious service installation.
Technical Details
Event ID: 4697
Windows Security- System Change
Event Description
A service was installed in the system.
Key Log Fields
SubjectUserName- Account that installed the serviceSubjectDomainName- Domain of the accountSubjectLogonId- Logon ID for correlationServiceName- Name of the installed serviceServiceFileName- Full path to the service executableServiceType- Service type (0x1=kernel driver, 0x2=file system driver, 0x10=own process, 0x20=share process)ServiceStartType- Start type (0=boot, 1=system, 2=auto, 3=manual, 4=disabled)ServiceAccount- Account used to run the service
MITRE ATT&CK® Mapping (2)
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API. Adversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: `.sys`) to disk, the payload can be loaded and registered via [Native API](https://attack.mitre.org/techniques/T1106) functions such as `CreateServiceW()` (or manually via functions such as `ZwLoadDriver()` and `ZwSetValueKey()`), by creating the required service Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)), or by using command-line utilities such as `PnPUtil.exe`.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). To make detection analysis more challenging, malicious services may also incorporate [Masquerade Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component). Adversaries may also create ‘hidden’ services (i.e., [Hide Artifacts](https://attack.mitre.org/techniques/T1564)), for example by using the `sc sdset` command to set service permissions via the Service Descriptor Definition Language (SDDL). This may hide a Windows service from the view of standard service enumeration methods such as `Get-Service`, `sc query`, and `services.exe`.(Citation: SANS 1)(Citation: SANS 2)
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and [Net](https://attack.mitre.org/software/S0039). [PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and <code>sc.exe</code> can accept remote servers as arguments and may be used to conduct remote execution. Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.
Event Comparison
Event 4697 provides more detail than the older Event 7045. Both log service installations, but 4697 is a security event while 7045 is a system event.
What This Event Means
Event 4697 is generated whenever a new service is installed on a Windows system, recording the service name, executable path, service type, start mode, and the account that installed it. Windows services are powerful execution mechanisms that typically run with LocalSystem privileges, start automatically at boot time, and operate independently of user logons, making them highly valuable for attackers seeking persistent access. Malware families ranging from ransomware to banking trojans commonly install themselves as services to ensure execution persistence across reboots and to achieve elevated privileges. The event captures the complete service configuration including the executable path, which often reveals suspicious indicators such as binaries located in temporary directories, user-writable folders, or paths with random alphanumeric names. Service names themselves can be indicators, with attackers sometimes using names that mimic legitimate Windows services (e.g., 'WindowsUpdate' vs 'Windows Update') or generic names that blend into service lists. Remote service installation via PsExec or Service Control Manager remoting is a common lateral movement technique, where attackers install and start services on remote systems to execute payloads. Security analysts should baseline legitimate service installations in their environment, which outside of software deployments and patches should be relatively rare events. Any service installation outside maintenance windows, especially services configured to run non-standard executables or services installed via remote connections, warrants immediate investigation.
Security Implications
- Services running executables from %TEMP%, %APPDATA%, or user directories are highly suspicious
- Services with SYSTEM privileges but obfuscated or random names indicate malware
- Remote service installation (via SMB or RPC) is a primary lateral movement technique
- Services that execute script interpreters (powershell.exe, cmd.exe) with parameters suggest malicious activity
- Immediate service start after installation with no reboot required is an attacker preference for fast execution
Detection Strategies
Alert on all service installations and require them to be correlated with approved change management tickets or software deployment activities. Flag services installed from unexpected paths, particularly user-writable directories and network shares. Monitor for services installed via remote connections (check source IP in related 4624 logon events). Create alerts for services with names that nearly match legitimate Windows services but have subtle differences. Track services installed with AUTO_START that launch immediately, as these provide instant execution for attackers. Correlate service installation with process creation (4688) to see what executable the service runs and with what parameters. Examine the installing account to ensure it's an authorized administrative account operating during approved maintenance windows. Detailed detection signatures for major SIEM platforms will be added in upcoming releases.
Note: Comprehensive SIEM detection queries for Splunk SPL, Microsoft KQL, and Elastic Query DSL will be added in future updates.
Real-World Attack Examples
Ryuk ransomware installs services with random names to execute encryption routines with SYSTEM privileges across enterprises
APT41 group uses services for persistence, installing backdoors as services that beacon to command-and-control infrastructure
PsExec lateral movement creates ephemeral PSEXESVC services, visible in 4697 events during active attacker operations