title: Rare Service Installations
id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae
status: test
description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services
author: Florian Roth
date: 2017/03/08
modified: 2022/03/21
logsource:
  product: windows
  service: system
detection:
  selection:
    Provider_Name: 'Service Control Manager'
    EventID: 7045
  timeframe: 7d
  condition: selection
falsepositives:
  - Software installation
  - Software updates
level: low
tags:
  - attack.persistence
  - attack.privilege_escalation
  - car.2013-09-005
  - attack.t1543.003