Service Creation Logs: Security 4697 and System 7045
Create Service
# Define service parameters
$serviceName = "MyTestService"
$serviceDisplayName = "MY Test Service"
$serviceDescription = "This is a test service created for demonstration purposes."
# cmd.exe is not a real service binary (it never calls StartServiceCtrlDispatcher), but the
# Service Control Manager still records the install: System 7045 always, and Security 4697
# when the "Security System Extension" audit subcategory is enabled
$serviceExecutablePath = "C:\Windows\System32\cmd.exe"
# Create the new service (requires an elevated session)
New-Service -Name $serviceName -DisplayName $serviceDisplayName -Description $serviceDescription -BinaryPathName $serviceExecutablePath -StartupType Automatic
# Start the service; expect a start timeout (error 1053) because cmd.exe never reports
# back to the SCM, but the creation events above have already been written
Start-Service -Name $serviceName
Write-EventLog
# Register a custom event source in the System log (one-time, elevated); Write-EventLog
# refuses to write from a source that is not registered
New-EventLog -LogName System -Source "ATTA"
# Define event log parameters
$eventLogName = "System"
$source = "ATTA"
$eventId = 7045
$entryType = "Information" # Can be "Error", "Warning", "Information", "SuccessAudit", or "FailureAudit"
$message = "You have been served."
# Write to the event log. The entry carries Event ID 7045 but its provider is "ATTA",
# not "Service Control Manager", which is how it can be told apart from a genuine
# service-install event
Write-EventLog -LogName $eventLogName -Source $source -EventId $eventId -EntryType $entryType -Message $message
Write-EventLog -> EventLog.WriteEntry -> InternalWriteEvent -> UnsafeNativeMethods.ReportEvent -> Advapi32.dll!ReportEvent
https://referencesource.microsoft.com/#System/compmod/microsoft/win32/UnsafeNativeMethods.cs,371
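To close the loop on both sections above, here is an added triage script (my own, not part of the original notes) that pulls 7045/4697 events and flags entries whose provider is not the real SCM/auditing provider (the Write-EventLog case) or whose image path is a shell rather than a service binary (the cmd.exe case). It assumes an elevated session on the host being reviewed; the `Get-ServiceInstallEvents` and `Get-EventDataField` names are mine.

```powershell
# Added example: review service-install events for forged or suspicious entries.
# 4697 only appears if the audit subcategory is enabled:
#   auditpol /set /subcategory:"Security System Extension" /success:enable

function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    # Named EventData fields (ServiceName, ImagePath, ServiceFileName, ...) are only
    # present on genuine provider-generated events; a Write-EventLog entry has none.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-ServiceInstallEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $filters = @(
        @{ LogName = 'System';   Id = 7045; StartTime = $since }
        @{ LogName = 'Security'; Id = 4697; StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            $isSystem = ($_.Id -eq 7045)
            $path = if ($isSystem) { Get-EventDataField $_ 'ImagePath' }
                    else           { Get-EventDataField $_ 'ServiceFileName' }
            $flags = @()
            # A real 7045 is always written by the Service Control Manager provider and a
            # real 4697 by Microsoft-Windows-Security-Auditing. Write-EventLog keeps the
            # ID but stamps the registered custom source (e.g. "ATTA") as provider.
            if ($isSystem -and $_.ProviderName -ne 'Service Control Manager') { $flags += 'forged-provider' }
            if (-not $isSystem -and $_.ProviderName -ne 'Microsoft-Windows-Security-Auditing') { $flags += 'forged-provider' }
            # Shells and script hosts are not service binaries (see the cmd.exe example).
            if ($path -match '(?i)\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)\.exe') { $flags += 'shell-as-service' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Log         = $_.LogName
                Id          = $_.Id
                Provider    = $_.ProviderName
                ServiceName = Get-EventDataField $_ 'ServiceName'
                ImagePath   = $path
                Flags       = ($flags -join ',')
            }
        }
    }
}

Get-ServiceInstallEvents -Hours 24 | Where-Object Flags | Format-Table -AutoSize
```

Running this after the two lab scripts above should show MyTestService flagged as shell-as-service and the "ATTA" entry flagged as forged-provider.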
Reminders for lab:
Press "h" to convert hex strings to decimal and back; use "search immediate" for the values referenced in operands.