


Similar to scheduled tasks, malware can create a service or driver to establish itself on the breached system. Services have the advantage of starting automatically at boot, before any user logs on, and of potentially running under the LocalSystem account, giving them access to even more resources than the local Administrator. A malicious driver goes further still, since it executes in kernel mode.



Just like with scheduled tasks, adding services is a popular method for malware to achieve persistence because:

1. The creation and deletion of services is often not monitored.

2. Malicious services and drivers may blend in with legitimate ones, due to the large number of services and drivers installed on modern Windows systems.


EventSentry Benefits

Service Monitoring

Services and drivers can be monitored by both Windows itself and EventSentry, making it possible to detect suspicious changes in near real time. EventSentry supports comprehensive monitoring of services:


The creation, deletion and change of any service can be logged to the event log, generating an alert

A complete inventory of all services and drivers can be viewed in the Web Reports

A history of all service changes (including status changes) is available in the Web Reports
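Whether the service-creation event comes from EventSentry's own monitoring or from Windows itself (the System log records "A service was installed in the system" as Event ID 7045, with the service name, binary path, type, start type and account), the alert still has to be triaged against the two attacker advantages described above: a new service is rarely inspected, and it hides among hundreds of legitimate ones. The following is an added example and not EventSentry code; it runs a small triage over constructed records shaped like the 7045 fields (the sample services, paths and the baseline inventory are all made up for illustration), flagging binaries in user-writable locations, drivers loaded from outside the drivers directory, binaries that masquerade as Windows system executables, command interpreters with encoded payloads, and services absent from an inventory baseline.

```python
import re

# Constructed sample records modelled on the fields of System log Event ID 7045
# ("A service was installed in the system"). These are not real logs.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "WinDefendUpdate",
     "ImagePath": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "ServiceType": "user mode service", "StartType": "auto start",
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "SupportAssistAgent",
     "ImagePath": r'"C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe"',
     "ServiceType": "user mode service", "StartType": "auto start",
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "fltdrv",
     "ImagePath": r"\??\C:\ProgramData\fltdrv.sys",
     "ServiceType": "kernel mode driver", "StartType": "auto start",
     "AccountName": ""},
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "ServiceType": "user mode service", "StartType": "demand start",
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "updater",
     "ImagePath": r"C:\Windows\System32\cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA",
     "ServiceType": "user mode service", "StartType": "auto start",
     "AccountName": "LocalSystem"},
]

# Hypothetical inventory snapshot taken before the events (e.g. exported from a
# service inventory); only names that were already installed belong here.
BASELINE = {"SupportAssistAgent", "wuauserv", "Dnscache", "WinDefend"}

# Environment variables commonly seen in ImagePath; expanded so path checks work.
ENV = {"%SYSTEMROOT%": r"C:\Windows", "%WINDIR%": r"C:\Windows",
       "%PROGRAMDATA%": r"C:\ProgramData"}

# Directories a non-administrator can usually write to.
USER_WRITABLE = re.compile(
    r"^(?:[A-Z]:\\Users\\|[A-Z]:\\ProgramData\\|[A-Z]:\\Windows\\Temp\\|"
    r"[A-Z]:\\Windows\\Tasks\\|[A-Z]:\\Temp\\)", re.IGNORECASE)

# Names of core Windows binaries that malware likes to borrow.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe",
                       "services.exe", "winlogon.exe"}


def normalize_path(image_path):
    """Reduce an ImagePath to the executable path: strip the \\??\\ NT prefix,
    expand known environment variables, honour quoting, drop arguments."""
    p = image_path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    for var, val in ENV.items():
        p = re.sub(re.escape(var), lambda m: val, p, flags=re.IGNORECASE)
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    # Unquoted path: the binary ends at the first .exe/.sys/.dll token.
    m = re.match(r"(.*?\.(?:exe|sys|dll))(?:\s|$)", p, re.IGNORECASE)
    return m.group(1) if m else p


def triage(event, baseline):
    """Return the list of reasons a 7045 event deserves analyst attention
    (empty list means nothing suspicious was found)."""
    reasons = []
    if event.get("EventID") != 7045:
        return reasons
    name = event["ServiceName"]
    raw = event["ImagePath"]
    exe = normalize_path(raw)
    exe_lower = exe.lower()
    basename = exe.rsplit("\\", 1)[-1].lower()
    if name not in baseline:
        reasons.append("not in service inventory baseline")
    if USER_WRITABLE.search(exe):
        reasons.append("binary in user-writable location: " + exe)
    if "kernel" in event["ServiceType"].lower() and \
            not exe_lower.startswith("c:\\windows\\system32\\drivers\\"):
        reasons.append("kernel driver loaded from outside System32\\drivers: " + exe)
    if basename in SYSTEM_BINARY_NAMES and \
            not exe_lower.startswith("c:\\windows\\system32\\"):
        reasons.append("masquerades as Windows binary " + basename)
    if re.search(r"(powershell|cmd\.exe).*(-enc|-e |downloadstring|iex)", raw,
                 re.IGNORECASE):
        reasons.append("command interpreter with encoded/download payload as service binary")
    if basename == "psexesvc.exe":
        reasons.append("PsExec remote-execution service")
    return reasons


def run_triage(events, baseline):
    """Map every service-installed event to its triage reasons."""
    return {e["ServiceName"]: triage(e, baseline)
            for e in events if e.get("EventID") == 7045}


if __name__ == "__main__":
    for svc, why in run_triage(SAMPLE_EVENTS, BASELINE).items():
        print(svc, "->", "; ".join(why) if why else "no findings")
```

In this constructed set only the Dell agent, which is in the baseline and lives under Program Files, comes back clean; the other four each carry at least two findings. The baseline check is what turns a mass of "a service was installed" alerts into something reviewable: the inventory and change history mentioned above are exactly the data it needs.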