Want to make service removal really fun? Create a service with a Unicode name. The service will run but won't show in sc.exe, services.msc, or taskmgr.exe and will sometimes cause a critical error while trying to find it with PowerShell/WMI. Unicode wins again. 🤦‍♂️
Curious what is displayed in the service creation events like 7045?
I'll get you an answer a little later today.
As promised, here are the events in both Event Viewer and PowerShell.

1:57 AM · Jan 18, 2020

If the 7045 event is missed, is the only way to detect these Unicode-created services via the services reg key location? From an IR lens, thinking of orgs without central logging and monitoring.
That’s my understanding from Matt’s testing. Now I’m curious how EDR vendors behave when processing these events and displaying that to an analyst.
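
For the registry-based check discussed in the last two replies, an added PowerShell example (not from the thread or its authors) that reads the Services key names through .NET and flags any containing characters outside printable ASCII. The function names, the ASCII rule and the sample names are assumptions made for illustration.

```powershell
# Added example. Assumption: any character outside printable ASCII in a
# service key name deserves analyst review (legitimate cases can exist).
function Get-NonAsciiCodePoint {
    param([Parameter(Mandatory)][string]$Name)
    # Emit U+XXXX for each UTF-16 code unit outside 0x20-0x7E.
    foreach ($ch in $Name.ToCharArray()) {
        $cp = [int]$ch
        if ($cp -lt 0x20 -or $cp -gt 0x7E) { 'U+{0:X4}' -f $cp }
    }
}

function Find-NonAsciiServiceKey {
    param(
        # Optional list of names to test; defaults to the live registry.
        [string[]]$Name
    )
    $servicesPath = 'SYSTEM\CurrentControlSet\Services'
    # Read the key directly instead of going through sc.exe, Get-Service or WMI.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($servicesPath)
    if (-not $Name) { $Name = $root.GetSubKeyNames() }

    foreach ($n in $Name) {
        $odd = @(Get-NonAsciiCodePoint -Name $n)
        if ($odd.Count -eq 0) { continue }
        $key = $root.OpenSubKey($n)   # $null for constructed names
        [pscustomobject]@{
            KeyName    = $n
            CodePoints = $odd -join ' '
            ImagePath  = if ($key) { $key.GetValue('ImagePath') }
            Start      = if ($key) { $key.GetValue('Start') }
            Type       = if ($key) { $key.GetValue('Type') }
        }
        if ($key) { $key.Close() }
    }
    $root.Close()
}

# Constructed sample names (not from the thread): one plain, one with U+2603.
Find-NonAsciiServiceKey -Name 'Spooler', "Example$([char]0x2603)Svc"

# Live sweep of the local Services key.
Find-NonAsciiServiceKey | Format-List
```

The CodePoints column shows exactly which characters triggered the match, which helps when the name renders as ordinary text in a console or report.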