A large corporation has recently undergone a cyberattack. The forensic analyst finds suspicious activities in the Windows Event logs during the investigation. The analyst notes that a specific service on the machine has been frequently starting and stopping during the time of the attack. What event IDs should the analyst look for in the System log to confirm this suspicious behavior?
The forensic analyst should look for Event ID 7035 and Event ID 7036 in the System log to confirm the suspicious behavior. Event ID 7035 indicates that the service control manager has sent a start or stop control to a service. Event ID 7036 indicates that a service has entered a state such as running or stopped. Monitoring both these event IDs is essential to track the frequent starting and stopping of a service, which aligns with the symptoms observed during the cyberattack.
Event ID 7035: This event ID indicates that the service control manager has sent a start or stop control to a service. Event ID 7036: This event ID indicates that a service has entered a state, such as running or stopped. revealed to me in a vision.
A > For an example if host A had his service state changed from running to stopped then it will generate an event id 7035/7036 on the windows event log on the Windows Server.
The forensic analyst should look for the following event IDs in the System log to confirm suspicious behavior related to a service frequently starting and stopping: A. Event ID 7035 and Event ID 7036 Event ID 7035: This event ID indicates that a service control manager has requested a service to start or stop. Event ID 7036: This event ID indicates that a service has changed its state (started, stopped, etc.). These events are crucial for tracking the status changes of services on a Windows system and can help identify unusual or suspicious behavior.