T1543.003: Windows Service
| View on MITRE ATT&CK | T1543.003 |
|---|---|
| Tactic(s) | Persistence, Privilege Escalation |
| Associated CAPEC Patterns | Modification of Windows Service Configuration (CAPEC-478) |
Data from MITRE ATT&CK®:
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API.
Adversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: .sys) to disk, the payload can be loaded and registered via Native API functions such as CreateServiceW() (or manually via functions such as ZwLoadDriver() and ZwSetValueKey()), by creating the required service Registry values (i.e. Modify Registry), or by using command-line utilities such as PnPUtil.exe.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as Rootkits to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver" (BYOVD)) as part of Exploitation for Privilege Escalation.(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020)
Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through Service Execution. To make detection analysis more challenging, malicious services may also incorporate Masquerade Task or Service (ex: using a service and/or payload name related to a legitimate OS or benign software component).
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
Threat Assessment: Black Basta Ransomware
This threat assessment from Palo Alto's Unit 42 describes the Black Basta 'Ransomware as a Service' operation including TTPs (tactics, techniques ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
APT41 Has Arisen From the DUST
This report from Mandiant outlines APT41 activity observed since 2023 including successful compromises of logistic, media, technology and ...
Threat Group FIN7 Targets the U.S. Automotive Industry
In late 2023, BlackBerry analysts discovered a targeted attack by FIN7 on a U.S. automotive manufacturer, exploiting IT employees with higher ...
FamousSparrow: A suspicious hotel guest
This blog post by researchers from ESET describes the FamousSparrow APT group and associated custom backdoor 'SparrowDoor'. According to the post, ...
From OneNote to RansomNote: An Ice Cold Intrusion
This case report from The DFIR Report describes an intrusion which started with a malicious OneNote attachment. Opening the OneNote file led to ...
APT29 Uses WINELOADER to Target German Political Parties
This blog post by Mandiant describes activity by APT29, linked to Russia's SVR, which targeted German political parties with a new backdoor: ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
The Updated APT Playbook: Tales from the Kimsuky threat actor group
This article by researchers at Rapid7 discusses recent activity by North Korean intrusion set 'Kimsuky'. Kimsuky is primarily focused on ...
Evasive Panda leverages Monlam Festival to target Tibetans
This report by researchers at ESET describes a campaign which they attribute to the China-aligned APT Evasive Panda. The report describes a ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Operating System Configuration
Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.User Account Management
Manage the creation, modification, use, and permissions associated to user accounts.Code Signing
Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.Audit
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.Behavior Prevention on Endpoint
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.How to detect this technique
MITRE ATT&CK Data Components
Driver Load (Driver)
Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )File Metadata (File)
Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)Network Traffic Flow (Network Traffic)
Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)Windows Registry Key Modification (Windows Registry)
Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)Service Modification (Service)
Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs)OS API Execution (Process)
Operating system function/method calls executed by a processService Creation (Service)
Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)Windows Registry Key Creation (Windows Registry)
Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Sigma Detections for this Technique
Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
ProcessHacker Privilege Elevation
Remote Access Tool Services Have Been Installed - Security
Potential Persistence Attempt Via Existing Service Tampering
Service Installation in Suspicious Folder
Vulnerable WinRing0 Driver Load
Sysinternals PsSuspend Execution
Moriya Rootkit - System
Potential Discovery Activity Via Dnscmd.EXE
Malicious Driver Load
Uncommon Service Installation Image Path
Remote Access Tool Services Have Been Installed - System
Suspicious Service Installation Script
Malicious Service Installations
Vulnerable HackSys Extreme Vulnerable Driver Load
New Service Creation Using PowerShell
CobaltStrike Service Installations - System
Service Installation with Suspicious Folder Pattern
Suspicious Service Path Modification
Driver Load From A Temporary Directory
New PDQDeploy Service - Client Side
Vulnerable Driver Load
CobaltStrike Service Installations - Security
Potential CobaltStrike Service Installations - Registry
Sliver C2 Default Service Installation
New PDQDeploy Service - Server Side
Suspicious Service DACL Modification Via Set-Service Cmdlet
PSEXEC Remote Execution File Artefact
Sysinternals PsService Execution
New Service Creation Using Sc.EXE
Vulnerable Driver Load By Name
OilRig APT Registry Persistence
Suspicious Service Installation
Malicious Driver Load By Name
New Kernel Driver Via SC.EXE
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
Suspicious New Service Creation
ServiceDll Hijack
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.