Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API.
Adversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: .sys
) to disk, the payload can be loaded and registered via Native API functions such as CreateServiceW()
(or manually via functions such as ZwLoadDriver()
and ZwSetValueKey()
), by creating the required service Registry values (i.e. Modify Registry), or by using command-line utilities such as PnPUtil.exe
.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as Rootkits to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver" (BYOVD)) as part of Exploitation for Privilege Escalation.(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020)
Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through Service Execution. To make detection analysis more challenging, malicious services may also incorporate Masquerade Task or Service (ex: using a service and/or payload name related to a legitimate OS or benign software component).
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-02 | Account Management | Protects | T1543.003 | Windows Service |
AC-03 | Access Enforcement | Protects | T1543.003 | Windows Service |
AC-05 | Separation of Duties | Protects | T1543.003 | Windows Service |
AC-06 | Least Privilege | Protects | T1543.003 | Windows Service |
CM-11 | User-installed Software | Protects | T1543.003 | Windows Service |
CM-02 | Baseline Configuration | Protects | T1543.003 | Windows Service |
CM-05 | Access Restrictions for Change | Protects | T1543.003 | Windows Service |
IA-02 | Identification and Authentication (organizational Users) | Protects | T1543.003 | Windows Service |