Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.(Citation: TechNet Services) On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons)
Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect.
Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.(Citation: OSX Malware Detection)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.05 | Remote access protection | Mitigates | T1543 | Create or Modify System Process |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1543 | Create or Modify System Process |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1543 | Create or Modify System Process |
Comments
This diagnostic statement protects against Create or Modify System Process through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1543 | Create or Modify System Process |
Comments
This diagnostic statement protects against Create or Modify System Process through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
References
|
| DE.CM-09.03 | Unauthorized software, hardware, or configuration changes | Mitigates | T1543 | Create or Modify System Process |
Comments
This Diagnostic Statement addresses measures for managing configuration integrity and unauthorized changes that can mitigate risks associated with adversary techniques attempting to make changes to how the hardware, software, and firmware operates.
References
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1543 | Create or Modify System Process |
Comments
This diagnostic statement provides protection from Create or Modify System Process through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
References
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1543 | Create or Modify System Process |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
References
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1543 | Create or Modify System Process |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
References
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1543 | Create or Modify System Process |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
| PR.PS-01.02 | Least functionality | Mitigates | T1543 | Create or Modify System Process |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1543 | Create or Modify System Process |
Comments
This diagnostic statement protects against Create or Modify System Process through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1543 | Create or Modify System Process |
Comments
This control can detect creation or modification of system-level processes.
References
|
| ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | technique_scores | T1543 | Create or Modify System Process |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1543 | Create or Modify System Process |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1543 | Create or Modify System Process |
Comments
This control only addresses a minority of this technique's procedure examples and one of its sub-techniques resulting in an overall Minimal score.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1543 | Create or Modify System Process |
Comments
Google Security Ops is able to trigger an alert based on creation or modification to system-level processes on Windows machines.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_process_creation.yaral
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_inspector | Amazon Inspector | technique_scores | T1543 | Create or Modify System Process |
Comments
The Amazon Inspector Best Practices assessment package can assess security control "Configure permissions for system directories" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1543.003 | Windows Service | 21 |
| T1543.004 | Launch Daemon | 13 |
| T1543.005 | Container Service | 16 |
| T1543.001 | Launch Agent | 11 |
| T1543.002 | Systemd Service | 28 |