T1543.003 Windows Service

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.

Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API.

Adversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: .sys) to disk, the payload can be loaded and registered via Native API functions such as CreateServiceW() (or manually via functions such as ZwLoadDriver() and ZwSetValueKey()), by creating the required service Registry values (i.e. Modify Registry), or by using command-line utilities such as PnPUtil.exe.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as Rootkits to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver" (BYOVD)) as part of Exploitation for Privilege Escalation.(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020)

Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through Service Execution.

To make detection analysis more challenging, malicious services may also incorporate Masquerade Task or Service (ex: using a service and/or payload name related to a legitimate OS or benign software component). Adversaries may also create ‘hidden’ services (i.e., Hide Artifacts), for example by using the sc sdset command to set service permissions via the Service Descriptor Definition Language (SDDL). This may hide a Windows service from the view of standard service enumeration methods such as Get-Service, sc query, and services.exe.(Citation: SANS 1)(Citation: SANS 2)
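A defender-side check for the registry-stored service configuration and the hidden-service case described above, added here as an example that is not part of the ATT&CK entry or of any mapped framework. It assumes an elevated PowerShell session on a Windows host; the only path it relies on is the standard Services key.

```powershell
# Added example (not from the ATT&CK page). Compares the services the SCM reports
# through the standard enumeration API (what Get-Service / sc query show) with the
# service keys stored in the registry, so that a service whose security descriptor
# hides it from enumeration still surfaces. Assumes it runs elevated on Windows.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Service names visible through the standard enumeration API.
$visible = @{}
Get-Service -ErrorAction SilentlyContinue | ForEach-Object { $visible[$_.Name.ToLower()] = $true }

$findings = foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.Type) { continue }   # not a service entry
    $type = [int]$props.Type
    if (($type -band 0x30) -eq 0) { continue }   # kernel/file-system drivers are not Win32 services
    if (($type -band 0x40) -ne 0) { continue }   # per-user service templates enumerate differently
    if ($visible.ContainsKey($key.PSChildName.ToLower())) { continue }

    # sc.exe sdshow prints the service's security descriptor in SDDL. A service hidden with
    # sc sdset usually carries deny ACEs in its DACL; the string is empty when the
    # descriptor denies even the current caller.
    $sddl = (& sc.exe sdshow $key.PSChildName 2>$null | Where-Object { $_ -match '^D:' }) -join ''

    [PSCustomObject]@{
        Name      = $key.PSChildName
        ImagePath = $props.ImagePath        # binary or recovery command the service runs
        Start     = $props.Start            # 2 = Automatic, 3 = Manual, 4 = Disabled
        SDDL      = $sddl
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No registry-only services found.' }
```

Any row this prints is a service that exists in the registry but is absent from standard enumeration; review its ImagePath and SDDL before treating it as malicious, since a few legitimate products also restrict their service DACLs.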


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

PR.PS-01.01 | Configuration baselines | Mitigates | T1543.003 | Windows Service
  Comments: This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation.

PR.PS-01.02 | Least functionality | Mitigates | T1543.003 | Windows Service
  Comments: This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.

DE.CM-03.03 | Privileged account monitoring | Mitigates | T1543.003 | Windows Service
  Comments: This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.

DE.CM-09.01 | Software and data integrity checking | Mitigates | T1543.003 | Windows Service
  Comments: This diagnostic statement protects against Windows Service through verifying the integrity of software/firmware, loading only trusted software, ensuring privileged process integrity, and checking software signatures.

PR.PS-01.03 | Configuration deviation | Mitigates | T1543.003 | Windows Service
  Comments: This diagnostic statement provides protection from Create or Modify System Process: Windows Service through the implementation of security configuration baselines for the OS and software, file integrity monitoring, and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.

PR.AA-01.01 | Identity and credential management | Mitigates | T1543.003 | Windows Service
  Comments: This diagnostic statement protects against Windows Service through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CM-05 | Access Restrictions for Change | mitigates | T1543.003 | Windows Service
CM-11 | User-installed Software | mitigates | T1543.003 | Windows Service
CM-02 | Baseline Configuration | mitigates | T1543.003 | Windows Service
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1543.003 | Windows Service
AC-02 | Account Management | mitigates | T1543.003 | Windows Service
AC-03 | Access Enforcement | mitigates | T1543.003 | Windows Service
AC-05 | Separation of Duties | mitigates | T1543.003 | Windows Service
AC-06 | Least Privilege | mitigates | T1543.003 | Windows Service

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1543.003 | Windows Service
action.malware.variety.RAT | Remote Access Trojan. Parent of 'Backdoor' and 'Trojan' | related-to | T1543.003 | Windows Service
attribute.integrity.variety.Software installation | Software installation or code modification | related-to | T1543.003 | Windows Service

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1543.003 | Windows Service
  Comments: This control may detect changes to the Windows registry upon creation or modification of Windows services. This control may also detect changes to files used by systemd to create or modify systemd services. The specificity of the registry keys and files used in the creation or modification of these services may reduce the false positive rate. At worst, this control scans for changes on an hourly basis.

alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1543.003 | Windows Service
  Comments: This control may detect when the tscon.exe binary is installed as a service to exploit RDP sessions, or when a rare service group is executed under SVCHOST. The following alert may be generated: "Suspect service installation".

defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1543.003 | Windows Service
  Comments: This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Privesc-PowerUp modules on Windows, but does not address other procedures, and the temporal factor is unknown, resulting in a Minimal score.

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

google_secops | Google Security Operations | technique_scores | T1543.003 | Windows Service
  Comments: Google Security Ops is able to trigger an alert based on system process modifications to existing Windows services that could indicate a malicious payload (e.g., "C:\Windows\System32\sc.exe", "C:\Windows\System32\cmd.exe"). This technique was scored as Minimal based on a low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/underminer_exploit_kit_delivers_malware.yaral