Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg.
Adversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system.
An adversary may also incorporate Masquerading by using a service name from a related operating system or benign software, or by modifying existing services to make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.
Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution.
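The description above gives a defender three things to check whenever a new service appears: where the service binary lives, whether the image is really a service binary or an interpreter/system utility standing in for one, and whether the service runs as SYSTEM. The script below is an added example written for this page (not code from the ATT&CK description or from any of the mapped products); it triages constructed Event ID 7045 "A service was installed in the system" records. The trusted-directory roots, the living-off-the-land binary list, and the simplified field names are assumptions for the example; the records are constructed samples, not real telemetry.

```python
"""Triage Windows service-installation records (System log Event ID 7045,
"A service was installed in the system") for signs of service-based
persistence. Added example written for this page, not code from the ATT&CK
description or from any of the mapped products; the records below are
constructed samples, and the field names are simplified versions of the
7045 event data."""
import os

# Directories where a legitimate service binary is normally installed (assumed defaults).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Path fragments indicating a location that ordinary users can write to.
WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
# Interpreters and living-off-the-land binaries that are rarely a legitimate service
# image; tscon.exe is the case called out in the "Suspect service installation" comment.
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
           "mshta.exe", "wscript.exe", "cscript.exe", "tscon.exe"}
# Core Windows binary names that get borrowed for masquerading; they belong in System32.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "spoolsv.exe", "services.exe",
                   "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"ServiceName": "Windows Update Helper", "ImagePath": "C:\\Users\\Public\\svchost.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "rdpsvc", "ImagePath": "C:\\Windows\\System32\\tscon.exe 2 /dest:console",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "AcmeAgent", "ImagePath": "\"C:\\Program Files\\Acme\\agent.exe\" --service",
     "StartType": "auto start", "AccountName": "NT AUTHORITY\\LocalService"},
    {"ServiceName": "updater", "ImagePath": "%SystemRoot%\\Temp\\upd.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "drvhelper", "ImagePath": "\\??\\C:\\ProgramData\\drv\\helper.exe",
     "StartType": "auto start", "AccountName": "NT AUTHORITY\\NetworkService"},
]


def expand_env(path):
    """Expand the environment variables commonly seen in ImagePath values and
    lower-case the result. Default-install values are assumed; a live collector
    would resolve them on the host."""
    subs = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows",
            "%programfiles%": "c:\\program files"}
    lowered = path.lower()
    for var, value in subs.items():
        lowered = lowered.replace(var, value)
    return lowered


def image_executable(image_path):
    """Return the normalised executable path from an ImagePath value, which may
    be quoted, carry arguments, or use the \\??\\ NT object-manager prefix."""
    p = expand_env(image_path.strip())
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith('"'):
        end = p.find('"', 1)
        exe = p[1:end] if end > 0 else p[1:]
    else:
        exe = p.split(" ", 1)[0]
    return exe.replace("/", "\\")


def triage_event(event):
    """Return the suspicious attributes of one service-installation record."""
    exe = image_executable(event.get("ImagePath", ""))
    name = os.path.basename(exe.replace("\\", "/"))
    reasons = []
    if any(marker in exe for marker in WRITABLE_MARKERS):
        reasons.append("service image in a user-writable location")
    elif not exe.startswith(TRUSTED_ROOTS):
        reasons.append("service image outside trusted program directories")
    if name in LOLBINS:
        reasons.append(f"{name} registered as a service image")
    if name in SYSTEM_BINARIES and not exe.startswith(SYSTEM_DIRS):
        reasons.append(f"{name} outside System32 (possible masquerade)")
    runs_as_system = event.get("AccountName", "").lower() == "localsystem"
    # A suspicious image that also runs as SYSTEM is the administrator-to-SYSTEM
    # escalation case the description mentions, so it weighs extra.
    score = len(reasons) + (1 if reasons and runs_as_system else 0)
    severity = "high" if score >= 2 else "medium" if score == 1 else "none"
    return {"ServiceName": event.get("ServiceName"), "Executable": exe,
            "RunsAsSystem": runs_as_system, "Reasons": reasons, "Severity": severity}


def triage(events):
    """Triage every record, preserving input order."""
    return [triage_event(e) for e in events]


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"{r['Severity']:6} {r['ServiceName']!r:26} {'; '.join(r['Reasons']) or 'ok'}")
```

Run stand-alone, the script prints one line per record; the two legitimate services (Spooler and AcmeAgent) score "none", while the svchost.exe copy under C:\Users, the tscon.exe service and the %SystemRoot%\Temp binary all score "high" because each combines a suspicious image with a SYSTEM account. The severity weighting is a deliberately simple illustration; a production rule would add the service name itself and the creating process to the scoring.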
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-17 | Remote Access | Protects | T1543.003 | Windows Service | |
AC-2 | Account Management | Protects | T1543.003 | Windows Service | |
AC-3 | Access Enforcement | Protects | T1543.003 | Windows Service | |
AC-5 | Separation of Duties | Protects | T1543.003 | Windows Service | |
AC-6 | Least Privilege | Protects | T1543.003 | Windows Service | |
CA-8 | Penetration Testing | Protects | T1543.003 | Windows Service | |
CM-11 | User-installed Software | Protects | T1543.003 | Windows Service | |
CM-2 | Baseline Configuration | Protects | T1543.003 | Windows Service | |
CM-5 | Access Restrictions for Change | Protects | T1543.003 | Windows Service | |
CM-6 | Configuration Settings | Protects | T1543.003 | Windows Service | |
CM-7 | Least Functionality | Protects | T1543.003 | Windows Service | |
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1543.003 | Windows Service | |
IA-4 | Identifier Management | Protects | T1543.003 | Windows Service | |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1543.003 | Windows Service | |
SI-4 | System Monitoring | Protects | T1543.003 | Windows Service | |
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1543.003 | Windows Service | Comments: This control may detect when the tscon.exe binary is installed as a service to exploit RDP sessions, or when a rare service group is executed under SVCHOST. The following alert may be generated: "Suspect service installation". |
azure_sentinel | Azure Sentinel | technique_scores | T1543.003 | Windows Service | Comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can modify service binaries and restore them to their original states, but it does not address other procedures. |
microsoft_defender_for_identity | Microsoft Defender for Identity | technique_scores | T1543.003 | Windows Service | Comments: This control's "Suspicious service creation (external ID 2026)" alert is able to detect suspicious service creation on a domain controller or AD FS server in your organization. Because this detection is specific to those hosts, the coverage score is Minimal, resulting in a Minimal detection score. |
file_integrity_monitoring | File Integrity Monitoring | technique_scores | T1543.003 | Windows Service | Comments: This control may detect changes to the Windows Registry upon creation or modification of Windows services. This control may also detect changes to files used by systemd to create or modify systemd services. The specificity of the registry keys and files used to create or modify these services may reduce the false positive rate. At worst, this control scans for changes on an hourly basis. |
azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1543.003 | Windows Service | Comments: This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Privesc-PowerUp modules on Windows, but it does not address other procedures, and the temporal factor is unknown, resulting in a Minimal score. |
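The File Integrity Monitoring row above rests on one idea: the service configuration the technique description places in the Registry (the executable path, start type, logon account and any recovery command) can be snapshotted and diffed, so that a modified existing service stands out as clearly as a newly created one. The script below is an added example written for this page (not code from the ATT&CK mapping or from any of the mapped products); it compares two constructed snapshots of the value names under HKLM\SYSTEM\CurrentControlSet\Services\<name> and rates each change. The snapshot contents and the severity rules are assumptions for the example, not a specification of what the monitored product checks.

```python
"""Detect creation or modification of Windows services by diffing two
snapshots of HKLM\\SYSTEM\\CurrentControlSet\\Services, the way a registry
integrity monitor would. Added example written for this page, not the
mapping's or any product's code; the snapshots are constructed samples of
the value names the technique description mentions (ImagePath, Start,
ObjectName, FailureCommand)."""

# Registry Start values and the names sc.exe shows for them.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
WATCHED_VALUES = ("ImagePath", "Start", "ObjectName", "FailureCommand")

# Constructed baseline snapshot: service name -> watched values.
BASELINE = {
    "Spooler": {"ImagePath": "C:\\Windows\\System32\\spoolsv.exe", "Start": 2,
                "ObjectName": "LocalSystem"},
    "RemoteRegistry": {"ImagePath": "C:\\Windows\\System32\\svchost.exe -k localService",
                       "Start": 4, "ObjectName": "NT AUTHORITY\\LocalService"},
    "AcmeAgent": {"ImagePath": "C:\\Program Files\\Acme\\agent.exe", "Start": 2,
                  "ObjectName": "NT AUTHORITY\\LocalService"},
}

# Constructed current snapshot with one change of each kind the page describes.
CURRENT = {
    # Recovery command added to an existing service (runs when the service fails).
    "Spooler": {"ImagePath": "C:\\Windows\\System32\\spoolsv.exe", "Start": 2,
                "ObjectName": "LocalSystem", "FailureCommand": "C:\\Users\\Public\\r.exe"},
    # Disabled service re-enabled for automatic start.
    "RemoteRegistry": {"ImagePath": "C:\\Windows\\System32\\svchost.exe -k localService",
                       "Start": 2, "ObjectName": "NT AUTHORITY\\LocalService"},
    # Existing service repointed at another binary and switched to SYSTEM.
    "AcmeAgent": {"ImagePath": "C:\\ProgramData\\agent.exe", "Start": 2,
                  "ObjectName": "LocalSystem"},
    # Brand-new service with a name chosen to look like a security component.
    "WinDefendHelper": {"ImagePath": "C:\\Users\\Public\\wdh.exe", "Start": 2,
                        "ObjectName": "LocalSystem"},
}


def fmt(value_name, value):
    """Render a watched value for a finding, naming Start types."""
    if value is None:
        return "<unset>"
    if value_name == "Start":
        return START_TYPES.get(value, str(value))
    return str(value)


def rate(value_name, old, new):
    """Severity rules (assumed for the example): a swapped binary, a recovery
    command, or a switch to SYSTEM is high; enabling a disabled service is
    medium; everything else is low."""
    if value_name == "ImagePath":
        return "high"
    if value_name == "FailureCommand" and new is not None:
        return "high"
    if value_name == "ObjectName" and str(new).lower() == "localsystem":
        return "high"
    if value_name == "Start" and old == 4 and new in (0, 1, 2):
        return "medium"
    return "low"


def describe(config):
    """One-line summary of a service's configuration."""
    return (f"{config.get('ImagePath')} ({fmt('Start', config.get('Start'))}, "
            f"{config.get('ObjectName')})")


def diff_services(baseline, current):
    """Return a list of findings for services created, removed or modified
    between the two snapshots, in service-name order."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        before, after = baseline.get(name), current.get(name)
        if before is None:
            findings.append({"Service": name, "Change": "created",
                             "Detail": describe(after), "Severity": "high"})
            continue
        if after is None:
            findings.append({"Service": name, "Change": "removed",
                             "Detail": describe(before), "Severity": "low"})
            continue
        for value_name in WATCHED_VALUES:
            old, new = before.get(value_name), after.get(value_name)
            if old != new:
                findings.append({"Service": name, "Change": f"{value_name} modified",
                                 "Detail": f"{fmt(value_name, old)} -> {fmt(value_name, new)}",
                                 "Severity": rate(value_name, old, new)})
    return findings


if __name__ == "__main__":
    for f in diff_services(BASELINE, CURRENT):
        print(f"{f['Severity']:6} {f['Service']:16} {f['Change']:22} {f['Detail']}")
```

Against the constructed snapshots the diff reports five findings: the repointed AcmeAgent binary and its new SYSTEM account, RemoteRegistry moving from disabled to auto start, the recovery command added to Spooler, and the new WinDefendHelper service. The Spooler case is worth noting because the service's ImagePath is untouched; a monitor that watches only the executable path misses recovery commands, which the technique description lists alongside it as part of the stored configuration.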