T1543.003 Windows Service Mappings

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg.

Adversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system.

An adversary may also incorporate Masquerading by using a service name from a related operating system or benign software, or by modifying existing services to make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.

Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution.
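The description above gives a defender four concrete things to look at when a service is created or modified: where the service binary lives, whether the ImagePath is really an interpreter command line, whether a well-known service name now points at an unexpected binary (the masquerading case), and whether an unquoted path with spaces has been registered. The following Python script, added here as an example and not part of the ATT&CK page or the mappings project, applies those checks to records shaped like Service Control Manager Event ID 7045 ("A service was installed in the system"). The baseline dictionary, the directory list and the sample events are constructed for illustration; a real baseline would come from a golden image, which is the kind of control the CM-2 and SI-4 rows in the mappings table point at.

```python
"""Triage Windows service installation records for T1543.003 indicators.

Added example, not part of the ATT&CK page or the mappings project.
Input records are shaped like System log Event ID 7045 (Service Control
Manager, "A service was installed in the system"); the samples are constructed.
"""
import re

# Directories a legitimate service binary is almost never started from.
USER_WRITABLE_DIRS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\windows\\temp\\")
# Interpreters and script hosts: an ImagePath naming one of these is a command line, not a service binary.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Constructed baseline of expected binaries for well-known service names (derive from a golden image in practice).
BASELINE = {
    "wuauserv": r"c:\windows\system32\svchost.exe",
    "spooler": r"c:\windows\system32\spoolsv.exe",
    "winmgmt": r"c:\windows\system32\svchost.exe",
}
ENV_VARS = {"%systemroot%": r"c:\windows", "%windir%": r"c:\windows", "%programdata%": r"c:\programdata"}


def normalize(image_path: str) -> str:
    """Lower-case the ImagePath and expand the environment variables the SCM commonly sees."""
    p = image_path.strip().lower()
    for var, value in ENV_VARS.items():
        p = p.replace(var, value)
    return p


def executable_of(norm_path: str) -> str:
    """Return the binary named by a normalized ImagePath: a quoted token, an unquoted
    *.exe/*.sys/*.dll path (which may contain spaces), or the first whitespace token."""
    m = re.match(r'"([^"]+)"|(.+?\.(?:exe|sys|dll))(?=\s|$)|(\S+)', norm_path)
    return next((g for g in m.groups() if g), "") if m else ""


def assess(event: dict) -> list[str]:
    """Return the reasons a 7045-style record looks suspicious (empty list = nothing found)."""
    reasons = []
    name = event.get("ServiceName", "").strip().lower()
    norm = normalize(event.get("ImagePath", ""))
    exe = executable_of(norm)
    basename = exe.rsplit("\\", 1)[-1]
    if any(d in norm for d in USER_WRITABLE_DIRS):
        reasons.append("binary or argument under a user-writable directory")
    if basename in INTERPRETERS:
        reasons.append(f"ImagePath runs an interpreter ({basename})")
    if name in BASELINE and exe != BASELINE[name]:
        reasons.append(f"known service name '{name}' with unexpected binary {exe}")
    if not norm.startswith('"') and " " in exe:
        reasons.append("unquoted image path containing spaces")
    return reasons


def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (service name, reasons) for every flagged record; clean records are omitted."""
    return [(ev["ServiceName"], assess(ev)) for ev in events if assess(ev)]


# Constructed sample records; only the fields the checks use are included.
SAMPLE_EVENTS = [
    {"ServiceName": "wuauserv", "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs -p",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "WindowsUpdateSvc", "ImagePath": r"C:\Users\Public\update.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "wuauserv", "ImagePath": r"C:\ProgramData\svchost.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "Helper", "ImagePath": r"cmd.exe /c powershell.exe -File C:\Users\Public\run.ps1",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "Backup Agent", "ImagePath": r"C:\Program Files\Backup Agent\agent.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "BackupAgent", "ImagePath": r'"C:\Program Files\Backup Agent\agent.exe" --service',
     "StartType": "auto start", "AccountName": "LocalSystem"},
]

if __name__ == "__main__":
    for service, why in triage(SAMPLE_EVENTS):
        print(f"{service}: {'; '.join(why)}")
```

The two "Backup Agent" records show why the quoting check matters: the same binary path is clean when the ImagePath is quoted and flagged when it is not. The masquerading check only compares against names the baseline knows, so it reports the second `wuauserv` record but says nothing about the look-alike name `WindowsUpdateSvc`; that one is caught only because its binary sits under `C:\Users`.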

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-17 | Remote Access | Protects | T1543.003 | Windows Service |
| AC-2 | Account Management | Protects | T1543.003 | Windows Service |
| AC-3 | Access Enforcement | Protects | T1543.003 | Windows Service |
| AC-5 | Separation of Duties | Protects | T1543.003 | Windows Service |
| AC-6 | Least Privilege | Protects | T1543.003 | Windows Service |
| CA-8 | Penetration Testing | Protects | T1543.003 | Windows Service |
| CM-11 | User-installed Software | Protects | T1543.003 | Windows Service |
| CM-2 | Baseline Configuration | Protects | T1543.003 | Windows Service |
| CM-5 | Access Restrictions for Change | Protects | T1543.003 | Windows Service |
| CM-6 | Configuration Settings | Protects | T1543.003 | Windows Service |
| CM-7 | Least Functionality | Protects | T1543.003 | Windows Service |
| IA-2 | Identification and Authentication (Organizational Users) | Protects | T1543.003 | Windows Service |
| IA-4 | Identifier Management | Protects | T1543.003 | Windows Service |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1543.003 | Windows Service |
| SI-4 | System Monitoring | Protects | T1543.003 | Windows Service |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1543.003 | Create or Modify System Process: Windows Service |
| action.malware.variety.RAT | Remote Access Trojan. Parent of 'Backdoor' and 'Trojan' | related-to | T1543.003 | Create or Modify System Process: Windows Service |