PT Network Attack Discovery

Helps reconstruct the attack timeline and understand the sources and scale of threats

T1543: Create or Modify System Process

Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters.

Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect.

Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.

Positive Technologies products that cover the technique

Detection

To detect creation and modification of services, PT NAD has several detection rules and a special module.

Examples of PT NAD detection rules

  • ATTACK AD [PTsecurity] SCM Create remote service (sid 10004786)
  • ATTACK [PTsecurity] WMI Service Create (sid 10008740)

PT NAD detection modules

  • Remote creation or modification of Windows services

Detection

ID: DS0019
Data source and component: Service: Service Modification
Description: Monitor for changes to system processes that do not correlate with known software, patch cycles, etc., including by comparing results against a trusted system baseline.

ID: DS0027
Data source and component: Driver: Driver Load
Description: Monitor for new service driver installations and loads (ex: Sysmon Event ID 6) that are not part of known software update/patch cycles.

ID: DS0032
Data source and component: Container: Container Creation
Description: Monitor for newly constructed containers that repeatedly execute malicious payloads as part of persistence or privilege escalation.

ID: DS0009
Data source and component: Process: Process Creation
Description: New, benign system processes may be created during installation of new software.

ID: DS0009
Data source and component: Process: OS API Execution
Description: Monitor for API calls that may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.

ID: DS0024
Data source and component: Windows Registry: Windows Registry Key Modification
Description: Monitor for changes to Windows registry keys and/or values that may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.

ID: DS0017
Data source and component: Command: Command Execution
Description: Command-line invocation of tools capable of modifying services may be unusual, depending on how systems are typically used in a particular environment. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques.

ID: DS0024
Data source and component: Windows Registry: Windows Registry Key Creation
Description: Monitor for newly constructed Windows registry keys that may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.

ID: DS0022
Data source and component: File: File Modification
Description: Monitor for changes to files associated with system-level processes.

ID: DS0022
Data source and component: File: File Creation
Description: Monitor for newly constructed files that may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.

ID: DS0019
Data source and component: Service: Service Creation
Description: Monitor for newly constructed services/daemons that may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.
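The two service data sources (Service Creation and Service Modification) and the Driver Load data source above all describe the same analytic pattern: compare observed events against a trusted baseline or a known patch cycle and flag what does not correlate. The script below is an added illustration of that pattern; it is not PT NAD code or MITRE code. The service baseline, the approved driver hashes, the event field names "name" and "image", and every path and hash value are constructed for the example; the driver fields ImageLoaded, Hashes, Signed and SignatureStatus follow Sysmon Event ID 6 naming.

```python
"""Baseline comparison for T1543 telemetry (added example, constructed data).

Covers two data sources from the detection list:
  * Service: Service Creation / Service Modification, checked against a
    trusted service baseline;
  * Driver: Driver Load (Sysmon Event ID 6), checked against driver hashes
    approved during a known patch cycle.
"""
from dataclasses import dataclass

# Trusted baseline: service name -> image path captured from a known-good host
# (constructed sample values).
SERVICE_BASELINE = {
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "W32Time": r"C:\Windows\System32\svchost.exe -k LocalService",
}

# Driver hashes approved in the last patch cycle (constructed placeholder hash).
APPROVED_DRIVER_HASHES = {
    "SHA256=" + "AA" * 32,
}


@dataclass(frozen=True)
class Finding:
    host: str
    reason: str
    detail: str


def check_service_event(event, baseline=SERVICE_BASELINE):
    """Service creation/modification record vs. the baseline.

    Returns a Finding when the service is unknown to the baseline (creation)
    or its image path differs from the recorded one (modification), else None.
    The field names 'name' and 'image' are assumptions for this example.
    """
    name, image, host = event["name"], event["image"], event["host"]
    expected = baseline.get(name)
    if expected is None:
        return Finding(host, "service-not-in-baseline", f"{name} -> {image}")
    if image.lower() != expected.lower():
        return Finding(host, "service-image-changed",
                       f"{name}: baseline {expected!r}, now {image!r}")
    return None


def check_driver_load(event, approved=APPROVED_DRIVER_HASHES):
    """Sysmon Event ID 6 record vs. the approved driver hashes.

    An unsigned driver, or one whose signature did not validate, is always
    reported; a validly signed driver is reported only when its hash is not
    part of the approved patch cycle.
    """
    host = event["host"]
    if (event.get("Signed", "false").lower() != "true"
            or event.get("SignatureStatus") != "Valid"):
        return Finding(host, "unsigned-or-invalid-driver", event["ImageLoaded"])
    if event["Hashes"] not in approved:
        return Finding(host, "driver-outside-patch-cycle",
                       f"{event['ImageLoaded']} {event['Hashes']}")
    return None


def triage(events):
    """Route each event to the matching check and collect the findings."""
    findings = []
    for ev in events:
        if ev["type"] == "service":
            f = check_service_event(ev)
        elif ev["type"] == "driver" and ev.get("EventID") == 6:
            f = check_driver_load(ev)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


# Constructed sample telemetry from one host.
SAMPLE_EVENTS = [
    {"type": "service", "host": "ws01", "name": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},          # matches baseline
    {"type": "service", "host": "ws01", "name": "Spooler",
     "image": r"C:\Users\Public\spoolsv.exe"},              # image path changed
    {"type": "service", "host": "ws01", "name": "UpdaterSvc",
     "image": r"C:\ProgramData\updater.exe"},               # not in baseline
    {"type": "driver", "host": "ws01", "EventID": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\known.sys",
     "Hashes": "SHA256=" + "AA" * 32, "Signed": "true",
     "SignatureStatus": "Valid"},                           # approved
    {"type": "driver", "host": "ws01", "EventID": 6,
     "ImageLoaded": r"C:\Windows\Temp\newdrv.sys",
     "Hashes": "SHA256=" + "BB" * 32, "Signed": "true",
     "SignatureStatus": "Valid"},                           # signed, not approved
    {"type": "driver", "host": "ws01", "EventID": 6,
     "ImageLoaded": r"C:\Windows\Temp\loader.sys",
     "Hashes": "SHA256=" + "CC" * 32, "Signed": "false",
     "SignatureStatus": "Unavailable"},                     # unsigned
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host}: {f.reason}: {f.detail}")
```

Run against the sample events, the script reports four findings: the changed Spooler image path, the unknown UpdaterSvc service, the signed driver whose hash is outside the patch cycle, and the unsigned driver. The baseline and the approved-hash set are the parts to maintain per environment; the checks themselves are only as good as the baseline they are compared against, which is why DS0019 ties detection to "a trusted system baseline".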

Mitigation

ID: M1018
Name: User Account Management
Description: Limit privileges of user accounts and groups so that only authorized administrators can interact with system-level process changes and service configurations.

ID: M1022
Name: Restrict File and Directory Permissions
Description: Restrict read/write access to system-level process files to only select privileged users who have a legitimate need to manage system services.

ID: M1026
Name: Privileged Account Management
Description: Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

ID: M1028
Name: Operating System Configuration
Description: Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed.

ID: M1033
Name: Limit Software Installation
Description: Restrict software installation to trusted repositories only and be cautious of orphaned software packages.

ID: M1040
Name: Behavior Prevention on Endpoint
Description: On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system. On Windows 10 and 11, enable Microsoft Vulnerable Driver Blocklist to assist in hardening against third-party-developed drivers.

ID: M1045
Name: Code Signing
Description: Enforce registration and execution of only legitimately signed service drivers where possible.

ID: M1047
Name: Audit
Description: Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them.

ID: M1054
Name: Software Configuration
Description: Where possible, consider enforcing the use of container services in rootless mode to limit the possibility of privilege escalation or malicious effects on the host running the container.