MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1543.003: Windows Service

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.

Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API.

Adversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: .sys) to disk, the payload can be loaded and registered via Native API functions such as CreateServiceW() (or manually via functions such as ZwLoadDriver() and ZwSetValueKey()), by creating the required service Registry values (i.e. Modify Registry), or by using command-line utilities such as PnPUtil.exe. Adversaries may leverage these drivers as Rootkits to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver" (BYOVD)) as part of Exploitation for Privilege Escalation.

Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through Service Execution.

To make detection analysis more challenging, malicious services may also incorporate Masquerade Task or Service (ex: using a service and/or payload name related to a legitimate OS or benign software component). Adversaries may also create ‘hidden’ services (i.e., Hide Artifacts), for example by using the sc sdset command to set service permissions via the Service Descriptor Definition Language (SDDL). This may hide a Windows service from the view of standard service enumeration methods such as Get-Service, sc query, and services.exe.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_execution: PT-CR-257: Windows_Service_Installed: An attempt to install a new service from non-system Windows directories is detected
hacking_tools: PT-CR-523: Remote_Connection_through_SMBEXEC_WinXP: Detection of attempts to exploit SMBExec for persistence
mitre_attck_lateral_movement: PT-CR-1752: Service_From_Remote_File_Creation: A service was created from a network directory
mitre_attck_lateral_movement: PT-CR-1981: SVCCTL_Connection: Remote connection to the Service Control Manager via svcctl that allows remote management of Windows services
mitre_attck_lateral_movement: PT-CR-226: Remoting_Impacket_PsExec: Remote code execution using Impacket PsExec is detected
mitre_attck_lateral_movement: PT-CR-589: Remoting_SysInternals_PsExec: Remote code execution using Sysinternals Suite PsExec is detected
mitre_attck_lateral_movement: PT-CR-785: Modify_and_Start_Remote_Service: An attempt to use code execution or lateral movement by changing a system service startup command is detected
mitre_attck_execution: PT-CR-217: Execute_PSEXEC: Detection of attempts to start the administrative utility PsExec or similar utilities
hacking_tools: PT-CR-1355: Sliver_GetSystem: Remote execution of the Sliver GetSystem command from the C2 framework Sliver is detected
hacking_tools: PT-CR-1356: Sliver_PsExec: Sliver PsExec module start from the C2 framework Sliver is detected
hacking_tools: PT-CR-1838: NimExec_Activity: The activity of the NimExec tool used to remotely execute commands is detected
mitre_attck_execution: PT-CR-778: Hidden_Service_Create: Creation of a hidden service from the registry without using the CreateService function is detected
mitre_attck_persistence: PT-CR-271: Service_Created_or_Modified: An attempt to perform operations on Microsoft Windows services using the command line or PowerShell is detected
hacking_tools: PT-CR-752: Cobalt_Strike_Psexec_Jump: Lateral movement using Cobalt Strike's PSexec is detected
mitre_attck_cred_access: PT-CR-1363: Masky_Tool_Usage: The use of the Masky tool is detected. Masky tool is designed to obtain NT hashes and TGT of users working on attacked hosts in order to request certificates on their behalf.

Detection

IDDS0019Data source and componentService: Service ModificationDescription

Monitor for changes made to Windows services to repeatedly execute malicious payloads as part of persistence.

IDDS0027Data source and componentDriver: Driver LoadDescription

Monitor for new service driver installations and loads (ex: Sysmon Event ID 6) that are not part of known software update/patch cycles.

Note: Sysmon Event ID 6 (driver load) provides information on whether the loaded driver was signed with a valid signature (via the Signature and SignatureStatus fields). As such, one way to help reduce the volume of alerts and false positives associated with this event is to filter and exclude any driver load events signed by common and legitimate publishers like Microsoft.

IDDS0029Data source and componentNetwork Traffic: Network Traffic FlowDescription

Monitor for several ways that code can execute on a remote host. One of the most common methods is via the Windows Service Control Manager (SCM), which allows authorized users to remotely create and modify services. Several tools, such as PsExec, use this functionality.

When a client remotely communicates with the Service Control Manager, there are two observable behaviors. First, the client connects to the RPC Endpoint Mapper over 135/tcp. This handles authentication, and tells the client what port the endpoint—in this case the SCM—is listening on. Then, the client connects directly to the listening port on services.exe. If the request is to start an existing service with a known command line, the the SCM process will run the corresponding command.

This compound behavior can be detected by looking for services.exe receiving a network connection and immediately spawning a child process.

IDDS0009Data source and componentProcess: Process CreationDescription

Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

Windows runs the Service Control Manager (SCM) within the process services.exe. Windows launches services as independent processes or DLL loads within a svchost.exe group. To be a legitimate service, a process (or DLL) must have the appropriate service entry point SvcMain. If an application does not have the entry point, then it will timeout (default is 30 seconds) and the process will be killed.

To survive the timeout, adversaries and red teams can create services that direct to cmd.exe with the flag /c, followed by the desired command. The /c flag causes the command shell to run a command and immediately exit. As a result, the desired program will remain running and it will report an error starting the service. This analytic will catch that command prompt instance that is used to launch the actual malicious executable. Additionally, the children and descendants of services.exe will run as a SYSTEM user by default.

Note: Create a baseline of services seen over the last 30 days and a list of services seen today. Remove services in the baseline from services seen today, leaving a list of new services. Returns all processes named cmd.exe that have services.exe as a parent process. Because this should never happen, the /c flag is redundant in the search.

Analytic 2 - Services launching CMD

(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") Image="*cmd.exe" and ParantImage="*services.exe"

IDDS0009Data source and componentProcess: OS API ExecutionDescription

Monitor for API calls that may create or modify Windows services (ex: CreateServiceW()) to repeatedly execute malicious payloads as part of persistence.

IDDS0024Data source and componentWindows Registry: Windows Registry Key ModificationDescription

Look for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at HKLM\SYSTEM\CurrentControlSet\Services. Changes to the binary path and the service startup type changed from manual or disabled to automatic, if it does not typically do so, may be suspicious. Tools such as Sysinternals Autoruns may also be used to detect system service changes that could be attempts at persistence.

Analytic 1 - Modification of the HKLM\System\CurrentControlSet\Services Registry key

(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode IN (13, 14) EventType= "SetValue" TargetObject="HKLM\System\CurrentControlSet\Services*" | where RegistryKeyPath LIKE "%ImagePath%" OR RegistryKeyPath LIKE "%Type%" OR RegistryKeyPath LIKE "%DisplayName%" OR RegistryKeyPath LIKE "%Objectname%"

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor processes and command-line arguments for actions that could create or modify services. Command-line invocation of tools capable of adding or modifying services may be unusual, depending on how systems are typically used in a particular environment. Services may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data. Also collect service utility execution and service binary path arguments used for analysis. Service binary paths may even be changed to execute commands or scripts.

IDDS0024Data source and componentWindows Registry: Windows Registry Key CreationDescription

Monitor for new constructed windows registry keys that may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.

Analytic 1 - Creation of the HKLM\System\CurrentControlSet\Services Registry key

source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="12" TargetObject="HKLM\System\CurrentControlSet\Services*"

IDDS0019Data source and componentService: Service CreationDescription

Creation of new services may generate an alterable event (ex: Event ID 4697 and/or 7045 ), especially those associated with unknown/abnormal drivers. New, benign services may be created during installation of new software.

Analytic 1 - Creation of new services with unusual directory paths such as temporal files in APPDATA

(source="*WinEventLog:Security" EventCode="4697") OR (source="*WinEventLog:System" EventCode="7045") | where ServiceFilePath LIKE "%APPDATA%" OR ServiceImage LIKE "%PUBLIC%"

IDDS0022Data source and componentFile: File MetadataDescription

Adversaries may modify the binary file for an existing service to achieve Persistence while potentially Defense Evasion. If a newly created or modified runs as a service, it may indicate APT activity. However, services are frequently installed by legitimate software. A well-tuned baseline is essential to differentiating between benign and malicious service modifications. Look for events where a file was created and then later run as a service. In these cases, a new service has been created or the binary has been modified. Many programs, such as msiexec.exe, do these behaviors legitimately and can be used to help validate legitimate service creations/modifications.

Mitigation

IDM1040NameBehavior Prevention on EndpointDescription

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system. On Windows 10 and 11, enable Microsoft Vulnerable Driver Blocklist to assist in hardening against third party-developed service drivers.

IDM1028NameOperating System ConfigurationDescription

Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed.

IDM1047NameAuditDescription

Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them.

IDM1045NameCode SigningDescription

Enforce registration and execution of only legitimately signed service drivers where possible.

IDM1018NameUser Account ManagementDescription

Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations.