T1569: System Services

Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary execution.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Subtechniques

Detection

IDDS0024Data source and componentWindows Registry: Windows Registry Key ModificationDescription

Monitor for changes made to windows registry keys and/or values that may abuse system services or daemons to execute commands or programs.

IDDS0009Data source and componentProcess: Process CreationDescription

Monitor newly executed processes that may abuse system services or daemons to execute commands or programs.

IDDS0019Data source and componentService: Service CreationDescription

Monitor for newly constructed services/daemons to execute commands or programs.

IDDS0022Data source and componentFile: File ModificationDescription

Monitor for changes made to files that may abuse system services or daemons to execute commands or programs.

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor for command line invocations of tools capable of modifying services that doesn’t correspond to normal usage patterns and known software, patch cycles, etc.

Mitigation

IDM1026NamePrivileged Account ManagementDescription

Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level.

IDM1018NameUser Account ManagementDescription

Prevent users from installing their own launch agents or launch daemons.

IDM1040NameBehavior Prevention on EndpointDescription

On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by PsExec from running.

IDM1022NameRestrict File and Directory PermissionsDescription

Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.