Description
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots, the Service Control Manager (SCM) starts programs called services that perform background system functions.(Citation: TechNet Services) Service configuration, including the path to the service's executable (the `ImagePath` value), the `Parameters\ServiceDll` of an svchost-hosted service, and any recovery programs or commands, is stored in the Windows Registry under `HKLM\SYSTEM\CurrentControlSet\Services\<service name>`.
Adversaries may install a new service or modify an existing one to execute at startup in order to persist on a system. Service configurations can be set or modified with system utilities (`sc.exe create` and `sc.exe config`, or the PowerShell `New-Service` and `Set-Service` cmdlets), by writing the Registry values directly, or by calling the service control API (`CreateService`, `ChangeServiceConfig`) from code.
Adversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: .sys) to disk, the payload can be registered and loaded as a kernel driver service through the service control API (`CreateServiceW()`), through Native API functions that bypass the SCM (writing the service key with `ZwSetValueKey()` and loading it with `ZwLoadDriver()`), by creating the required service Registry values by hand (i.e. Modify Registry), or with command-line utilities such as PnPUtil.exe.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as Rootkits to hide the presence of malicious activity on a system. Adversaries may also load a signed but vulnerable driver onto a compromised machine ("Bring Your Own Vulnerable Driver", BYOVD) as part of Exploitation for Privilege Escalation.(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020)
Creating or reconfiguring a service requires administrator rights, but the service itself runs in the account configured for it, which for `sc.exe create` defaults to LocalSystem, so an adversary may also use a service to escalate from administrator to SYSTEM. Adversaries may also directly start services through Service Execution.
To make detection analysis more challenging, malicious services may also incorporate Masquerade Task or Service (ex: using a service and/or payload name related to a legitimate OS or benign software component). Adversaries may also create 'hidden' services (i.e., Hide Artifacts), for example by using the `sc sdset` command to rewrite the service's security descriptor, expressed in Security Descriptor Definition Language (SDDL), with deny ACEs that withhold query rights from administrators and interactive users. This hides the Windows service from standard enumeration methods such as Get-Service, `sc query`, and the services.msc console, although the service keeps running, its Registry key remains, and `sc sdshow` on the name still returns the descriptor with the deny ACEs.(Citation: SANS 1)(Citation: SANS 2)
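The hiding trick described above can be checked for from the defender's side. The following Python is an added example, not code from the ATT&CK page or from any of its cited sources: it parses the DACL of a service security descriptor in the SDDL form that `sc sdshow <name>` prints, flags deny ACEs that strip the query rights (LC, SERVICE_QUERY_STATUS, and CC, SERVICE_QUERY_CONFIG) from the principals administrative tooling runs as, and reconciles a set of service names read from the Services Registry key against what the SCM enumerates. The two SDDL strings and the two name sets are constructed for the example (the "default" descriptor is modeled on the DACL Windows commonly assigns to a new service); on a real host you would feed the script the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services`, `sc query type= all` and `sc sdshow`.

```python
"""Hidden-service checks for T1543.003.

Added example, not code from the ATT&CK page or its cited sources.
Parses the DACL portion of a service security descriptor in SDDL form
(the string `sc sdshow <service>` prints), flags deny ACEs that remove
the query rights ordinary enumeration needs, and reconciles registry
service names against the SCM's view. All inputs below are constructed.
"""
import re
from dataclasses import dataclass

# Service-specific access right abbreviations used in service SDDL strings.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Principals that sc query / Get-Service / services.msc typically run as.
ENUMERATING_TRUSTEES = {"BA", "IU", "SU", "WD"}
# Rights an enumerator needs in order to list and describe a service.
QUERY_RIGHTS = {"LC", "CC"}

DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")   # "D:" + optional flags + ACEs
ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass(frozen=True)
class Ace:
    ace_type: str    # "A" allow, "D" deny
    rights: tuple    # two-letter right codes, e.g. ("DC", "LC", "WP")
    trustee: str     # SID abbreviation such as "BA", or a literal S-1-... SID


def parse_dacl(sddl: str) -> list:
    """Return the ACEs in the DACL (D:) section of an SDDL string."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")        # type;flags;rights;objguid;inhguid;sid
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        codes = fields[2]
        rights = tuple(codes[i:i + 2] for i in range(0, len(codes), 2))
        aces.append(Ace(fields[0], rights, fields[5]))
    return aces


def hiding_aces(sddl: str) -> list:
    """Deny ACEs that withhold query rights from the principals that
    enumerate services; a service carrying these keeps running but drops
    out of sc query and Get-Service output."""
    return [a for a in parse_dacl(sddl)
            if a.ace_type == "D"
            and a.trustee in ENUMERATING_TRUSTEES
            and QUERY_RIGHTS & set(a.rights)]


def hidden_services(registry_names: set, scm_names: set) -> set:
    """Names present under HKLM\\SYSTEM\\CurrentControlSet\\Services but
    missing from the SCM enumeration (sc query type= all)."""
    return set(registry_names) - set(scm_names)


# Constructed: the DACL Windows commonly assigns to a newly created service.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Constructed: the same descriptor after deny ACEs of the kind an adversary
# sets with `sc sdset` are prepended (deny ACEs precede allow ACEs).
HIDDEN_SDDL = ("D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)"
               "(D;;DCLCWPDTSD;;;BA)" + DEFAULT_SDDL[len("D:"):])

# Constructed: names read from the Services Registry key versus the SCM's
# enumeration on the same host.
REGISTRY_NAMES = {"Spooler", "WSearch", "EventLog", "DriverHelperSvc"}
SCM_NAMES = {"Spooler", "WSearch", "EventLog"}


def report(sddl_by_name: dict, registry_names: set, scm_names: set) -> dict:
    """Run both checks: {"dacl": {name: [denied trustees]}, "missing": set}."""
    dacl = {name: [a.trustee for a in hiding_aces(s)]
            for name, s in sddl_by_name.items() if hiding_aces(s)}
    return {"dacl": dacl, "missing": hidden_services(registry_names, scm_names)}


if __name__ == "__main__":
    print(report({"Spooler": DEFAULT_SDDL, "DriverHelperSvc": HIDDEN_SDDL},
                 REGISTRY_NAMES, SCM_NAMES))
```

The Registry-versus-SCM comparison comes first in practice: a hidden service never appears in `sc query`, so its name has to come from the Services key before `sc sdshow` can be run against it. A Registry subkey without a `Type` value is not a service, so filter those out before building the registry set on a real host.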
Platforms
Windows
Mitigations (5)
M1040: Behavior Prevention on Endpoint
On Windows 10, enable the Attack Surface Reduction (ASR) rule that blocks abuse of exploited vulnerable signed drivers, so that an application cannot write such a driver to the system.(Citation: Malicious Driver Reporting Center) On Windows 10 and 11, enable the Microsoft Vulnerable Driver Blocklist to harden against third-party service drivers.(Citation: Microsoft driver block rules)
M1028: Operating System Configuration
Ensure that Driver Signature Enforcement is enabled so that unsigned drivers cannot be loaded.
M1047: Audit
Use auditing tools capable of detecting opportunities for privilege and service abuse (for example, service binaries or service Registry keys writable by non-administrators) on systems within the enterprise, and correct them.
M1045: Code Signing
Enforce registration and execution of only legitimately signed service drivers where possible.
M1018: User Account Management
Limit the privileges of user accounts and groups so that only authorized administrators can create services or change service configurations.
Threat Groups (26)
| ID | Group | Context |
|---|---|---|
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has installed a service pointing to a malicious DLL dropped to disk.(Citation: PWC KeyBoys Feb... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has used vulnerable or signed drivers to modify security solutions on victim devices.(Citation: ... |
| G0105 | DarkVishnya | [DarkVishnya](https://attack.mitre.org/groups/G0105) created new services for shellcode loaders distribution.(Citation: Securelist DarkVishnya Dec 201... |
| G0143 | Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) created new Windows services for persistence that masqueraded as legitimate Windows services vi... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has installed a new Windows service to establish persistence.(Citation: CISA AA20-239A BeagleBoyz Augus... |
| G0030 | Lotus Blossom | [Lotus Blossom](https://attack.mitre.org/groups/G0030) has configured tools such as [Sagerunex](https://attack.mitre.org/software/S1210) to run as Win... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) modified legitimate Windows services to install malware backdoors.(Citation: FireEye APT41 Aug 2019)(Ci... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has installed [TrickBot](https://attack.mitre.org/software/S0266) as a service named ControlSer... |
| G0108 | Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/groups/G0108) has made their XMRIG payloads persistent as a Windows Service.(Citation: RedCanary Mockingbi... |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has used malware that adds cryptocurrency miners as a service.(Citation: ATT TeamTNT Chimaera Septemb... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) modified multiple services on victim machines to enable encryption operations.(Citation: Symantec B... |
| G0073 | APT19 | An [APT19](https://attack.mitre.org/groups/G0073) Port 22 malware variant registers itself as a service.(Citation: Unit 42 C0d0so0 Jan 2016) |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027)'s malware can create a new service, sometimes naming it after the config information, to ga... |
| G0004 | Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) backdoor RoyalDNS established persistence through adding a service called <code>Nwsapagent</code>.(C... |
| G0056 | PROMETHIUM | [PROMETHIUM](https://attack.mitre.org/groups/G0056) has created new services and modified existing services for persistence.(Citation: Bitdefender Str... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used a compromised Domain Controller to create a service on a remote host.(Citation: Symantec Cram... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) modified Windows Services to ensure PowerShell scripts were loaded on the system. [APT32](https://attac... |
| G0008 | Carbanak | [Carbanak](https://attack.mitre.org/groups/G0008) malware installs itself as a service to provide persistence and SYSTEM privileges.(Citation: Kaspers... |
| G0022 | APT3 | [APT3](https://attack.mitre.org/groups/G0022) has a tool that creates a new service for persistence.(Citation: FireEye Operation Double Tap) |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) created new Windows services and added them to the startup directories for persistence.(Citation: FireEy... |
Associated Software (109)
| ID | Name | Type | Context |
|---|---|---|---|
| S1090 | NightClub | Malware | [NightClub](https://attack.mitre.org/software/S1090) has created a Windows service named `WmdmPmSp` to establish persistence.(Citation: MoustachedBoun... |
| S0604 | Industroyer | Malware | [Industroyer](https://attack.mitre.org/software/S0604) can use an arbitrary system service to load at system boot for persistence and replaces the Ima... |
| S1044 | FunnyDream | Malware | [FunnyDream](https://attack.mitre.org/software/S1044) has established persistence by running `sc.exe` and by setting the `WSearch` service to run auto... |
| S0141 | Winnti for Windows | Malware | [Winnti for Windows](https://attack.mitre.org/software/S0141) sets its DLL file as a new service in the Registry to establish persistence.(Citation: M... |
| S0625 | Cuba | Malware | [Cuba](https://attack.mitre.org/software/S0625) can modify services by using the <code>OpenService</code> and <code>ChangeServiceConfig</code> functio... |
| S0204 | Briba | Malware | [Briba](https://attack.mitre.org/software/S0204) installs a service pointing to a malicious DLL dropped to disk.(Citation: Symantec Briba May 2012) |
| S1033 | DCSrv | Malware | [DCSrv](https://attack.mitre.org/software/S1033) has created new services for persistence by modifying the Registry.(Citation: Checkpoint MosesStaff N... |
| S0612 | WastedLocker | Malware | [WastedLocker](https://attack.mitre.org/software/S0612) created and established a service that runs until the encryption process is complete.(Citation... |
| S0493 | GoldenSpy | Malware | [GoldenSpy](https://attack.mitre.org/software/S0493) has established persistence by running in the background as an autostart service.(Citation: Trust... |
| S0180 | Volgmer | Malware | [Volgmer](https://attack.mitre.org/software/S0180) installs a copy of itself in a randomly selected service, then overwrites the ServiceDLL entry in t... |
| S0149 | MoonWind | Malware | [MoonWind](https://attack.mitre.org/software/S0149) installs itself as a new service with automatic startup to establish persistence. The service chec... |
| S0050 | CosmicDuke | Malware | [CosmicDuke](https://attack.mitre.org/software/S0050) uses Windows services typically named "javamtsup" for persistence.(Citation: F-Secure Cosmicduke... |
| S0012 | PoisonIvy | Malware | [PoisonIvy](https://attack.mitre.org/software/S0012) creates a Registry subkey that registers a new service. [PoisonIvy](https://attack.mitre.org/soft... |
| S1037 | STARWHALE | Malware | [STARWHALE](https://attack.mitre.org/software/S1037) has the ability to create the following Windows service to establish persistence on an infected h... |
| S0230 | ZeroT | Malware | [ZeroT](https://attack.mitre.org/software/S0230) can add a new service to ensure [PlugX](https://attack.mitre.org/software/S0013) persists on the syst... |
| S0666 | Gelsemium | Malware | [Gelsemium](https://attack.mitre.org/software/S0666) can drop itself in `C:\Windows\System32\spool\prtprocs\x64\winprint.dll` as an alternative Print ... |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) can remotely create a temporary service on a target host.(Citation: NCC Group Black Basta June 2022) |
| S0608 | Conficker | Malware | [Conficker](https://attack.mitre.org/software/S0608) copies itself into the <code>%systemroot%\system32</code> directory and registers as a service.(C... |
| S0342 | GreyEnergy | Malware | [GreyEnergy](https://attack.mitre.org/software/S0342) chooses a service, drops a DLL file, and writes it to that serviceDLL Registry key.(Citation: ES... |
| S0387 | KeyBoy | Malware | [KeyBoy](https://attack.mitre.org/software/S0387) installs a service pointing to a malicious DLL dropped to disk.(Citation: Rapid7 KeyBoy Jun 2013) |
References
- Hardy, T. & Hall, J. (2018, February 15). Use Windows Event Forwarding to help with intrusion detection. Retrieved August 7, 2018.
- Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
- Joshua Wright. (2020, October 13). Retrieved March 22, 2024.
- Joshua Wright. (2020, October 14). Retrieved March 22, 2024.
- Microsoft. (n.d.). Services. Retrieved June 7, 2016.
- Miroshnikov, A. & Hall, J. (2017, April 18). 4697(S): A service was installed in the system. Retrieved August 7, 2018.
- Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
- Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021.
- Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.
- Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
Frequently Asked Questions
What is T1543.003 (Windows Service)?
T1543.003 is a MITRE ATT&CK technique named 'Windows Service'. It belongs to the Persistence and Privilege Escalation tactics. Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perfor...
How can T1543.003 be detected?
Detection of T1543.003 (Windows Service) rests on the artifacts every service install leaves. Collect service installation events: Security event 4697 (logged when the Audit Security System Extension subcategory is enabled) and System event 7045 from the Service Control Manager, both of which carry the service name, image path, service type and start type; Windows Event Forwarding can centralize them. Monitor creation and modification of keys under HKLM\SYSTEM\CurrentControlSet\Services, in particular the ImagePath, Start and Parameters\ServiceDll values, and command lines that invoke sc.exe create, config or sdset, or New-Service and Set-Service. Review findings for service binaries and drivers in user-writable locations, script hosts or encoded commands in the image path, svchost-hosted services whose DLL lives outside System32, names that imitate legitimate services, and service-creation RPC calls arriving from remote hosts. Periodically reconcile the Services Registry key against sc query and Get-Service output to surface hidden services, and baseline services with a tool such as Sysinternals Autoruns so new or changed entries stand out.
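To make the detection answer above concrete, the following Python is an added example (not code from the page or from any cited vendor): a triage pass over service-installation records in the shape of Security event 4697 and System event 7045 (ServiceName, ImagePath, ServiceType, StartType), optionally enriched with the `ServiceDll` value from the service's `Parameters` Registry key. It flags the patterns that recur in the software table on this page: binaries or drivers loaded from user-writable paths, script hosts or encoded commands in the ImagePath, and svchost-hosted services whose DLL lives outside System32. The sample records are constructed; the `ServiceDll` field is an enrichment the script assumes you add from the Registry, and `C:\Windows` is assumed as the install drive when expanding `%SystemRoot%`.

```python
"""Triage of Windows service-installation events (T1543.003).

Added example, not code from the ATT&CK page or any cited source.
Records carry the fields of Security event 4697 / System event 7045
(ServiceName, ImagePath, ServiceType, StartType); an optional ServiceDll
field is assumed to be added by the caller from the service's Parameters
Registry key. All sample records are constructed, not real telemetry.
"""
import re

TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# -e / -ec / -enc / -EncodedCommand switch followed by a payload.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+\S")


def first_token(image_path: str) -> str:
    """Executable part of an ImagePath: the quoted segment if quoted,
    otherwise text up to the first space. An unquoted path containing
    spaces is cut there, which makes it surface as an anomaly as well."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def normalize(path: str) -> str:
    """Lower-case, drop the \\??\\ native-path prefix, and expand
    %SystemRoot%, %windir% and \\SystemRoot to C:\\Windows (assumed)."""
    p = path.strip().strip('"').lower()
    if p.startswith("\\??\\"):
        p = p[len("\\??\\"):]
    for var in ("%systemroot%", "%windir%", "\\systemroot"):
        if p.startswith(var):
            p = "c:\\windows" + p[len(var):]
            break
    return p


def is_driver(record: dict) -> bool:
    """4697 reports ServiceType as a hex mask (0x1 kernel driver, 0x2 file
    system driver); 7045 reports text such as 'kernel mode driver'."""
    t = str(record.get("ServiceType", "")).lower()
    return t in ("0x1", "0x2") or "driver" in t


def triage(record: dict) -> list:
    """Reasons this service-install record deserves analyst attention."""
    findings = []
    raw = record["ImagePath"]
    binary = normalize(first_token(raw))
    basename = binary.rsplit("\\", 1)[-1]
    if basename in SCRIPT_HOSTS:
        findings.append(f"ImagePath runs a script host or LOLBin: {basename}")
    if ENCODED_RE.search(raw):
        findings.append("encoded PowerShell command in ImagePath")
    if is_driver(record):
        if not binary.startswith(DRIVER_DIR):
            findings.append(f"driver loaded from outside System32\\drivers: {binary}")
    elif not binary.startswith(TRUSTED_DIRS):
        findings.append(f"service binary outside system/program directories: {binary}")
    dll = record.get("ServiceDll")
    if basename == "svchost.exe" and dll and not normalize(dll).startswith(TRUSTED_DIRS):
        findings.append(f"svchost-hosted service with ServiceDll outside System32: {normalize(dll)}")
    return findings


def triage_all(records: list) -> dict:
    """Map ServiceName -> findings for every record that produced any."""
    out = {}
    for r in records:
        f = triage(r)
        if f:
            out[r["ServiceName"]] = f
    return out


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Spooler", "ServiceType": "user mode service",
     "StartType": "auto start", "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe"},
    {"EventID": 4697, "ServiceName": "WinUpdateSvc", "ServiceType": "0x10",
     "StartType": "2", "ImagePath": "C:\\Users\\Public\\update.exe"},
    {"EventID": 7045, "ServiceName": "HealthCheck", "ServiceType": "user mode service",
     "StartType": "auto start",
     "ImagePath": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 7045, "ServiceName": "WSearch", "ServiceType": "user mode service",
     "StartType": "auto start",
     "ImagePath": "%SystemRoot%\\System32\\svchost.exe -k LocalSystemNetworkRestricted",
     "ServiceDll": "C:\\ProgramData\\srv\\search.dll"},   # enrichment from the Registry (assumed)
    {"EventID": 4697, "ServiceName": "DriverHelper", "ServiceType": "0x1",
     "StartType": "3", "ImagePath": "\\??\\C:\\Windows\\Temp\\helper.sys"},
]

if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLE_EVENTS).items():
        print(name, "->", "; ".join(reasons))
```

The benign Spooler record produces no findings; the other four each produce at least one. The path checks are deliberately strict about location rather than name, because a masquerading service name (WSearch above) looks legitimate on its own and only the svchost ServiceDll enrichment exposes it; a real deployment would extend the trusted-directory list to the organization's own software paths.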
What mitigations exist for T1543.003?
There are 5 documented mitigations for T1543.003. Key mitigations include: Behavior Prevention on Endpoint, Operating System Configuration, Audit, Code Signing, User Account Management.
Which threat groups use T1543.003?
Known threat groups using T1543.003 include: Tropic Trooper, Medusa Group, DarkVishnya, Aquatic Panda, APT38, Lotus Blossom, APT41, Wizard Spider.