Description
Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.(Citation: TechNet Services) On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons)
Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect.
Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.(Citation: OSX Malware Detection)
Platforms
Sub-Techniques (5)
T1543.001 Launch Agent
T1543.002 Systemd Service
T1543.003 Windows Service
T1543.004 Launch Daemon
T1543.005 Container Service
Mitigations (9)
M1018 User Account Management
Limit privileges of user accounts and groups so that only authorized administrators can interact with system-level process changes and service configurations.
M1040 Behavior Prevention on Endpoint
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system.(Citation: Malicious Driver Reporting Center) On Windows 10 and 11, enable the Microsoft Vulnerable Driver Blocklist to assist in hardening against third-party-developed drivers.(Citation: Microsoft driver block rules)
M1033 Limit Software Installation
Restrict software installation to trusted repositories only and be cautious of orphaned software packages.
M1026 Privileged Account Management
Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root.
M1028 Operating System Configuration
Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed.
M1047 Audit
Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise, and correct them.
M1054 Software Configuration
Where possible, consider enforcing the use of container services in rootless mode to limit the possibility of privilege escalation or malicious effects on the host running the container.
M1022 Restrict File and Directory Permissions
Restrict read/write access to system-level process files to only select privileged users who have a legitimate need to manage system services.
M1045 Code Signing
Enforce registration and execution of only legitimately signed service drivers where possible.
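The following audit script is an added example, not code from MITRE ATT&CK or from any of the software listed on this page. It turns mitigation M1022 (restrict access to system-level process files) and the general detection advice into a concrete check for the Linux and macOS cases named in the description: it walks the directories that hold systemd unit files and launchd plists, flags definitions that are writable by group or other, that are not owned by the expected uid, or that launch a binary from an untrusted or non-owner-writable location. The directory list, the "untrusted" path prefixes, and the line-based parsing of unit files and plists are assumptions of this example; Windows services, which live in the registry, are not covered.

```python
import os
import stat
import tempfile
from pathlib import Path

# Definition files for system processes: systemd units on Linux, launchd plists on macOS.
SERVICE_SUFFIXES = (".service", ".timer", ".plist")

# Locations a service or daemon binary should not normally be launched from.
# This list is an assumption of this example, not guidance taken from the ATT&CK page.
UNTRUSTED_EXEC_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/Users/")

# Standard directories holding such definitions on the two platforms (assumed defaults).
DEFAULT_DIRECTORIES = (
    "/etc/systemd/system", "/usr/lib/systemd/system",
    "/Library/LaunchDaemons", "/Library/LaunchAgents",
)


def exec_paths(text):
    """Heuristically extract executables from a unit file (ExecStart*= lines) or a
    launchd plist (the first <string> after a Program/ProgramArguments key)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith(("ExecStart=", "ExecStartPre=", "ExecStartPost=")):
            cmd = s.split("=", 1)[1].strip().lstrip("-@+!:")  # drop systemd prefix chars
            if cmd:
                yield cmd.split()[0]
        elif s in ("<key>Program</key>", "<key>ProgramArguments</key>"):
            for nxt in lines[i + 1:i + 3]:  # the value may sit behind an <array> line
                nxt = nxt.strip()
                if nxt.startswith("<string>") and nxt.endswith("</string>"):
                    yield nxt[len("<string>"):-len("</string>")]
                    break


def group_or_other_writable(st):
    """True when the mode bits grant write access to group or other."""
    return bool(stat.S_IMODE(st.st_mode) & (stat.S_IWGRP | stat.S_IWOTH))


def audit_service_files(directories, expected_owner_uid=0):
    """Return (file, issue, detail) tuples for service definitions that violate
    M1022-style expectations. Symlinks (e.g. systemd *.wants entries) are skipped;
    their targets are audited when their own directory is in the list."""
    findings = []
    for d in directories:
        base = Path(d)
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*")):
            if path.is_symlink() or not path.is_file() or path.suffix not in SERVICE_SUFFIXES:
                continue
            st = path.lstat()
            if group_or_other_writable(st):
                findings.append((str(path), "writable by group/other", oct(stat.S_IMODE(st.st_mode))))
            if expected_owner_uid is not None and st.st_uid != expected_owner_uid:
                findings.append((str(path), "unexpected owner", str(st.st_uid)))
            for exe in exec_paths(path.read_text(errors="replace")):
                if exe.startswith(UNTRUSTED_EXEC_PREFIXES):
                    findings.append((str(path), "executable in untrusted location", exe))
                elif os.path.isfile(exe) and group_or_other_writable(os.stat(exe)):
                    findings.append((str(path), "executable is writable by group/other", exe))
    return findings


def demo():
    """Run the audit over a constructed sample tree (not real system files)."""
    root = Path(tempfile.mkdtemp(prefix="svc-audit-"))
    good = root / "good.service"
    good.write_text("[Service]\nExecStart=/usr/bin/true\n")
    good.chmod(0o644)
    bad = root / "bad.service"
    bad.write_text("[Service]\nExecStart=-/tmp/.x/run.sh --daemon\n")
    bad.chmod(0o666)  # unit file writable by anyone: a modified service waiting to happen
    plist = root / "bad.plist"
    plist.write_text(
        "<plist><dict>\n<key>Label</key><string>com.example.agent</string>\n"
        "<key>ProgramArguments</key>\n<array>\n<string>/Users/me/.hidden/agent</string>\n"
        "</array>\n</dict></plist>\n")
    plist.chmod(0o644)
    # Owner check disabled: the sample tree is created by the current (non-root) user.
    return audit_service_files([root], expected_owner_uid=None)


if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep="\t")
```

On a real host, call `audit_service_files(DEFAULT_DIRECTORIES)` as root and feed the findings into whatever inventory or SIEM pipeline tracks service changes; a finding is a reason to compare the file against its package-manager or MDM baseline, not proof of compromise, since locally built services legitimately live outside packaged paths.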
Associated Software (7)
| ID | Name | Type | Context |
|---|---|---|---|
| S1152 | IMAPLoader | Malware | [IMAPLoader](https://attack.mitre.org/software/S1152) modifies Windows tasks on the victim machine to reference a retrieved PE file through a path mod... |
| S1194 | Akira _v2 | Malware | [Akira _v2](https://attack.mitre.org/software/S1194) can create a child process for encryption.(Citation: CISA Akira Ransomware APR 2024) |
| S1184 | BOLDMOVE | Malware | [BOLDMOVE](https://attack.mitre.org/software/S1184) can free all resources and terminate itself on victim machines.(Citation: Google Cloud BOLDMOVE 20... |
| S0401 | Exaramel for Linux | Malware | [Exaramel for Linux](https://attack.mitre.org/software/S0401) has a hardcoded location that it uses to achieve persistence if the startup system is Up... |
| S9015 | BRICKSTORM | Malware | [BRICKSTORM](https://attack.mitre.org/software/S9015) has created a new background session and has spawned a child process of a parent process when it... |
| S1121 | LITTLELAMB.WOOLTEA | Malware | [LITTLELAMB.WOOLTEA](https://attack.mitre.org/software/S1121) can initialize itself as a daemon to run persistently in the background.(Citation: Mandi... |
| S1142 | LunarMail | Malware | [LunarMail](https://attack.mitre.org/software/S1142) can create an arbitrary process with a specified command line and redirect its output to a stagin... |
References
- Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.
- Microsoft. (n.d.). Services. Retrieved June 7, 2016.
- Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved November 17, 2024.
Frequently Asked Questions
What is T1543 (Create or Modify System Process)?
T1543 is a MITRE ATT&CK technique named 'Create or Modify System Process'. It belongs to the Persistence, Privilege Escalation tactic(s). Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform backgroun...
How can T1543 be detected?
Detection of T1543 (Create or Modify System Process) typically involves monitoring system logs and endpoint telemetry for the creation or modification of services, daemons, and agents, alongside network traffic. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1543?
There are 9 documented mitigations for T1543. Key mitigations include: User Account Management, Behavior Prevention on Endpoint, Limit Software Installation, Privileged Account Management, Operating System Configuration.
Which threat groups use T1543?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.