Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1557 | Adversary-in-the-Middle | Monitor for newly constructed services/daemons through Windows event logs for event IDs 4697 and 7045. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as remote logins or process creation events. |
| | .001 | LLMNR/NBT-NS Poisoning and SMB Relay | Monitor for newly constructed services/daemons through Windows event logs for event IDs 4697 and 7045. [3] Deploy an LLMNR/NBT-NS spoofing detection tool. [4] |
| ICS | T0830 | Adversary-in-the-Middle | Monitor for newly constructed services/daemons through Windows event logs for event IDs 4697 and 7045. |
| Enterprise | T1543 | Create or Modify System Process | Monitor for newly constructed services/daemons that may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. |
| | .001 | Launch Agent | Monitor Launch Agent creation through additional plist files and utilities such as Objective-See's KnockKnock application. |
| | .002 | Systemd Service | Monitor for newly constructed systemd services that repeatedly execute malicious payloads as part of persistence. |
| | .003 | Windows Service | Creation of new services may generate an alertable event (ex: Event ID 4697 and/or 7045 [5][6]), especially those associated with unknown/abnormal drivers. New, benign services may be created during installation of new software. Analytic 1 - Creation of new services with unusual directory paths such as temporary files in APPDATA |
| | .004 | Launch Daemon | Monitor for newly constructed services that may create or modify Launch Daemons to execute malicious payloads as part of persistence. |
| Enterprise | T1564 | Hide Artifacts | Monitor for newly constructed services/daemons that may attempt to hide artifacts associated with their behaviors to evade detection. |
| | .006 | Run Virtual Instance | Monitor for newly constructed services/daemons that may carry out malicious operations using a virtual instance to avoid detection. Consider monitoring for new Windows Services associated with virtualization software. |
| Enterprise | T1036 | Masquerading | Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. |
| | .004 | Masquerade Task or Service | Monitor for newly constructed services/daemons. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. |
| ICS | T0849 | Masquerading | Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. |
| Enterprise | T1569 | System Services | Track the creation of new services, which could indicate adversarial activity aimed at persistence or execution. Analytic 1 - Monitors service creation and modification activities |
| | .001 | Launchctl | Monitor the creation or modification of Launch Agents or Launch Daemons via the launchctl command. Analytic 1 - Create Service In Suspicious File Path |
| | .002 | Service Execution | Monitor newly constructed services that abuse the service control manager to execute malicious commands or payloads. Analytic 1 - Suspicious Service Creation |
Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1197 | BITS Jobs | BITS runs as a service and its status can be checked with the Sc query utility ( |
| Enterprise | T1574 | Hijack Execution Flow | Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data. |
| | .005 | Executable Installer File Permissions Weakness | Monitor for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques. |
| | .010 | Services File Permissions Weakness | Hashing of binaries and service executables could be used to detect replacement against historical data. |
| Enterprise | T1562 | Impair Defenses | Monitor contextual data about a service/daemon, which may include information such as name, service executable, and start type, that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
| | .001 | Disable or Modify Tools | Monitor for telemetry that provides context of security software services being disabled or modified. In cloud environments, monitor virtual machine logs for the status of cloud security agents. Spyware and malware remain a serious problem and Microsoft developed security services, Windows Defender and Windows Firewall, to combat this threat. In the event Windows Defender or Windows Firewall is turned off, administrators should correct the issue immediately to prevent the possibility of infection or further infection and investigate to determine if it was caused by a crash or by user manipulation. Note: Windows Event code 7036 from the System log identifies if a service has stopped or started. This analytic looks for "Windows Defender" or "Windows Firewall" that has stopped. Analytic 1 - User Activity from Stopping Windows Defensive Services |
| Enterprise | T1490 | Inhibit System Recovery | Monitor the status of services involved in system recovery. Note: For Windows, Event ID 7040 can be used to alert on changes to the start type of a service (e.g., going from enabled at startup to disabled) associated with system recovery. |
| Enterprise | T1036 | Masquerading | Monitor for contextual data about a service/daemon, which may include information such as name, service executable, start type, etc. |
| | .004 | Masquerade Task or Service | Monitor for changes made to services for unexpected modifications to names, descriptions, and/or start types. |
| Enterprise | T1021.006 | Remote Services: Windows Remote Management | Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior. |
| Enterprise | T1489 | Service Stop | Alterations to the service binary path or the service startup type changed to disabled may be suspicious. |
| ICS | T0881 | Service Stop | Alterations to the service binary path or the service startup type changed to disabled may be suspicious. |
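As an added example (not part of the ATT&CK page), the Python below applies three of the analytics described in the two tables above to constructed Windows System log records: a service created with its executable in a user-writable path (the T1543.003 / T1569 "suspicious file path" analytics), an EID 7036 stop of a defensive service (T1562.001), and an EID 7040 start type change to disabled for a recovery-related service (T1490). The record field names, the path pattern, and the service-name allowlists are assumptions chosen for illustration.

```python
import re

# Constructed sample records modelled on the System log events cited on this
# page (7045 service installed, 7036 state change, 7040 start type change).
# Field names are an assumption, not the real EVTX schema.
SAMPLE_EVENTS = [
    {"eid": 7045, "name": "Updater",
     "image_path": r"C:\Users\bob\AppData\Local\Temp\upd.exe", "start_type": "auto start"},
    {"eid": 7045, "name": "Print Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe", "start_type": "auto start"},
    {"eid": 7036, "name": "Windows Defender Antivirus Service", "state": "stopped"},
    {"eid": 7036, "name": "Windows Update", "state": "stopped"},
    {"eid": 7040, "name": "Volume Shadow Copy",
     "old_start": "demand start", "new_start": "disabled"},
    {"eid": 7040, "name": "Bluetooth Support Service",
     "old_start": "auto start", "new_start": "demand start"},
]

# User-writable locations where a legitimate service binary rarely lives (assumed list).
SUSPICIOUS_PATH = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)
# Service names to watch for the 7036 and 7040 analytics (assumed, environment-specific).
DEFENSIVE_SERVICES = {"windows defender antivirus service", "windows defender firewall"}
RECOVERY_SERVICES = {"volume shadow copy", "windows backup"}


def classify(event):
    """Return an analytic label for one record, or None if no rule fires."""
    eid = event.get("eid")
    name = event.get("name", "").lower()
    if eid == 7045 and SUSPICIOUS_PATH.search(event.get("image_path", "")):
        return "T1543.003 service created in user-writable path"
    if eid == 7036 and event.get("state") == "stopped" and name in DEFENSIVE_SERVICES:
        return "T1562.001 defensive service stopped"
    if eid == 7040 and event.get("new_start") == "disabled" and name in RECOVERY_SERVICES:
        return "T1490 recovery service disabled"
    return None


def run_analytics(events):
    """Apply classify() to every record; returns (service name, label) pairs that fired."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append((ev["name"], label))
    return hits


if __name__ == "__main__":
    for name, label in run_analytics(SAMPLE_EVENTS):
        print(f"{label}: {name}")
```

Hits from these rules are a starting point for correlation with the process creation and logon events the tables recommend, not a verdict on their own.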
Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs)

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1543 | Create or Modify System Process | Monitor for changes to system processes that do not correlate with known software, patch cycles, etc., including by comparing results against a trusted system baseline. |
| | .001 | Launch Agent | Monitor for changes made to launch agents to repeatedly execute malicious payloads as part of persistence. |
| | .002 | Systemd Service | Analyze the contents of |
| | .003 | Windows Service | Monitor for changes made to Windows services to repeatedly execute malicious payloads as part of persistence. |
| | .004 | Launch Daemon | Monitor services for changes made to Launch Daemons to execute malicious payloads as part of persistence. |
| Enterprise | T1574.011 | Hijack Execution Flow: Services Registry Permissions Weakness | Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and do not correlate with software updates, then it may be due to malicious activity. |
| ICS | T0849 | Masquerading | Monitor for changes made to services that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. |