Service

A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in[1][2]

ID: DS0019
Platforms: Linux, Windows, macOS
Collection Layer: Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 30 March 2022

Data Components

Service: Service Creation

Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)

Service: Service Creation

Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)

Domain ID Name Detects
Enterprise T1557 Adversary-in-the-Middle

Monitor for newly constructed services/daemons through Windows event logs for event IDs 4697 and 7045. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as remote logins or process creation events.

.001 LLMNR/NBT-NS Poisoning and SMB Relay

Monitor for newly constructed services/daemons through Windows event logs for event IDs 4697 and 7045. [3] Deploy an LLMNR/NBT-NS spoofing detection tool.[4]

ICS T0830 Adversary-in-the-Middle

Monitor for newly constructed services/daemons through Windows event logs for event IDs 4697 and 7045.

Enterprise T1543 Create or Modify System Process

Monitor for newly constructed services/daemons that may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.

.001 Launch Agent

Monitor Launch Agent creation through additional plist files and utilities such as Objective-See’s KnockKnock application.

.002 Systemd Service

Monitor for new constructed systemd services to repeatedly execute malicious payloads as part of persistence.

.003 Windows Service

Creation of new services may generate an alterable event (ex: Event ID 4697 and/or 7045 [5][6]), especially those associated with unknown/abnormal drivers. New, benign services may be created during installation of new software.

Analytic 1 : Creation of new services with unusual directory paths such as temporal files in APPDATA

suspicious_services = filter ServiceName, ServiceFilePath, ServiceType, ServiceStartType, ServiceAccountName where (event_id == "7045" OR event_id == "4697") AND (ServiceFilePath LIKE '%APPDATA%' OR ServiceImagePath LIKE '%PUBLIC%')

.004 Launch Daemon

Monitor for newly constructed services may create or modify Launch Daemons to execute malicious payloads as part of persistence.

Enterprise T1564 Hide Artifacts

Monitor for newly constructed services/daemons that may attempt to hide artifacts associated with their behaviors to evade detection.

.006 Run Virtual Instance

Monitor for newly constructed services/daemons that may carry out malicious operations using a virtual instance to avoid detection. Consider monitoring for new Windows Service, with respect to virtualization software.

Enterprise T1036 Masquerading

Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.

.004 Masquerade Task or Service

Monitor for newly constructed services/daemons. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

ICS T0849 Masquerading

Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.

Enterprise T1569 System Services

Monitor for newly constructed services/daemons to execute commands or programs.

.001 Launchctl

Monitor for newly constructed services/daemons to execute commands or programs.

.002 Service Execution

Monitor newly constructed services that abuse control manager to execute malicious commands or payloads.

Service: Service Metadata

Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.

Service: Service Metadata

Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.

Domain ID Name Detects
Enterprise T1197 BITS Jobs

BITS runs as a service and its status can be checked with the Sc query utility (sc query bits).[7]

Enterprise T1574 Hijack Execution Flow

Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.

.005 Executable Installer File Permissions Weakness

Monitor for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques.

.010 Services File Permissions Weakness

Hashing of binaries and service executables could be used to detect replacement against historical data.

Enterprise T1562 Impair Defenses

Monitor contextual data about a service/daemon, which may include information such as name, service executable, start type that that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

.001 Disable or Modify Tools

Monitor for telemetry that provides context of security software services being disabled or modified. In cloud environments, monitor virtual machine logs for the status of cloud security agents. Spyware and malware remain a serious problem and Microsoft developed security services, Windows Defender and Windows Firewall, to combat this threat. In the event Windows Defender or Windows Firewall is turned off, administrators should correct the issue immediately to prevent the possibility of infection or further infection and investigate to determine if caused by crash or user manipulation.Note: Stopping services events are Windows Event Code 7036.

Analytic 1 - User Activity from Stopping Windows Defensive Services

log_name == "System" ANDevent_code == "7036"param1 in ["Windows Defender", "Windows Firewall"] ANDparam2 == "stopped"

Enterprise T1490 Inhibit System Recovery

Monitor the status of services involved in system recovery.

Note: For Windows, Event ID 7040 can be used to alert on changes to the start type of a service (e.g., going from enabled at startup to disabled) associated with system recovery.

Enterprise T1036 Masquerading

Monitor for contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.

.004 Masquerade Task or Service

Monitor for changes made to services for unexpected modifications to names, descriptions, and/or start types

Enterprise T1021 .006 Remote Services: Windows Remote Management

Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior.

Enterprise T1489 Service Stop

Alterations to the service binary path or the service startup type changed to disabled may be suspicious.

ICS T0881 Service Stop

Alterations to the service binary path or the service startup type changed to disabled may be suspicious.

Service: Service Modification

Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs)

Service: Service Modification

Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs)

Domain ID Name Detects
Enterprise T1543 Create or Modify System Process

Monitor for changes to system processes that do not correlate with known software, patch cycles, etc., including by comparing results against a trusted system baseline.

.001 Launch Agent

Monitor for changes made to launch agents to repeatedly execute malicious payloads as part of persistence.

.002 Systemd Service

Analyze the contents of .service files present on the file system and ensure that they refer to legitimate, expected executables.

.003 Windows Service

Monitor for changes made to Windows services to repeatedly execute malicious payloads as part of persistence.

Analytic 1 : System services via registry modifications

suspicious_processes = filter ProcessGuid, ProcessFilePath, RegistryKeyPath, UserName where event_id == "13" AND EventType == "SetValue" AND RegistryKeyPath LIKE '%HKLM\System\CurrentControlSet\Services\%' AND (RegistryKeyPath LIKE '%ImagePath%' OR RegistryKeyPath LIKE '%Type%' OR RegistryKeyPath LIKE '%DisplayName%' OR RegistryKeyPath LIKE '%Objectname%')

.004 Launch Daemon

Monitor services for changes made to Launch Daemons to execute malicious payloads as part of persistence.

Enterprise T1574 .011 Hijack Execution Flow: Services Registry Permissions Weakness

Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity.

ICS T0849 Masquerading

Monitor for changes made to services that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.

References