New Service

When operating systems boot up, they can start programs or applications called services that perform background system functions.[1] A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry.

Adversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with Masquerading. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution.

ID: T1050
Tactic: Persistence, Privilege Escalation
Platform: Windows
Permissions Required: Administrator, SYSTEM
Effective Permissions: SYSTEM
Data Sources: Windows Registry, Process monitoring, Process command-line parameters, Windows event logs
CAPEC ID: CAPEC-550
Contributors: Pedro Harrison
Version: 1.0

Procedure Examples

Name Description
APT3

APT3 has a tool that creates a new service for persistence.[65]

APT32

APT32 creates a Windows service to establish persistence.[67][68][69]

AuditCred

AuditCred is installed as a new service on the system.[38]

BlackEnergy

One variant of BlackEnergy creates a new service using either a hard-coded or randomly generated name.[3]

Briba

Briba installs a service pointing to a malicious DLL dropped to disk.[22]

Carbanak

Carbanak malware installs itself as a service to provide persistence and SYSTEM privileges.[62]

Carbon

Carbon establishes persistence by creating a service and naming it based on the operating system version running on the current machine.[42]

Catchamas

Catchamas adds a new service named NetAdapter to establish persistence.[35]

Cobalt Group

Cobalt Group has created new services to establish persistence.[63]

Cobalt Strike

Cobalt Strike can install a new service.[2]

CosmicDuke

CosmicDuke uses Windows services typically named "javamtsup" for persistence.[4]

CozyCar

One persistence mechanism used by CozyCar is to register itself as a Windows service.[9]

Duqu

Duqu creates a new service that loads a malicious driver when the system starts. When Duqu is active, the operating system believes that the driver is legitimate, as it has been signed with a valid private key.[20]

Dyre

Dyre registers itself as a service by adding several Registry keys.[34]

Elise

Elise configures itself as a service.[21]

Emissary

Emissary is capable of configuring itself as a service.[37]

Emotet

Emotet has been observed creating new services to maintain persistence.[57][58]

Exaramel for Windows

The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description "Windows Check AV."[54]

FIN7

FIN7 created new Windows services and added them to the startup directories for persistence.[66]

FinFisher

FinFisher creates a new Windows service with the malicious executable for persistence.[30][31]

gh0st RAT

gh0st RAT can create a new service to establish persistence.[48]

hcdLoader

hcdLoader installs itself as a service for persistence.[12][13]

Hydraq

Hydraq creates new services to establish persistence.[5][6][7]

InnaputRAT

Some InnaputRAT variants create a new Windows service to establish persistence.[8]

JHUHUGIT

JHUHUGIT has registered itself as a service to establish persistence.[32]

Kazuar

Kazuar can install itself as a new service.[29]

Ke3chang

Ke3chang backdoor RoyalDNS established persistence through adding a service called Nwsapagent.[64]

KeyBoy

KeyBoy installs a service pointing to a malicious DLL dropped to disk.[60]

Kimsuky

Kimsuky has created new services for persistence.[74]

Kwampirs

Kwampirs creates a new service named WmiApSrvEx to establish persistence.[17]

Lazarus Group

Several Lazarus Group malware families install themselves as new services on victims.[70][71]

MoonWind

MoonWind installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine if the malware is running; if not, it will spawn a new instance.[33]

Naid

Naid creates a new service to establish persistence.[53]

Nerex

Nerex creates a Registry subkey that registers a new service.[16]

Nidiran

Nidiran can create a new service named msamger (Microsoft Security Accounts Manager).[23]

PlugX

PlugX can be added as a service to establish persistence.[44][45][46][24]

PoisonIvy

PoisonIvy creates a Registry subkey that registers a new service.[15]

RawPOS

RawPOS installs itself as a service to maintain persistence.[25][26][27]

Reaver

Reaver installs itself as a new service.[36]

Sakula

Some Sakula samples install themselves as services for persistence by calling WinExec with the net start argument.[11]

Seasalt

Seasalt is capable of installing itself as a service.[39]

Shamoon

Shamoon creates a new service named "ntssrv" to execute the payload.[14]

StreamEx

StreamEx establishes persistence by installing a new service pointing to its DLL and setting the service to auto-start.[51]

TDTESS

If running as administrator, TDTESS installs itself as a new service named bmwappushservice to establish persistence.[41]

Threat Group-3390

A Threat Group-3390 tool can create a new service, naming it after the config information, to gain persistence.[72]

TinyZBot

TinyZBot can install as a Windows service for persistence.[10]

Tropic Trooper

Tropic Trooper installs a service pointing to a malicious DLL dropped to disk.[73]

TYPEFRAME

TYPEFRAME variants can add malicious DLL modules as new services.[40]

Ursnif

Ursnif has registered itself as a system service in the Registry for automatic execution at system startup.[59]

Volgmer

Some Volgmer variants install .dll files as services with names generated by a list of hard-coded strings.[49][50]

WannaCry

WannaCry creates the service "mssecsvc2.0" with the display name "Microsoft Security Center (2.0) Service."[55][56]

Wiarp

Wiarp creates a backdoor through which remote attackers can create a service.[28]

Wingbird

Wingbird uses services.exe to register a new autostart service named "Audit Service" using a copy of the local lsass.exe file.[18][19]

Winnti

Winnti sets its DLL file as a new service in the Registry to establish persistence.[47]

ZeroT

ZeroT can add a new service to ensure PlugX persists on the system when delivered as another payload onto the system.[24]

ZLib

ZLib creates Registry keys to allow itself to run as various services.[43]

zwShell

zwShell has established persistence by adding itself as a new service.[52]

ZxShell

ZxShell can create a new service using the service parser function ProcessScCommand.[61]

Mitigations

Mitigation Description
User Account Management

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new services.

Detection

Monitor service creation through changes in the Registry and common utilities using command-line invocation. Creation of new services may generate an alterable event (e.g., Security Event ID 4697 and/or System Event ID 7045).[75][76] New, benign services may be created during installation of new software. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence.[77] Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.

Monitor processes and command-line arguments for actions that could create services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.
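A small triage routine for the events described above, added here as an example (not code from ATT&CK or any vendor product): it takes constructed Security 4697 / System 7045 records in an assumed SIEM-export field layout and flags services that are absent from a historical baseline, run from outside trusted directories, use a launcher-style image path, or load a kernel driver from a non-system location.

```python
"""Triage Windows service-creation events (Security 4697 / System 7045).
Added example, not code from the ATT&CK page or a vendor product; the sample
records are constructed and the field names assume a simple SIEM export."""
import re

# Directories from which legitimately installed services normally run.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")

# Substrings rarely seen in a benign service's image path but typical when a
# service only launches a script or command from a user-writable location.
LAUNCHER_PATTERNS = re.compile(
    r'cmd(\.exe)?"?\s+/[ck]\b|powershell|rundll32|regsvr32|\\temp\\|\\appdata\\',
    re.IGNORECASE)

def normalize_path(image_path):
    """Lower-case, drop quotes and expand %SystemRoot% so directory checks work."""
    p = image_path.strip().strip('"').lower()
    p = p.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
    if p.startswith("\\??\\"):          # NT object path form used by kernel drivers
        p = p[4:]
    return p

def triage_service_event(event, baseline):
    """Return the reasons this event deserves attention (empty list = looks benign)."""
    reasons = []
    path = normalize_path(event["ImagePath"])
    in_trusted_dir = path.startswith(TRUSTED_DIRS)
    if event["ServiceName"] not in baseline:
        reasons.append("service name not in historical baseline")
    if not in_trusted_dir:
        reasons.append("binary outside trusted directories")
    if LAUNCHER_PATTERNS.search(path):
        reasons.append("image path looks like a command launcher")
    if event.get("ServiceType") == "kernel mode driver" and not in_trusted_dir:
        reasons.append("kernel driver loaded from a non-system directory")
    return reasons

# Constructed sample records, not real telemetry.
BASELINE = {"Dhcp", "Spooler", "WinDefend"}
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Dhcp", "ServiceType": "user mode service",
     "ImagePath": "%SystemRoot%\\system32\\svchost.exe -k LocalServiceNetworkRestricted"},
    {"EventID": 4697, "ServiceName": "UpdaterSvc", "ServiceType": "user mode service",
     "ImagePath": "C:\\Users\\Public\\updater.exe"},
    {"EventID": 7045, "ServiceName": "SysHelper", "ServiceType": "user mode service",
     "ImagePath": '"C:\\Windows\\System32\\cmd.exe" /c C:\\Users\\bob\\AppData\\Local\\Temp\\run.bat'},
    {"EventID": 7045, "ServiceName": "netfltr", "ServiceType": "kernel mode driver",
     "ImagePath": "\\??\\C:\\Users\\Public\\netfltr.sys"},
]
```

Only the baseline check needs per-environment data; the directory and launcher checks are deliberately coarse so that a new service from an installer still shows up for review rather than being silently accepted.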

References

  1. Microsoft. (n.d.). Services. Retrieved June 7, 2016.
  2. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
  3. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  4. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  5. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  6. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  7. Fitzgerald, P. (2010, January 26). How Trojan.Hydraq Stays On Your Computer. Retrieved February 22, 2018.
  8. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  9. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  10. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  11. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  12. Carvey, H. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.
  13. Shelmire, A. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.
  14. Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  15. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  16. Ladley, F. (2012, May 15). Backdoor.Nerex. Retrieved February 23, 2018.
  17. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  18. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
  19. Microsoft. (2017, November 9). Backdoor:Win32/Wingbird.A!dha. Retrieved November 27, 2017.
  20. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  21. Falcone, R., et al. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  22. Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.
  23. Sponchioni, R. (2016, March 11). Backdoor.Nidiran. Retrieved August 3, 2016.
  24. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  25. Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017.
  26. TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. Retrieved October 4, 2017.
  27. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  28. Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.
  29. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  30. FinFisher. (n.d.). Retrieved December 20, 2017.
  31. Allievi, A., Flori, E. (2018, March 01). FinFisher exposed: A researcher's tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  32. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  33. Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  34. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.
  35. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
  36. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
  37. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve? Retrieved February 15, 2016.
  38. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  39. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  40. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  41. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  42. ESET. (2017, March 30). Carbon Paper: Peering into Turla's second stage backdoor. Retrieved November 7, 2018.
  43. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  44. Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
  45. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  46. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  47. Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017.
  48. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.
  49. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  50. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
  51. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV's Radar. Retrieved February 15, 2017.
  52. McAfee Foundstone Professional Services and McAfee Labs. (2011, February 10). Global Energy Cyberattacks: "Night Dragon". Retrieved February 19, 2018.
  53. Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018.
  54. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  55. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
  56. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
  57. US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.
  58. Mclellan, M. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019.
  59. Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019.
  60. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.
  61. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  62. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  63. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  64. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  65. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
  66. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  67. Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
  68. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  69. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  70. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  71. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  72. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  73. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  74. Tarakanov, D. (2013, September 11). The "Kimsuky" Operation: A North Korean APT? Retrieved August 13, 2019.
  75. Miroshnikov, A. & Hall, J. (2017, April 18). 4697(S): A service was installed in the system. Retrieved August 7, 2018.
  76. Hardy, T. & Hall, J. (2018, February 15). Use Windows Event Forwarding to help with intrusion detection. Retrieved August 7, 2018.
  77. Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.