Create or Modify System Process

Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.[1] On macOS, launchd processes known as Launch Daemons and Launch Agents are run to finish system initialization and load user-specific parameters.[2]

Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect.

Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.[3]

ID: T1543
Sub-techniques: T1543.001, T1543.002, T1543.003, T1543.004
Tactics: Persistence, Privilege Escalation
Platforms: Linux, Windows, macOS
Data Sources: Command: Command Execution, File: File Creation, File: File Modification, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Version: 1.0
Created: 10 January 2020
Last Modified: 09 October 2020

Procedure Examples

ID Name Description
S0401 Exaramel for Linux

Exaramel for Linux has a hardcoded location that it uses to achieve persistence if the startup system is Upstart or System V and it is running as root.[4]

S0512 FatDuke

FatDuke has the ability to create a process.[5]

S0051 MiniDuke

MiniDuke can create a process on a compromised host.[5]

Mitigations

ID Mitigation Description
M1047 Audit

Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them.

M1033 Limit Software Installation

Restrict software installation to trusted repositories only and be cautious of orphaned software packages.

M1022 Restrict File and Directory Permissions

Restrict read/write access to system-level process files to only select privileged users who have a legitimate need to manage system services.

M1018 User Account Management

Limit privileges of user accounts and groups so that only authorized administrators can interact with system-level process changes and service configurations.

Detection

Monitor for changes to system processes that do not correlate with known software, patch cycles, etc., including by comparing results against a trusted system baseline. New, benign system processes may be created during installation of new software. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

Command-line invocation of tools capable of modifying services may be unusual, depending on how systems are typically used in a particular environment. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques.

Monitor for changes to files associated with system-level processes.
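A baseline-and-diff check of the kind the Detection section describes, as an added example that is not part of the ATT&CK page: it hashes the definition files under the standard systemd, System V and launchd directories (the directory list is an assumption to adjust per environment) and reports new, modified and removed entries against a saved baseline; the `demo()` scenario uses constructed unit files in a temporary directory.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List

# Standard locations where service, daemon and agent definitions live. Treat this
# list as an assumption to adjust for the environment being monitored.
DEFAULT_DIRS = [
    "/etc/systemd/system", "/usr/lib/systemd/system",  # Linux: systemd units
    "/etc/init.d",                                      # Linux: System V scripts
    "/Library/LaunchDaemons", "/Library/LaunchAgents",  # macOS: launchd plists
]

def snapshot(dirs: Iterable[str]) -> Dict[str, str]:
    """Map every regular file under the given directories to its SHA-256 digest."""
    digests: Dict[str, str] = {}
    for top in dirs:
        for root, _dirs, files in os.walk(top):  # missing dirs are silently skipped
            for name in files:
                path = os.path.join(root, name)
                try:
                    with open(path, "rb") as fh:
                        digests[path] = hashlib.sha256(fh.read()).hexdigest()
                except OSError:
                    continue  # unreadable or vanished file: skip, do not abort the scan
    return digests

def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report definition files that appeared, changed or disappeared since the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline one unit file, then modify it and add a second one."""
    with tempfile.TemporaryDirectory() as tmp:
        unit = os.path.join(tmp, "sshd.service")
        with open(unit, "w") as fh:
            fh.write("[Service]\nExecStart=/usr/sbin/sshd -D\n")
        baseline = snapshot([tmp])
        with open(unit, "a") as fh:  # existing service modified after the baseline
            fh.write("ExecStartPre=/tmp/extra.sh\n")
        with open(os.path.join(tmp, "updater.service"), "w") as fh:  # new service
            fh.write("[Service]\nExecStart=/tmp/updater\n")
        report = diff_baseline(baseline, snapshot([tmp]))
    # Drop the random temp-dir prefix so the result is stable for the caller.
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}
```

In production, persist the `snapshot(DEFAULT_DIRS)` output from a known-good system and run `diff_baseline` against it on a schedule, treating any "added" or "modified" entry that does not match a known install or patch as an event to correlate with process creation and network activity.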

References