Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API.
Adversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex:
.sys) to disk, the payload can be loaded and registered via Native API functions such as
CreateServiceW() (or manually via functions such as
ZwSetValueKey()), by creating the required service Registry values (i.e. Modify Registry), or by using command-line utilities such as
PnPUtil.exe. Adversaries may leverage these drivers as Rootkits to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver" (BYOVD)) as part of Exploitation for Privilege Escalation.
Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through Service Execution. To make detection analysis more challenging, malicious services may also incorporate Masquerade Task or Service (ex: using a service and/or payload name related to a legitimate OS or benign software component).
Duqu creates a new service that loads a malicious driver when the system starts. When Duqu is active, the operating system believes that the driver is legitimate, as it has been signed with a valid private key.
|S0343||Exaramel for Windows|
MoonWind installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine if the malware is running; if not, it will spawn a new instance.
STARWHALE has the ability to create the following Windows service to establish persistence on an infected host:
Volgmer installs a copy of itself in a randomly selected service, then overwrites the ServiceDLL entry in the service's Registry entry. Some Volgmer variants also install .dll files as services with names generated by a list of hard-coded strings.
|S0141||Winnti for Windows|
Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them.
|M1040||Behavior Prevention on Endpoint||
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system. On Windows 10 and 11, enable Microsoft Vulnerable Driver Blocklist to assist in hardening against third party-developed service drivers.
Enforce registration and execution of only legitimately signed service drivers where possible.
|M1028||Operating System Configuration||
Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed.
|M1018||User Account Management||
Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations.
|ID||Data Source||Data Component||Detects|
Monitor processes and command-line arguments for actions that could create or modify services. Command-line invocation of tools capable of adding or modifying services may be unusual, depending on how systems are typically used in a particular environment. Services may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data. Also collect service utility execution and service binary path arguments used for analysis. Service binary paths may even be changed to execute commands or scripts.
Monitor for new service driver installations and loads (ex: Sysmon Event ID 6) that are not part of known software update/patch cycles.
|DS0009||Process||OS API Execution||
Monitor for API calls that may create or modify Windows services (ex:
Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
Creation of new services may generate an alterable event (ex: Event ID 4697 and/or 7045 ), especially those associated with unknown/abnormal drivers. New, benign services may be created during installation of new software.
Monitor for changes made to Windows services to repeatedly execute malicious payloads as part of persistence.
|DS0024||Windows Registry||Windows Registry Key Creation||
Monitor for new constructed windows registry keys that may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.
|Windows Registry Key Modification||
Look for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at