1. Home
  2. Techniques
  3. Enterprise
  4. System Services

System Services

ID Name
T1569.001 Launchctl
T1569.002 Service Execution

Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary execution.

ID: T1569
Sub-techniques:  T1569.001, T1569.002
Tactic: Execution
Platforms: Linux, Windows, macOS
Supports Remote:  Yes
Version: 1.3
Created: 10 March 2020
Last Modified: 20 September 2024
Version Permalink

Procedure Examples

ID Name Description
G0139 TeamTNT

TeamTNT has created system services to execute cryptocurrency mining software.[1]

Mitigations

ID Mitigation Description
M1040 Behavior Prevention on Endpoint

On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by PsExec from running. [2]
M1026 Privileged Account Management

Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level.
M1022 Restrict File and Directory Permissions

Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.
M1018 User Account Management

Prevent users from installing their own launch agents or launch daemons.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor command-line invocations for tools capable of creating or modifying system services (e.g., systemctl on Linux, sc.exe on Windows, launchctl on macOS).

Analytic 1 - Unusual service modification tools.

sourcetype=command_logs| search command IN ("systemctl", "sc", "launchctl")
DS0022 File File Modification

Track changes to critical service-related files (e.g., /etc/systemd/system/, /etc/init.d/, and service binaries on Linux, C:\Windows\System32\services.exe`` on Windows, or/Library/LaunchDaemons``` on macOS).

Analytic 1 - Unusual file modifications related to system services.

sourcetype=file_monitor| search file_path IN ("/etc/systemd/system/", "/etc/init.d/", "/Library/LaunchDaemons/*", "C:\Windows\System32\services.exe")

DS0009 Process Process Creation

Monitor newly executed processes that may abuse system services or daemons to execute commands or programs.

Analytic 1 - New processes abusing system services.

sourcetype=process_logs| search process IN ("services.exe", "systemd", "launchd")

DS0019 Service Service Creation

Track the creation of new services, which could indicate adversarial activity aimed at persistence or execution.

Analytic 1 - Monitors service creation and modification activities

sourcetype=service_logs| search service_action="create" OR service_action="modify"| where user NOT IN ("known_admins") AND service_name NOT IN ("known_services")
DS0024 Windows Registry Windows Registry Key Modification

Monitor for changes made to windows registry keys and/or values that may abuse system services or daemons to execute commands or programs.

Analytic 1 - Malicious service modification

sourcetype= Sysmon EventCode=12| search registry_path="HKLM\SYSTEM\CurrentControlSet\Services\*" | where registry_action="modified" AND user NOT IN ("known_admins")

References

  1. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  1. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.