System Services

Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary execution.

ID: T1569
Sub-techniques:  T1569.001, T1569.002
Tactic: Execution
Platforms: Windows, macOS
Permissions Required: Administrator, SYSTEM, User, root
Data Sources: File monitoring, Process command-line parameters, Process monitoring, Windows Registry
Version: 1.0
Created: 10 March 2020
Last Modified: 08 June 2020

Mitigations

Mitigation Description
Privileged Account Management

Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level.

Restrict File and Directory Permissions

Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.

User Account Management

Prevent users from installing their own launch agents or launch daemons.

Detection

Monitor for command line invocations of tools capable of modifying services that doesn’t correspond to normal usage patterns and known software, patch cycles, etc. Also monitor for changes to executables and other files associated with services. Changes to Windows services may also be reflected in the Registry.