New Service

From ATT&CK
Jump to: navigation, search
New Service
Technique
ID T1050
Tactic Persistence, Privilege Escalation
Platform Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1
Permissions Required Administrator, SYSTEM
Effective Permissions SYSTEM
Data Sources Windows Registry, Process monitoring, Process command-line parameters
CAPEC ID CAPEC-550

When operating systems boot up, they can start programs or applications called services that perform background system functions.1 A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry.

Adversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with Masquerading. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution.

Examples

  • Carbanak malware installs itself as a service to provide persistence and SYSTEM privileges.2
  • Several Lazarus Group malware families install themselves as new services on victims.3
  • TinyZBot can install as a Windows service for persistence.4
  • PlugX can add itself as a service to establish persistence.5
  • Duqu creates a new service that loads a malicious driver when the system starts. When Duqu is active, the operating system believes that the driver is legitimate, as it has been signed with a valid private key.6
  • JHUHUGIT has registered itself as a service to establish persistence.7
  • One persistence mechanism used by CozyCar is to register itself as a Windows service.8
  • CosmicDuke uses Windows services typically named "javamtsup" for persistence.9
  • hcdLoader installs itself as a service for persistence.1011
  • Some Sakula samples install themselves as services for persistence by calling WinExec with the net start argument.12
  • Elise configures itself as a service.13
  • Emissary is capable of configuring itself as a service.14
  • ZLib creates Registry keys to allow itself to run as various services.15
  • One variant of BlackEnergy creates a new service using either a hard-coded or randomly generated name.16
  • Nidiran can create a new service named msamger (Microsoft Security Accounts Manager).17
  • Shamoon creates a new service named “ntssrv” to execute the payload.18

Mitigation

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new services.

Identify and block unnecessary system utilities or potentially malicious software that may be used to create services by using whitelisting19 tools, like AppLocker,2021 or Software Restriction Policies22 where appropriate.23

Detection

Monitor service creation through changes in the Registry and common utilities using command-line invocation. New, benign services may be created during installation of new software. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence.24 Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.

Monitor processes and command-line arguments for actions that could create services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.

References