CAR-2014-02-001: Service Binary Modifications
Adversaries may modify the binary file for an existing service to achieve Persistence while potentially evading defenses. If a newly created or modified runs as a service, it may indicate APT activity. However, services are frequently installed by legitimate software. A well-tuned baseline is essential to differentiating between benign and malicious service modifications.
Output Description
The Service Name and approximate time in which changes occurred on each host
ATT&CK Detections
| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| Create or Modify System Process | Windows Service | Persistence, Privilege Escalation | Moderate |
| Hijack Execution Flow | Services File Permissions Weakness | Persistence, Privilege Escalation | Moderate |
| System Services | Service Execution | Execution | Moderate |
D3FEND Techniques
| ID | Name |
|---|---|
| D3-SBV | Service Binary Verification |
Data Model References
| Object | Action | Field |
|---|---|---|
| file | create | file_path |
| file | create | image_path |
| process | create | image_path |
| process | create | parent_exe |
Implementations
Pseudocode
Look for events where a file was created and then later run as a service. In these cases, a new service has been created or the binary has been modified. Many programs, such as msiexec.exe, do these behaviors legitimately and can be used to help validate legitimate service creations/modifications.
legitimate_installers = ["C:\windows\system32\msiexec.exe", "C:\windows\syswow64\msiexec.exe", ...]
file_change = search File:Create,Modify
process = search Process:Create
service_process = filter processes where (parent_exe == "services.exe")
modified_service = join (search, filter) where (
file_change.time < service_process.time and
file_change.file_path == service_process.image_path
)
modified_service = filter modified_service where (modified_service.file_change.image_path not in legitimate_installers)
output modified_service