Adversaries may modify the binary file for an existing service to achieve Persistence while potentially evading defenses. If a newly created or modified runs as a service, it may indicate APT activity. However, services are frequently installed by legitimate software. A well-tuned baseline is essential to differentiating between benign and malicious service modifications.

Output Description

The Service Name and approximate time in which changes occurred on each host

ATT&CK Detections

Technique Subtechnique(s) Tactic(s) Level of Coverage
Create or Modify System Process Windows Service Persistence, Privilege Escalation Moderate
Hijack Execution Flow Services File Permissions Weakness Persistence, Privilege Escalation Moderate
System Services Service Execution Execution Moderate

D3FEND Techniques

ID Name
D3-SBV Service Binary Verification

Data Model References

Object Action Field
file create file_path
file create image_path
process create image_path
process create parent_exe

Implementations

Pseudocode

Look for events where a file was created and then later run as a service. In these cases, a new service has been created or the binary has been modified. Many programs, such as msiexec.exe, do these behaviors legitimately and can be used to help validate legitimate service creations/modifications.

legitimate_installers = ["C:\windows\system32\msiexec.exe", "C:\windows\syswow64\msiexec.exe", ...]

file_change = search File:Create,Modify
process = search Process:Create
service_process = filter processes where (parent_exe == "services.exe")
modified_service = join (search, filter) where (
 file_change.time < service_process.time and
 file_change.file_path == service_process.image_path
)

modified_service = filter modified_service where (modified_service.file_change.image_path not in legitimate_installers)
output modified_service