Adversaries may modify the binary file for an existing service to achieve Persistence while potentially evading defenses. If a newly created or modified file runs as a service, it may indicate APT activity. However, services are frequently installed by legitimate software, so a well-tuned baseline of which processes legitimately write service binaries is essential for differentiating benign from malicious service modifications.

Output Description

The service name and the approximate time at which the change occurred on each host

ATT&CK Detection

|Technique|Tactic|Level of Coverage|
|---|---|---|
|New Service|Persistence, Privilege Escalation|Moderate|
|Modify Existing Service|Persistence| |
|File System Permissions Weakness|Persistence, Privilege Escalation|Moderate|
|Service Execution|Execution, Privilege Escalation|Moderate|

Pseudocode

Look for events where a file was created or modified and then later run as a service (a process whose parent is services.exe). In these cases, either a new service has been created or the binary of an existing service has been modified. Many programs, such as msiexec.exe, perform these actions legitimately; checking which process wrote the file can be used to validate legitimate service creations/modifications.

```
legitimate_installers = ["C:\windows\system32\msiexec.exe", "C:\windows\syswow64\msiexec.exe", ...]

file_change = search File:Create,Modify
process = search Process:Create
service_process = filter process where (parent_exe == "services.exe")
modified_service = join (file_change, service_process) where (
  file_change.time < service_process.time and
  file_change.file_path == service_process.image_path
)

modified_service = filter modified_service where (file_change.image_path not in legitimate_installers)
output modified_service
```
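The join above, implemented over two in-memory event streams, as an added example that is not part of the CAR analytic itself. The file and process events are constructed stand-ins for File:Create/Modify and Process:Create telemetry (host names, paths and timestamps are invented); `max_gap_seconds` is an assumption added here, not something the pseudocode specifies, to bound how far back a write may sit before the service launch. Paths are compared case-insensitively because NTFS is case-insensitive, and the parent is matched on its file name so that `services.exe` is recognised regardless of the logged directory.

```python
"""Join file writes to later service launches of the same binary on the same host."""
from dataclasses import dataclass
from typing import Iterable, List, Optional
import ntpath

# Writers treated as legitimate installers; extend from your own baseline.
LEGITIMATE_INSTALLERS = {
    r"c:\windows\system32\msiexec.exe",
    r"c:\windows\syswow64\msiexec.exe",
}


@dataclass(frozen=True)
class FileEvent:          # File:Create or File:Modify
    time: int             # epoch seconds (constructed)
    host: str
    file_path: str        # file that was created or modified
    image_path: str       # process that wrote it


@dataclass(frozen=True)
class ProcessEvent:       # Process:Create
    time: int
    host: str
    image_path: str       # binary that was executed
    parent_exe: str       # parent process image


@dataclass(frozen=True)
class ModifiedService:
    host: str
    service_image: str
    writer: str           # last non-allowlisted process to write the binary
    written_at: int
    started_at: int


def _norm(path: str) -> str:
    return path.lower()


def find_modified_services(
    file_events: Iterable[FileEvent],
    process_events: Iterable[ProcessEvent],
    legitimate_installers=LEGITIMATE_INSTALLERS,
    max_gap_seconds: Optional[int] = None,   # assumption: optional lookback window
) -> List[ModifiedService]:
    allow = {_norm(p) for p in legitimate_installers}
    writes = list(file_events)
    hits: List[ModifiedService] = []
    for proc in process_events:
        # Only launches whose parent is services.exe are service executions.
        if ntpath.basename(proc.parent_exe).lower() != "services.exe":
            continue
        prior = [
            f for f in writes
            if f.host == proc.host
            and _norm(f.file_path) == _norm(proc.image_path)
            and f.time < proc.time
            and (max_gap_seconds is None or proc.time - f.time <= max_gap_seconds)
            and _norm(f.image_path) not in allow
        ]
        if not prior:
            continue
        last = max(prior, key=lambda f: f.time)   # one hit per launch, latest writer
        hits.append(ModifiedService(proc.host, proc.image_path, last.image_path,
                                    last.time, proc.time))
    return hits


# Constructed sample telemetry, not real logs.
SAMPLE_FILE_EVENTS = [
    # HOST-A: vendor installer drops a service binary (allowlisted writer)
    FileEvent(100, "HOST-A", r"C:\Program Files\Vendor\vendorsvc.exe", r"C:\Windows\System32\msiexec.exe"),
    # HOST-B: PowerShell writes a binary that runs as a service 50 s later
    FileEvent(300, "HOST-B", r"C:\Windows\Temp\update.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # HOST-C: write happens after the service already started (no match)
    FileEvent(500, "HOST-C", r"C:\Program Files\Vendor\vendorsvc.exe", r"C:\Windows\System32\cmd.exe"),
    # HOST-D: written binary launched by explorer.exe, not services.exe (no match)
    FileEvent(600, "HOST-D", r"C:\Users\Public\tool.exe", r"C:\Windows\System32\cmd.exe"),
]

SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(200, "HOST-A", r"C:\Program Files\Vendor\vendorsvc.exe", r"C:\Windows\System32\services.exe"),
    ProcessEvent(350, "HOST-B", r"c:\windows\temp\UPDATE.EXE", r"C:\Windows\System32\services.exe"),
    ProcessEvent(400, "HOST-B", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    ProcessEvent(450, "HOST-C", r"C:\Program Files\Vendor\vendorsvc.exe", r"C:\Windows\System32\services.exe"),
    ProcessEvent(650, "HOST-D", r"C:\Users\Public\tool.exe", r"C:\Windows\System32\explorer.exe"),
]

if __name__ == "__main__":
    for hit in find_modified_services(SAMPLE_FILE_EVENTS, SAMPLE_PROCESS_EVENTS):
        print(hit)
```

Only HOST-B produces a hit: the write came from powershell.exe rather than an allowlisted installer, preceded the launch, and the launch's parent was services.exe. Note that the allowlist keys on the writing process alone, so an adversary who stages a binary through a legitimate installer would be suppressed; that is the tuning trade-off the baseline paragraph above refers to.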

Data Model References

|Object|Action|Field|
|---|---|---|
|file|create|file_path|
|file|create|image_path|
|process|create|image_path|
|process|create|parent_exe|