Adversaries may modify the binary file for an existing service to achieve Persistence while potentially evading defenses. If a newly created or modified runs as a service, it may indicate APT activity. However, services are frequently installed by legitimate software. A well-tuned baseline is essential to differentiating between benign and malicious service modifications.
The Service Name and approximate time in which changes occurred on each host
|Technique||Tactic||Level of Coverage|
|New Service||Persistence, Privilege Escalation||Moderate|
|Modify Existing Service||Persistence|
|File System Permissions Weakness||Persistence, Privilege Escalation||Moderate|
|Service Execution||Execution, Privilege Escalation||Moderate|
Look for events where a file was created and then later run as a service. In these cases, a new service has been created or the binary has been modified. Many programs, such
msiexec.exe, do these behaviors legitimately and can be used to help validate legitimate service creations/modifications.
legitimate_installers = ["C:\windows\system32\msiexec.exe", "C:\windows\syswow64\msiexec.exe", ...] file_change = search File:Create,Modify process = search Process:Create service_process = filter processes where (parent_exe == "services.exe") modified_service = join (search, filter) where ( file_change.time < service_process.time and file_change.file_path == service_process.image_path ) modified_service = filter modified_service where (modified_service.file_change.image_path not in legitimate_installers) output modified_service