DS0019 Service
A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in.[1][2]
Item | Value |
---|---|
ID | DS0019 |
Platforms | Linux, Windows, macOS |
Collection Layers | Host |
Version | 1.0 |
Created | 20 October 2021 |
Last Modified | 30 March 2022 |
Data Components
Service Creation
Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)
Domain | ID | Name |
---|---|---|
enterprise | T1557 | Adversary-in-the-Middle |
enterprise | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay |
ics | T0830 | Adversary-in-the-Middle |
enterprise | T1543 | Create or Modify System Process |
enterprise | T1543.001 | Launch Agent |
enterprise | T1543.002 | Systemd Service |
enterprise | T1543.003 | Windows Service |
enterprise | T1543.004 | Launch Daemon |
enterprise | T1564 | Hide Artifacts |
enterprise | T1564.006 | Run Virtual Instance |
enterprise | T1036 | Masquerading |
enterprise | T1036.004 | Masquerade Task or Service |
ics | T0849 | Masquerading |
enterprise | T1569 | System Services |
enterprise | T1569.001 | Launchctl |
enterprise | T1569.002 | Service Execution |
Service Metadata
Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.
Domain | ID | Name |
---|---|---|
enterprise | T1197 | BITS Jobs |
enterprise | T1574 | Hijack Execution Flow |
enterprise | T1574.005 | Executable Installer File Permissions Weakness |
enterprise | T1574.010 | Services File Permissions Weakness |
enterprise | T1562 | Impair Defenses |
enterprise | T1562.001 | Disable or Modify Tools |
enterprise | T1490 | Inhibit System Recovery |
enterprise | T1036 | Masquerading |
enterprise | T1036.004 | Masquerade Task or Service |
enterprise | T1021 | Remote Services |
enterprise | T1021.006 | Windows Remote Management |
enterprise | T1489 | Service Stop |
ics | T0881 | Service Stop |
Service Modification
Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs)
Domain | ID | Name |
---|---|---|
enterprise | T1543 | Create or Modify System Process |
enterprise | T1543.001 | Launch Agent |
enterprise | T1543.002 | Systemd Service |
enterprise | T1543.003 | Windows Service |
enterprise | T1543.004 | Launch Daemon |
enterprise | T1574 | Hijack Execution Flow |
enterprise | T1574.011 | Services Registry Permissions Weakness |
ics | T0849 | Masquerading |
References
1. Microsoft. (2017, March 30). Introduction to Windows Service Applications. Retrieved September 28, 2021.
2. The Linux Foundation. (2006, January 11). An introduction to services, runlevels, and rc.d scripts. Retrieved September 28, 2021.
3. Microsoft. (2011, July 19). Issues with BITS. Retrieved January 12, 2018.
4. Hardy, T. & Hall, J. (2018, February 15). Use Windows Event Forwarding to help with intrusion detection. Retrieved August 7, 2018.
5. Miroshnikov, A. & Hall, J. (2017, April 18). 4697(S): A service was installed in the system. Retrieved August 7, 2018.
6. Kuehn, E. (2018, April 11). Ever Run a Relay? Why SMB Relays Should Be On Your Mind. Retrieved February 7, 2019.
7. Robertson, K. (2016, August 28). Conveigh. Retrieved November 17, 2017.