
T1543 Create or Modify System Process

Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.[2] On macOS, launchd processes known as Launch Daemons and Launch Agents are run to finish system initialization and load user-specific parameters.[1]

Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect.

Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.[3]

| Item | Value |
|---|---|
| ID | T1543 |
| Sub-techniques | T1543.001, T1543.002, T1543.003, T1543.004 |
| Tactics | TA0003, TA0004 |
| Platforms | Linux, Windows, macOS |
| Version | 1.1 |
| Created | 10 January 2020 |
| Last Modified | 20 April 2022 |

Procedure Examples

| ID | Name | Description |
|---|---|---|
| S0401 | Exaramel for Linux | Exaramel for Linux has a hardcoded location that it uses to achieve persistence if the startup system is Upstart or System V and it is running as root.[6] |

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them. |
| M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system.[4] On Windows 10 and 11, enable the Microsoft Vulnerable Driver Blocklist to assist in hardening against third-party-developed drivers.[5] |
| M1045 | Code Signing | Enforce registration and execution of only legitimately signed service drivers where possible. |
| M1033 | Limit Software Installation | Restrict software installation to trusted repositories only and be cautious of orphaned software packages. |
| M1028 | Operating System Configuration | Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed. |
| M1022 | Restrict File and Directory Permissions | Restrict read/write access to system-level process files to only select privileged users who have a legitimate need to manage system services. |
| M1018 | User Account Management | Limit privileges of user accounts and groups so that only authorized administrators can interact with system-level process changes and service configurations. |
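The audit (M1047) and permission (M1022) mitigations above boil down to a concrete check: every file a system-level process is launched from should be root-owned and not writable by other users, and the program it starts should not sit in a directory any local user can write to. The following script is an added example written for this page (not MITRE's or any vendor's tool). It parses systemd unit files and launchd plists, applies those three checks, and runs against constructed sample entries embedded inline; `load_from_disk()` builds an entry from a real path so the same checks can be run over `/etc/systemd/system` or `/Library/LaunchDaemons`. The list of user-writable prefixes is an assumption and should be extended per site.

```python
"""Audit systemd units and launchd plists for the weaknesses M1022/M1047 target.

Added example, not code from the ATT&CK page. Checks performed per file:
  1. config file writable by group/other        -> CONFIG_WRITABLE_BY_NON_ROOT
  2. config file not owned by root              -> CONFIG_NOT_ROOT_OWNED
  3. launched program in a user-writable path   -> EXEC_IN_USER_WRITABLE_PATH
  4. no launched program could be identified    -> NO_EXECUTABLE_FOUND
"""
import os
import plistlib
import re
import stat

# Assumption: directories any local user can write to; extend for your estate.
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/Users/")

CONFIG_WRITABLE = "CONFIG_WRITABLE_BY_NON_ROOT"
CONFIG_NOT_ROOT = "CONFIG_NOT_ROOT_OWNED"
EXEC_USER_WRITABLE = "EXEC_IN_USER_WRITABLE_PATH"
NO_EXEC = "NO_EXECUTABLE_FOUND"

# systemd allows prefix characters (-, @, :, +, !) before the program and
# permits the program path to be double-quoted when it contains spaces.
_EXEC_RE = re.compile(r'^ExecStart=\s*[-@:+!]*\s*(?:"([^"]+)"|(\S+))', re.MULTILINE)


def exec_from_unit(text):
    """Return the program of the first ExecStart= line in a systemd unit, or None."""
    m = _EXEC_RE.search(text)
    if not m:
        return None
    return m.group(1) or m.group(2)


def exec_from_plist(data):
    """Return the program a launchd plist starts (ProgramArguments[0] or Program)."""
    plist = plistlib.loads(data)
    args = plist.get("ProgramArguments") or [plist.get("Program")]
    return args[0] if args and args[0] else None


def audit(entry):
    """entry: {'path', 'mode', 'uid', 'content'}; returns a list of finding codes."""
    findings = []
    if entry["mode"] & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(CONFIG_WRITABLE)
    if entry["uid"] != 0:
        findings.append(CONFIG_NOT_ROOT)
    if entry["path"].endswith(".plist"):
        exe = exec_from_plist(entry["content"])
    else:
        exe = exec_from_unit(entry["content"].decode("utf-8", "replace"))
    if exe is None:
        findings.append(NO_EXEC)
    elif exe.startswith(USER_WRITABLE_PREFIXES):
        findings.append(EXEC_USER_WRITABLE)
    return findings


def load_from_disk(path):
    """Build an audit entry from a real unit or plist file on this host."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        return {"path": path, "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid, "content": fh.read()}


def audit_all(entries):
    """Map each entry's path to its findings."""
    return {e["path"]: audit(e) for e in entries}


# Constructed sample data for the example; these are not real system files.
SAMPLES = [
    {"path": "/etc/systemd/system/sshd.service", "mode": 0o644, "uid": 0,
     "content": b"[Unit]\nDescription=OpenSSH server\n[Service]\nExecStart=/usr/sbin/sshd -D\n"},
    {"path": "/etc/systemd/system/update-helper.service", "mode": 0o666, "uid": 0,
     "content": b"[Service]\nExecStart=-/tmp/.cache/helper --quiet\n"},
    {"path": "/Library/LaunchDaemons/com.example.agent.plist", "mode": 0o644, "uid": 501,
     "content": plistlib.dumps({"Label": "com.example.agent",
                                "ProgramArguments": ["/Users/alice/Library/helper", "-d"],
                                "RunAtLoad": True})},
]

if __name__ == "__main__":
    for path, findings in audit_all(SAMPLES).items():
        print(path, "OK" if not findings else ", ".join(findings))
```

Only the first sample passes: the second is world-writable and launches a binary from `/tmp`, the third is owned by a non-root user and launches a binary from a home directory. Both are exactly the conditions under which an unprivileged user can end up with code running as root at the next boot.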

Detection

| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0027 | Driver | Driver Load |
| DS0022 | File | File Creation |
| DS0009 | Process | OS API Execution |
| DS0019 | Service | Service Creation |
| DS0024 | Windows Registry | Windows Registry Key Creation |

References