T1543 Create or Modify System Process
Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.[2] On macOS, launchd processes known as Launch Daemons and Launch Agents are run to finish system initialization and load user-specific parameters.[1]
Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect.
Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.[3]
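The escalation condition in the paragraph above is concrete and checkable: a service definition that runs as root (or SYSTEM) while the binary it launches, or a directory on that binary's path, can be written by an unprivileged user. The following is an added example, not code from ATT&CK or from any of the vendors cited on this page: a Python audit over systemd `.service` files and launchd `.plist` files that reports such definitions. It assumes POSIX permission bits (ACLs are not inspected), treats every plist as running as root unless `UserName` is set, and builds its own constructed sample definitions in a temporary directory; `demo()`, `stop_at`, and the sample file names are this example's own.

```python
"""Added example for T1543 (not ATT&CK or vendor code): audit service definitions
for the escalation condition described above, i.e. a root service whose launch
binary (or a directory on its path) an unprivileged user can write. Samples are constructed."""
import os
import plistlib
import re
import shlex
import stat
import tempfile

EXEC_RE = re.compile(r"^\s*Exec(?:Start|StartPre|StartPost|Reload|Stop)\s*=\s*(.*)$")
USER_RE = re.compile(r"^\s*User\s*=\s*(\S+)")


def launched_binaries(path):
    """Return (runs_as, [binaries]) for one systemd .service or launchd .plist."""
    if path.endswith(".plist"):
        with open(path, "rb") as f:
            pl = plistlib.load(f)
        # Daemons run as root unless UserName is set; Program overrides ProgramArguments[0]
        args = pl.get("ProgramArguments") or []
        prog = pl.get("Program") or (args[0] if args else None)
        return pl.get("UserName", "root"), ([prog] if prog else [])
    runs_as, bins = "root", []  # system units run as root unless User= is set
    with open(path) as f:
        for line in f:
            if (m := USER_RE.match(line)):
                runs_as = m.group(1)
            elif (m := EXEC_RE.match(line)):  # systemd allows -, @, +, !, : before the path
                argv = shlex.split(m.group(1).lstrip("-@+!:"))
                if argv:
                    bins.append(argv[0])
    return runs_as, bins


def writable_by_others(path, stop_at="/"):
    """Reasons an unprivileged user could change what `path` executes: it is world-writable,
    missing (creatable by whoever can write the parent), or an ancestor up to `stop_at`
    is a world-writable directory without the sticky bit (entries can be replaced)."""
    reasons = []
    p, stop_at = os.path.abspath(path), os.path.abspath(stop_at)
    if not os.path.lexists(p):
        reasons.append(f"{p}: does not exist")
    elif os.lstat(p).st_mode & stat.S_IWOTH:
        reasons.append(f"{p}: world-writable")
    d = os.path.dirname(p)
    while True:
        if not os.path.lexists(d):
            reasons.append(f"{d}: directory does not exist")
        elif os.lstat(d).st_mode & stat.S_IWOTH and not os.lstat(d).st_mode & stat.S_ISVTX:
            reasons.append(f"{d}: world-writable directory without sticky bit")
        if d in (stop_at, os.path.dirname(d)):
            break
        d = os.path.dirname(d)
    return reasons


def audit(definitions, stop_at="/"):
    """[(severity, file name, binary, reasons)] for each launch binary others can control."""
    findings = []
    for path in definitions:
        runs_as, bins = launched_binaries(path)
        for b in bins:
            reasons = writable_by_others(b, stop_at)
            if reasons:  # a root service here is a full privilege escalation
                findings.append(("HIGH" if runs_as == "root" else "MEDIUM", os.path.basename(path), b, reasons))
    return findings


def demo():
    """Constructed samples in a fresh temp dir used as the trust boundary; returns (findings, dir)."""
    tmp = tempfile.mkdtemp()
    sh = "#!/bin/sh\nexit 0\n"
    layout = {  # relative path: (content, or None for a directory; mode)
        "bin": (None, 0o755), "dropdir": (None, 0o777),  # dropdir: world-writable, no sticky bit
        "bin/good": (sh, 0o755), "bin/bad": (sh, 0o777), "dropdir/agent": (sh, 0o755),
        "good.service": (f"[Service]\nExecStart={tmp}/bin/good --daemon\n", 0o644),
        "bad.service": (f"[Service]\nExecStart=-{tmp}/bin/bad\n", 0o644),
        "missing.service": (f"[Service]\nExecStart={tmp}/bin/not-installed-yet\n", 0o644),
        "dropdir.service": (f"[Service]\nUser=backup\nExecStart={tmp}/dropdir/agent\n", 0o644),
    }
    for rel, (content, mode) in layout.items():
        full = os.path.join(tmp, rel)
        if content is None:
            os.mkdir(full)
        else:
            with open(full, "w") as f:
                f.write(content)
        os.chmod(full, mode)
    plist = os.path.join(tmp, "com.example.bad.plist")
    with open(plist, "wb") as f:
        plistlib.dump({"Label": "com.example.bad", "ProgramArguments": [f"{tmp}/bin/bad"]}, f)
    defs = [os.path.join(tmp, n) for n in layout if n.endswith(".service")] + [plist]
    return audit(defs, stop_at=tmp), tmp


if __name__ == "__main__":
    print(*demo()[0], sep="\n")
```

Running the file prints the four findings from the constructed samples: `bad.service`, `missing.service` and the plist are HIGH because they run as root, `dropdir.service` is MEDIUM because `User=backup` limits what a hijack gains, and `good.service` is silent. Against a real host, pass the files under `/etc/systemd/system` and `/Library/LaunchDaemons` to `audit()` with the default `stop_at="/"`; the `stop_at` boundary exists only so the sample run does not depend on how `/tmp` is configured. Note that on macOS the agent-versus-daemon distinction comes from the plist's location, which this example does not model, and that POSIX ACLs can grant write access the mode bits do not show.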
| Item | Value |
|---|---|
| ID | T1543 |
| Sub-techniques | T1543.001 Launch Agent, T1543.002 Systemd Service, T1543.003 Windows Service, T1543.004 Launch Daemon, T1543.005 Container Service |
| Tactics | TA0003 Persistence, TA0004 Privilege Escalation |
| Platforms | Containers, Linux, Windows, macOS |
| Version | 1.2 |
| Created | 10 January 2020 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1194 | Akira _v2 | Akira _v2 can create a child process for encryption.[7] |
| S1184 | BOLDMOVE | BOLDMOVE can free all resources and terminate itself on victim machines.[8] |
| S0401 | Exaramel for Linux | Exaramel for Linux has a hardcoded location that it uses to achieve persistence if the startup system is Upstart or System V and it is running as root.[9] |
| S1152 | IMAPLoader | IMAPLoader modifies Windows tasks on the victim machine to reference a retrieved PE file through a path modification.[6] |
| S1121 | LITTLELAMB.WOOLTEA | LITTLELAMB.WOOLTEA can initialize itself as a daemon to run persistently in the background.[10] |
| S1142 | LunarMail | LunarMail can create an arbitrary process with a specified command line and redirect its output to a staging directory.[11] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them. |
| M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system.[4] On Windows 10 and 11, enable the Microsoft Vulnerable Driver Blocklist to assist in hardening against third-party-developed drivers.[5] |
| M1045 | Code Signing | Enforce registration and execution of only legitimately signed service drivers where possible. |
| M1033 | Limit Software Installation | Restrict software installation to trusted repositories only and be cautious of orphaned software packages. |
| M1028 | Operating System Configuration | Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed. |
| M1026 | Privileged Account Management | Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. |
| M1022 | Restrict File and Directory Permissions | Restrict read/write access to system-level process files to only select privileged users who have a legitimate need to manage system services. |
| M1054 | Software Configuration | Where possible, consider enforcing the use of container services in rootless mode to limit the possibility of privilege escalation or malicious effects on the host running the container. |
| M1018 | User Account Management | Limit privileges of user accounts and groups so that only authorized administrators can interact with system-level process changes and service configurations. |
References
- [1] Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.
- [2] Patrick Wardle. (2016, February 29). Let’s Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved November 17, 2024.
- [3] Azure Edge and Platform Security Team & Microsoft 365 Defender Research Team. (2021, December 8). Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center. Retrieved April 6, 2022.
- [5] Jordan Geurten et al. (2022, March 29). Microsoft recommended driver block rules. Retrieved April 7, 2022.
- [6] PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024.
- [7] CISA et al. (2024, April 18). #StopRansomware: Akira Ransomware. Retrieved December 10, 2024.
- [8] Scott Henderson, Cristiana Kittner, Sarah Hawley & Mark Lechtik, Google Cloud. (2023, January 19). Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475). Retrieved December 31, 2024.
- [9] ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
- [10] Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.
- [11] Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.