T1569 System Services
Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary execution.
Item | Value |
---|---|
ID | T1569 |
Sub-techniques | T1569.001, T1569.002 |
Tactics | TA0002 |
Platforms | Linux, Windows, macOS |
Permissions required | Administrator, SYSTEM, User, root |
Version | 1.2 |
Created | 10 March 2020 |
Last Modified | 22 March 2022 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0139 | TeamTNT | TeamTNT has created system services to execute cryptocurrency mining software.2 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by PsExec from running. 1 |
M1026 | Privileged Account Management | Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level. |
M1022 | Restrict File and Directory Permissions | Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level. |
M1018 | User Account Management | Prevent users from installing their own launch agents or launch daemons. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Modification |
DS0009 | Process | Process Creation |
DS0019 | Service | Service Creation |
DS0024 | Windows Registry | Windows Registry Key Modification |