
Create or Modify System Process: Windows Service T1543.003

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.

Events covered

9 catalog events are tagged with this technique by at least one rule.

Provider                 Event ID  Title
Sysmon                   1         Process creation
Sysmon                   6         Driver loaded
Sysmon                   11        FileCreate
Sysmon                   13        RegistryEvent (Value Set)
Security-Auditing        4624      An account was successfully logged on.
Security-Auditing        4688      A new process has been created.
Security-Auditing        4697      A service was installed in the system.
Service-Control-Manager  7036      The Microsoft Software Shadow Copy Provider service entered the stopped state.
Service-Control-Manager  7045      A service was installed in the system.

Authoring guide

Patterns shared across the 50 rules tagged with this technique (listed under "Rules under this technique" below): which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (30 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors apply to each field (eq, ends_with, starts_with, in, match, regex_match, wildcard, and so on) and how many rules use each operator. Sample values are concrete examples to start from, not an exhaustive list.

Field             Rules  How                                          Sample values
Image             12     ends_with 12, eq 1                           \sc.exe, \devcon.exe, \kdu.exe, \hamakaze.exe, C:\Windows\system32\lsass.exe
Provider_Name     12     eq 12                                        Service Control Manager
ImagePath         11     match 8, regex_match 2, starts_with 1, in 1  vssadmin, certmgr, \PerfLogs\, .exe, %COMSPEC%
CommandLine       11     match 11                                     ;SY, ;SU, wscript, A;, ;WD
ServiceName       11     eq 6, starts_with 2, match 2, in 1           TeamViewer, RPCPerformanceService, ZzNetSvc, PDQDeployRunner-, PDQ Deploy
EventID           8      eq 8                                         7045, 6
OriginalFileName  7      eq 7                                         sc.exe, DevCon.exe, hamakaze.exe, pwsh.dll, psservice.exe
ImageLoaded       7      ends_with 4, match 1, in 1, eq 1             \Temp\, \fur.sys, \daxin_blank2.sys, \gftkyj64.sys, \ene.sys
Hashes            4      match 4                                      MD5=5129d8fd53d6a4aba81657ab2aa5d243, SHA1=4dd86ff6f7180abebcb92e556a486abe7132754c, SHA1=e0b263f2d9c08f27c6edf5a25aa67a65c88692b0, IMPHASH=45acfe4a83f61d872fb904a1f08ef991, MD5=3ab94fba7196e84a97e83b15f7bcb270
EventType         3      eq 3                                         service-installed, logged-in
event.outcome     2      eq 2                                         success
LogonType         2      eq 2                                         Network
source.ip         2      ne 1, cidr_match 1                           ::1, 127.0.0.1, 127.0.0.0/8
ServiceFileName   2      match 2                                      vssadmin, certmgr, \PerfLogs\, .exe, %COMSPEC%
ParentImage       2      eq 1, starts_with 1, ends_with 1             C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe, C:\Program Files\Dropbox\Client\, C:\Program Files (x86)\Dropbox\Client\, \Dropbox.exe

Top indicator values (5856 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules elsewhere in the catalog (under any other technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means no rule outside this technique uses the combination.

Field            Kind       Value                    Rules (here)  Corpus reach
Provider_Name    eq         Service Control Manager  12            43
Image            ends_with  \sc.exe                  6             17
EventID          eq         7045                     5             12
EventType        eq         service-installed        3             2
ImagePath        match      powershell               3             5
CommandLine      match      binPath                  3             4
CommandLine      match      create                   3             8
EventID          eq         6                        3             4
EventType        eq         logged-in                2             7
LogonType        eq         Network                  2             4
event.outcome    eq         success                  2             8
ImagePath        match      rundll32                 2             3
ServiceFileName  match      powershell               2             4
ImagePath        match      regsvr32                 2
CommandLine      match      ;SU                      2             2
CommandLine      match      ;SY                      2             2
CommandLine      match      ;IU                      2             2
CommandLine      match      ;BA                      2             2
CommandLine      match      sdset                    2             4
CommandLine      match      ;WD                      2             2
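
The sc.exe indicators in the table above describe two command-line shapes: `sc create ... binPath=` (installing the persistence) and `sc sdset` with SDDL whose ACEs end in `;SU`, `;SY`, `;IU`, `;BA` or `;WD`. The second shape is the trustee suffix of a security descriptor; deny ACEs for those well-known trustees (Service, SYSTEM, Interactive, Builtin Administrators, Everyone) make the service invisible to service management tooling. The following Python is an added example, not a rule from the catalog: it collapses the vendor field names the way the authoring guide describes, then classifies constructed process-creation events against both shapes. The alias lists and the sample events are this example's own assumptions.

```python
import re

# Vendor field names collapse onto one canonical key, as the tables above do.
# The alias lists are this example's assumption, not the catalog's mapping.
ALIASES = {
    "Image": ("Image", "process.name", "process_name"),
    "OriginalFileName": ("OriginalFileName", "process.pe.original_file_name"),
    "CommandLine": ("CommandLine", "process.command_line", "process"),
}

# SDDL ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")

# Deny ACEs for these trustees hide the service from SCM tooling:
# SYSTEM, Builtin Administrators, Interactive, Service, Everyone.
HIDING_TRUSTEES = {"SY", "BA", "IU", "SU", "WD"}


def normalize(event):
    """Map whichever vendor field names are present onto the canonical names."""
    out = {}
    for canon, names in ALIASES.items():
        for n in names:
            if n in event:
                out[canon] = event[n]
                break
    return out


def is_sc_exe(ev):
    # Image may be a full path (Sigma/Splunk) or a bare name (Elastic process.name).
    name = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
    return name == "sc.exe" or ev.get("OriginalFileName", "").lower() == "sc.exe"


def deny_trustees(cmdline):
    """Trustees that receive a deny (type D) ACE in any SDDL string on the command line."""
    return {m.group(6).upper() for m in ACE_RE.finditer(cmdline) if m.group(1).upper() == "D"}


def classify(raw):
    """Return a verdict string for an sc.exe process-creation event, else None."""
    ev = normalize(raw)
    if not is_sc_exe(ev):
        return None
    cmd = ev.get("CommandLine", "")
    low = cmd.lower()
    if "sdset" in low:
        hidden = deny_trustees(cmd) & HIDING_TRUSTEES
        if hidden:
            return "sc_sdset_deny:" + ",".join(sorted(hidden))
    if "create" in low and "binpath" in low:
        return "sc_create_binpath"
    return None


# Constructed sample events (not real telemetry), one per vendor naming scheme.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": r'sc.exe create WinUpd binPath= "C:\Users\Public\upd.exe" start= auto'},
    {"process.name": "sc.exe",
     "process.command_line": "sc sdset WinUpd D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)"
                             "(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"},
    {"process_name": r"C:\Windows\System32\sc.exe", "process": "sc query wuauserv"},
    {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe", "CommandLine": "net start"},
]


def run(events=SAMPLE_EVENTS):
    return [classify(e) for e in events]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, run()):
        print(verdict, "<-", normalize(ev).get("CommandLine"))
```

Matching the SDDL structurally rather than on the bare `;SU` / `;BA` substrings keeps the rule from firing on an allow ACE for the same trustee, which is what a legitimate `sc sdset` hardening change looks like; the substring indicators in the table are a reasonable starting point, but they cannot tell the two apart.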

Common exclusions (44 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field            Kind      Value                                                    Rules excluding
ServiceFileName  wildcard  ?:\Windows\VeeamVssSupport\VeeamGuestHelper.exe          2
ServiceFileName  wildcard  ?:\Windows\VeeamLogShipper\VeeamLogShipper.exe           2
ServiceFileName  wildcard  %SystemRoot%\pbpsdeploy.exe                              2
ServiceFileName  wildcard  ?:\Windows\System32\wbem\WmiApSrv.exe                    1
ServiceFileName  wildcard  ?:\Pella Corporation\Pella Order Management\GPAutoSvc.exe  1
ServiceFileName  wildcard  ?:\Windows\System32\upfc.exe                             1
ServiceFileName  wildcard  ?:\Windows\AdminArsenal\PDQ*.exe                         1
ServiceFileName  wildcard  ?:\WINDOWS\RemoteAuditService.exe                        1
ServiceFileName  wildcard  ?:\Program Files (x86)\*.exe                             1
ServiceFileName  wildcard  ?:\Windows\System32\sppsvc.exe                           1
ServiceFileName  wildcard  ?:\Windows\System32\vds.exe                              1
ServiceFileName  wildcard  ?:\Windows\System32\VSSVC.exe                            1
ServiceFileName  wildcard  ?:\Windows\System32\taskhostex.exe                       1
ServiceFileName  wildcard  ?:\Windows\System32\svchost.exe                          1
ServiceFileName  wildcard  ?:\Windows\servicing\TrustedInstaller.exe                1
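
Putting the three tables together: the highest-reach indicators (Provider_Name = Service Control Manager, EventID 7045) are shared by dozens of rules and fire on every service install, so a useful rule pairs them with an ImagePath condition and then applies the exclusion list. The Python below is an added example, not a catalog rule, that runs that logic over constructed 7045 lines. The `key=value|key=value` line layout and the sample lines are this example's own; the exclusion patterns are the ones in the table above, evaluated with Sigma wildcard semantics (case-insensitive, `?` one character, `*` any run, whole-value match).

```python
import fnmatch

# ImagePath substrings taken from the indicator table (compared case-insensitively).
SUSPICIOUS_IMAGEPATH = ("powershell", "rundll32", "regsvr32", "%comspec%", "\\perflogs\\")

# Exclusions from the table above; each must match the whole ImagePath value.
EXCLUDED_IMAGEPATH = (
    r"?:\Windows\VeeamVssSupport\VeeamGuestHelper.exe",
    r"?:\Windows\VeeamLogShipper\VeeamLogShipper.exe",
    r"%SystemRoot%\pbpsdeploy.exe",
    r"?:\Windows\System32\wbem\WmiApSrv.exe",
    r"?:\Windows\System32\upfc.exe",
    r"?:\Windows\AdminArsenal\PDQ*.exe",
    r"?:\Program Files (x86)\*.exe",
    r"?:\Windows\System32\sppsvc.exe",
    r"?:\Windows\System32\vds.exe",
    r"?:\Windows\System32\VSSVC.exe",
    r"?:\Windows\System32\svchost.exe",
    r"?:\Windows\servicing\TrustedInstaller.exe",
)

# Constructed sample lines (not real event log exports) in a k=v|k=v layout of this example's own.
SAMPLE_LINES = [
    r"Provider=Service Control Manager|EventID=7045|ServiceName=WinUpd|ImagePath=%COMSPEC% /c powershell -enc SQBFAFgA|StartType=auto start",
    r"Provider=Service Control Manager|EventID=7045|ServiceName=VeeamVssSupport|ImagePath=C:\Windows\VeeamVssSupport\VeeamGuestHelper.exe|StartType=demand start",
    r"Provider=Service Control Manager|EventID=7045|ServiceName=PDQDeployRunner-1|ImagePath=C:\Windows\AdminArsenal\PDQDeployRunner\service-1\exec\PDQDeployRunner-1.exe|StartType=demand start",
    r'Provider=Service Control Manager|EventID=7045|ServiceName=ContosoAgent|ImagePath="C:\Program Files (x86)\Contoso Agent\rundll32host.exe"|StartType=auto start',
    r'Provider=Service Control Manager|EventID=7045|ServiceName=Loader|ImagePath="C:\PerfLogs\rundll32.exe" C:\PerfLogs\x.dll,Run|StartType=auto start',
    r"Provider=Service Control Manager|EventID=7036|ServiceName=VSS|ImagePath=|StartType=",
]


def parse_line(line):
    """Split one constructed k=v|k=v line into a dict."""
    return dict(part.split("=", 1) for part in line.split("|"))


def is_excluded(image_path):
    # 7045 ImagePath is frequently quoted; strip the quotes so whole-value wildcards can match.
    path = image_path.strip().strip('"').lower()
    return any(fnmatch.fnmatchcase(path, pattern.lower()) for pattern in EXCLUDED_IMAGEPATH)


def evaluate(event):
    """Return one of: out_of_scope, benign, excluded, alert."""
    if event.get("Provider") != "Service Control Manager" or event.get("EventID") != "7045":
        return "out_of_scope"
    image_path = event.get("ImagePath", "")
    if not any(token in image_path.lower() for token in SUSPICIOUS_IMAGEPATH):
        return "benign"
    if is_excluded(image_path):
        return "excluded"
    return "alert"


def run(lines=SAMPLE_LINES):
    events = [parse_line(line) for line in lines]
    return [(ev["ServiceName"], evaluate(ev)) for ev in events]


if __name__ == "__main__":
    for name, verdict in run():
        print(f"{verdict:13s} {name}")
```

Two things the sample output makes visible. The ContosoAgent line would alert on the `rundll32` substring but is swallowed by the broad `?:\Program Files (x86)\*.exe` exclusion, which is why wide exclusions deserve their own review. And because Sigma wildcards match the whole value, an exclusion such as `?:\Windows\System32\svchost.exe` does not cover `%SystemRoot%\System32\svchost.exe -k netsvcs` (unexpanded variable, trailing arguments); write the pattern for the form the field actually carries, or trail it with `*`.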

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.

Sigma 37 rules

Elastic 4 rules

Splunk 8 rules

Kusto Query Language 1 rule