Create or Modify System Process T1543

Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters.

Events covered

24 catalog events are tagged with this technique by at least one rule.

ProviderEventTitle
SysmonEvent ID 1Process creation
SysmonEvent ID 3Network connection
SysmonEvent ID 5Process terminated
SysmonEvent ID 6Driver loaded
SysmonEvent ID 7Image loaded
SysmonEvent ID 11FileCreate
SysmonEvent ID 12RegistryEvent (Object create and delete)
SysmonEvent ID 13RegistryEvent (Value Set)
SysmonEvent ID 14RegistryEvent (Key and Value Rename)
Security-AuditingEvent ID 4624An account was successfully logged on.
Security-AuditingEvent ID 4674An operation was attempted on a privileged object.
Security-AuditingEvent ID 4688A new process has been created.
Security-AuditingEvent ID 4689A process has exited.
Security-AuditingEvent ID 4697A service was installed in the system.
Security-AuditingEvent ID 4698A scheduled task was created.
Defender-DeviceEventsanyDefender event (any)
Defender-DeviceProcessEventsanyProcess activity (any)
CodeIntegrityEvent ID 3023The driver FileNameBuffer is blocked from loading as the driver has been revoked by Microsoft.
CodeIntegrityEvent ID 3077Code Integrity determined that a process (Process Name) attempted to load File Name that did not meet the Requested Signing Level signing level requirements or violated code integrity p...
PowerShellEvent ID 4103Payload Context: ContextInfo User Data: UserData.
PowerShellEvent ID 4104Creating Scriptblock text (MessageNumber of MessageTotal).
PowerShellEvent ID 800Event ID 800
Service-Control-ManagerEvent ID 7036The Microsoft Software Shadow Copy Provider service entered the stopped state.
Service-Control-ManagerEvent ID 7045A service was installed in the system.

Authoring guide

Patterns shared across the 135 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (66 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
CommandLine36contains 29, in 4, match 3, regex_match 3, starts_with 2, eq 1create, binpath, config, (?i)cmd\.exe\s+\/Q\s+\/c, (?i)sc(\.exe)?\s(.+)?create\s
Image30ends_with 26, contains 5, eq 3, in 1\sc.exe, /curl, /python3, \reg.exe, *:\\windows\\cursors\\*
ServiceName21eq 13, contains 4, in 2, starts_with 2KrbSCM, ammyyadmin, atera, BTOBTO, Bluetooth Service
process_name20eq 16, in 4, ends_with 1sc.exe, cmd.exe, certutil.exe, powershell.exe, \services.exe
EventID19eq 197045, 6, 4688, 4697, 1
OriginalFileName18eq 17, in 1sc.exe, cmd.exe, devcon.exe, gpt4all.exe, hamakaze.exe
Provider_Name17eq 17Service Control Manager
ImagePath14contains 9, match 2, regex_match 2, ends_with 1, in 1, starts_with 1 -c , -e, -k , -nop , -r
event.type12eq 12change, start
ImageLoaded10ends_with 7, contains 1, in 1, starts_with 1*:\\windows\\cursors\\*, *:\\windows\\prefetch\\*, *\\appdata\\*, ?:\$recycle.bin\, ?:\amd\temp\
TargetObject10wildcard 5, contains 3, ends_with 2, starts_with 1*\system\controlset*\services\*\imagepath, \currentcontrolset\services\btobto\, \parameters\servicedll, \registry\machine\software\microsoft\windows\currentversi..., \registry\machine\software\microsoft\windows\currentversion\run\*
parent_process_name9eq 6, in 3, contains 1services.exe, svchost.exe, ScreenConnect.ClientService.exe, ScreenConnect.WindowsBackstageShell.exe, ScreenConnect.WindowsClient.exe
Hashes8contains 8imphash=01aa65221a48929f0a34a27c4e3011b1, imphash=021fd02a8adad420116496b6f2759960, imphash=0262d4147f21d681f8519ab2af79283f, imphash=0265c50548889ffd5c2d3a2539885efe, imphash=04de0ad9c37eb7bd52043d2ecac958df
Channel6eq 6, in 6
EventData6contains 6, regex_match 1-itemproperty, \system\currentcontrolset\services\, -encodedcommand, \\SYSTEM\\CurrentControlSet\\Services\\.*\\Security, failurecommand

Top indicator values (6494 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
Provider_Nameeq
Service Control Manager
1750
Imageends_with
\sc.exe
1230
EventIDeq
7045
1120
EventIDeq
6
45
OriginalFileNameeq
sc.exe
926
process_nameeq
sc.exe
927
process_nameeq
cmd.exe
675
CommandLinecontains
create
723
CommandLinecontains
binpath
56
CommandLinecontains
config
515
CommandLinecontains
sdset
35
CommandLinecontains
-binarypathname
22
CommandLinecontains
;ba
22
CommandLinecontains
;iu
22
CommandLinecontains
;su
22
CommandLinecontains
;sy
22
CommandLinecontains
;wd
22
CommandLinecontains
\\\\\\\\
23
CommandLinecontains
\appdata\local\temp
28
CommandLinecontains
\desktop\
213
CommandLinecontains
\downloads\
214
event.typeeq
change
646
event.typeeq
start
6241
EventDatacontains
-itemproperty
35
EventTypeeq
service-installed
33
Payloadcontains
-itemproperty
35
ScriptBlockTextcontains
-itemproperty
35
process.argseq
create
34
registry_value_nameeq
ImagePath
35
ClientProcessIdeq
0
23

Exclusions (144 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
Imagewildcard
?:\program files (x86)\*.exe
2
Imagewildcard
?:\program files\*.exe
2
Imagewildcard
?:\windows\system32\services.exe
2
ServiceFileNamewildcard
%SystemRoot%\pbpsdeploy.exe
2
ServiceFileNamewildcard
?:\Windows\VeeamLogShipper\VeeamLogShipper.exe
2
user.ideq
S-1-5-18
2
CommandLinecontains
binpath= system32\drivers\netprotection_network_filter
1
CommandLinecontains
c:\\windows\\ccm\\
1
CommandLinecontains
create avelam binpath=c:\windows\system32\drivers\avelam.sys
1
CommandLinecontains
create netprotection_network_filter
1
CommandLinecontains
displayname= netprotection_network_filter
1
CommandLinecontains
group= pnp_tdi tag= yes
1
CommandLinecontains
type= kernel start=
1
CommandLinecontains
type=kernel start=boot error=critical group=early-launch
1
DLLeq
known_dlls
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 78 rules

Elastic 17 rules

Splunk 34 rules

Kusto 5 rules

YARA-L 1 rule