ATT&CK coverage › Technique

Create or Modify System Process `T1543`

Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters.

Events covered

13 catalog events are tagged with this technique by at least one rule.

Provider	Event ID	Title
Sysmon	1	Process creation
Sysmon	5	Process terminated
Sysmon	6	Driver loaded
Sysmon	7	Image loaded
Sysmon	11	FileCreate
Security-Auditing	4624	An account was successfully logged on.
Security-Auditing	4688	A new process has been created.
Security-Auditing	4689	A process has exited.
Security-Auditing	4697	A service was installed in the system.
Defender-DeviceEvents	9007000	Defender event (any)
CodeIntegrity	3023	The driver FileNameBuffer is blocked from loading as the driver has been revoked by Microsoft.
CodeIntegrity	3077	Code Integrity determined that a process (Process Name) attempted to load File Name that did not meet the Requested Signing Level signing level requirements or violated code integrity p...
Service-Control-Manager	7045	A service was installed in the system.

Authoring guide

Patterns shared across the 18 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (30 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`Hashes`	4	`match` 4	`IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0`, `IMPHASH=F86759BB4DE4320918615DC06E998A39`, `IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18`, `SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D...`, `SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D`
`EventType`	3	`eq` 3	`service-installed`, `logged-in`
`Image`	3	`ends_with` 3, `match` 1	`\\svchost.exe`, `\ProcessHacker_`, `\ProcessHacker.exe`, `\SystemInformer.exe`
`event.outcome`	2	`eq` 2	`success`
`LogonType`	2	`eq` 2	`Network`
`source.ip`	2	`ne` 1, `cidr_match` 1	`::1`, `127.0.0.1`, `127.0.0.0/8`
`process_id`	2	`eq` 2	`0`
`ClientProcessId`	2	`eq` 2	`0`
`parent_process_id`	2	`eq` 2	`0`
`EventID`	2	`eq` 2	`7`, `7045`
`ServiceName`	2	`eq` 1, `in` 1	`KrbSCM`, `"SecurityCenterIBM"`, `"WinCheckDRVs"`
`ImageLoaded`	2	`ends_with` 2	`\kprocesshacker.sys`, `\SystemInformer.sys`
`Product`	2	`eq` 2	`Process Hacker`, `System Informer`
`Description`	2	`eq` 2	`Process Hacker`, `System Informer`
`OriginalFileName`	2	`eq` 2	`ProcessHacker.exe`, `Process Hacker`, `SystemInformer.exe`

Top indicator values (113 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field	Kind	Value	Rules (here)	Corpus reach
`EventType`	`eq`	`service-installed`	3	2
`EventType`	`eq`	`logged-in`	2	7
`LogonType`	`eq`	`Network`	2	4
`event.outcome`	`eq`	`success`	2	8
`process_id`	`eq`	`0`	2	2
`ClientProcessId`	`eq`	`0`	2	2
`parent_process_id`	`eq`	`0`	2	2
`source.ip`	`ne`	`::1`	1	7
`source.ip`	`ne`	`127.0.0.1`	1	8
`source.ip`	`cidr_match`	`127.0.0.0/8`	1
`ElevatedToken`	`eq`	`%%1843`	1
`source.ip`	`cidr_match`	`::1`	1
`AuthenticationPackageName`	`eq`	`Kerberos`	1	2
`ServiceFileName`	`match`	`vssadmin`	1
`ImagePath`	`match`	`cmd.exe`	1
`ServiceFileName`	`match`	`rundll32`	1	2
`ServiceFileName`	`match`	`bitsadmin`	1
`ServiceFileName`	`match`	`\Users\`	1
`ServiceFileName`	`match`	`COMSPEC`	1
`ImagePath`	`match`	`vssadmin`	1

Common exclusions (46 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field	Kind	Value	Rules excluding
`ServiceFileName`	`wildcard`	`?:\Windows\VeeamVssSupport\VeeamGuestHelper.exe`	2
`ServiceFileName`	`wildcard`	`?:\Windows\VeeamLogShipper\VeeamLogShipper.exe`	2
`ServiceFileName`	`wildcard`	`%SystemRoot%\pbpsdeploy.exe`	2
`ServiceFileName`	`wildcard`	`?:\Windows\System32\wbem\WmiApSrv.exe`	1
`ServiceFileName`	`wildcard`	`?:\Pella Corporation\Pella Order Management\GPAutoSvc.exe`	1
`ServiceFileName`	`wildcard`	`?:\Windows\System32\upfc.exe`	1
`ServiceFileName`	`wildcard`	`?:\Windows\AdminArsenal\PDQ*.exe`	1
`ServiceFileName`	`wildcard`	`?:\WINDOWS\RemoteAuditService.exe`	1
`ServiceFileName`	`wildcard`	`?:\Program Files (x86)\*.exe`	1
`ServiceFileName`	`wildcard`	`?:\Windows\System32\sppsvc.exe`	1
`ServiceFileName`	`wildcard`	`?:\Windows\System32\vds.exe`	1
`ServiceFileName`	`wildcard`	`?:\Windows\System32\VSSVC.exe`	1
`ServiceFileName`	`wildcard`	`?:\Windows\System32\taskhostex.exe`	1
`ServiceFileName`	`wildcard`	`?:\Windows\System32\svchost.exe`	1
`ServiceFileName`	`wildcard`	`?:\Windows\servicing\TrustedInstaller.exe`	1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 9 rules

CodeIntegrity - Blocked Driver Load With Revoked Certificate severity high, 1 event, 0 indicators, 0 exclusions
CodeIntegrity - Blocked Image/Driver Load For Policy Violation severity high, 1 event, 0 indicators, 0 exclusions
KrbRelayUp Service Installation severity high, 1 event, 1 indicator, 0 exclusions
PUA - Process Hacker Driver Load severity high, 1 event, 5 indicators, 0 exclusions
PUA - Process Hacker Execution severity medium, 1 event, 14 indicators, 0 exclusions
PUA - System Informer Driver Load severity medium, 1 event, 14 indicators, 0 exclusions
PUA - System Informer Execution severity medium, 1 event, 8 indicators, 0 exclusions
Service Installed By Unusual Client - Security severity high, 1 event, 2 indicators, 0 exclusions
Service Installed By Unusual Client - System severity high, 1 event, 2 indicators, 0 exclusions

Elastic 4 rules

Remote Windows Service Installed 2 events, 6 indicators, 2 exclusions
Service Creation via Local Kerberos Authentication 2 events, 9 indicators, 0 exclusions
Suspicious Service was Installed in the System 2 events, 40 indicators, 2 exclusions
Windows Service Installed via an Unusual Client 1 event, 4 indicators, 1 exclusion

Splunk 2 rules

Clop Ransomware Known Service Name 1 event, 3 indicators, 0 exclusions
LLM Model File Creation 1 event, 4 indicators, 0 exclusions

Kusto Query Language 3 rules

COM Event System Loading New DLL 2 events, 5 indicators, 1 exclusion
SUNBURST suspicious SolarWinds child processes (Normalized Process Events) 4 events, 1 indicator, 1 exclusion
TEARDROP memory-only dropper 1 event, 3 indicators, 0 exclusions

Create or Modify System Process T1543