Create or Modify System Process T1543
Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemons and Launch Agents are run to finish system initialization and load user-specific parameters.
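The Windows sub-technique is the one the rules below cover most densely, and most of them key on the same telemetry: the Service Control Manager's Event ID 7045 ("A service was installed in the system"). The block below is an added example, not code from the catalog or from any vendor's rule set. It parses constructed 7045 messages and applies the kinds of checks the rule titles under this technique describe (kernel driver installs, image paths in user-writable folders, encoded PowerShell in the image path, PsExec/RemCom service names, a loopback ADMIN$ image path, the Impacket smbexec echo-redirect template, and random-looking service names). The folder list and the random-name heuristic are assumptions, not catalog data.

```python
"""Service-installation triage for T1543.003, added as an example (not catalog
or vendor code). Parses constructed Windows System log Event ID 7045 messages
and applies checks the rule titles under this technique describe. The folder
list and the random-name heuristic are assumptions, not catalog data."""
import re

# Constructed 7045 messages (not real telemetry); the layout follows the
# Service Control Manager's "A service was installed in the system" text.
SAMPLE_7045 = [
    r"""Service Name:  Spooler
Service File Name:  C:\Windows\System32\spoolsv.exe
Service Type:  user mode service""",
    r"""Service Name:  hwmon
Service File Name:  \??\C:\Users\bob\AppData\Local\Temp\hwmon64.sys
Service Type:  kernel mode driver""",
    r"""Service Name:  Updater
Service File Name:  %COMSPEC% /c powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
Service Type:  user mode service""",
    r"""Service Name:  PSEXESVC
Service File Name:  %SystemRoot%\PSEXESVC.exe
Service Type:  user mode service""",
    r"""Service Name:  f2b3a1c
Service File Name:  \\127.0.0.1\ADMIN$\f2b3a1c.exe
Service Type:  user mode service""",
    # Impacket smbexec's default service name and command template.
    r"""Service Name:  BTOBTO
Service File Name:  %COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
Service Type:  user mode service""",
]

FIELD_MAP = {"Service Name": "ServiceName", "Service File Name": "ImagePath",
             "Service Type": "ServiceType"}


def parse_7045(message: str) -> dict:
    """Turn one 7045 message body into a dict keyed by FIELD_MAP names."""
    event = {}
    for line in message.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in FIELD_MAP:
            event[FIELD_MAP[key.strip()]] = value.strip()
    return event


# Assumed list of user-writable folders a legitimate service rarely runs from.
SUSPICIOUS_FOLDER = re.compile(
    r"(?i)(\\temp\\|%temp%|\\users\\public\\|\\appdata\\|\\programdata\\)")
# powershell ... -e/-ec/-enc/-encodedcommand followed by a base64 blob.
ENCODED_PS = re.compile(
    r"(?i)powershell(\.exe)?\b.*\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}")
# Service names PsExec and RemCom register on the target host.
REMOTE_EXEC_NAMES = {"psexesvc", "remcomsvc"}
# Binary dropped to the local ADMIN$ share and started over loopback.
LOOPBACK_SHARE = re.compile(r"(?i)^\\\\(127\.0\.0\.1|localhost)\\admin\$\\")
# smbexec: echo the command into a .bat and redirect output to C$\__output.
SMBEXEC_TEMPLATE = re.compile(
    r"(?i)echo .*\^>\s*\\\\127\.0\.0\.1\\c\$\\__output.*execute\.bat")


def looks_random(name: str) -> bool:
    """Heuristic (assumption): lowercase alphanumeric, 7-12 chars, mixes
    letters and digits, few vowels. Flags hex-like names such as f2b3a1c
    while letting w32time (vowel ratio 2/7) through."""
    if not re.fullmatch(r"[a-z0-9]{7,12}", name):
        return False
    if not (any(c.isdigit() for c in name) and any(c.isalpha() for c in name)):
        return False
    return sum(c in "aeiou" for c in name) / len(name) < 0.25


# (label, check over (name, image_path, service_type)) in reporting order.
CHECKS = [
    ("kernel_driver", lambda n, p, t: "driver" in t.lower()),
    ("suspicious_folder", lambda n, p, t: bool(SUSPICIOUS_FOLDER.search(p))),
    ("encoded_powershell", lambda n, p, t: bool(ENCODED_PS.search(p))),
    ("remote_exec_service_name", lambda n, p, t: n.lower() in REMOTE_EXEC_NAMES),
    ("loopback_admin_share", lambda n, p, t: bool(LOOPBACK_SHARE.match(p))),
    ("smbexec_echo_pipe", lambda n, p, t: bool(SMBEXEC_TEMPLATE.search(p))),
    ("random_name", lambda n, p, t: looks_random(n)),
]


def analyze(event: dict) -> list:
    """Return the labels that fire for one parsed 7045 event (may be empty)."""
    args = (event.get("ServiceName", ""), event.get("ImagePath", ""),
            event.get("ServiceType", ""))
    return [label for label, check in CHECKS if check(*args)]


def triage(messages) -> dict:
    """Map service name -> findings for every message that trips a check."""
    results = {}
    for message in messages:
        event = parse_7045(message)
        hits = analyze(event)
        if hits:
            results[event.get("ServiceName", "?")] = hits
    return results
```

Running `triage(SAMPLE_7045)` leaves the Spooler install unflagged and reports the other five, each with the labels that apply; the kernel driver in a Temp folder and the smbexec service each trip two checks, which is the point of stacking conditions rather than alerting on any single one.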
Events covered
24 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 135 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (66 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (6494 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means no rule outside this technique checks the combination.
Exclusions (144 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
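The three tables above come from one pass over the rule set: normalize vendor field names, collect each rule's distinct (field, operator, value) rows so a rule counts once per row, and compare per-technique counts with corpus-wide counts. The block below is an added example of that derivation, not the catalog's own code. It works over constructed rules in a simplified shape (predicates plus top-level not() exclusions); the alias table, rule ids and contents are assumptions, and real Sigma/Elastic/Splunk parsing is out of scope.

```python
"""How the authoring-guide tables are derived, as an added example (not the
catalog's own code). Works over constructed rules in a simplified shape: each
rule lists (field, operator, value) predicates and top-level not() exclusions.
The alias table and the rules are assumptions, not catalog entries."""
from collections import Counter

# Vendor field names that collapse into one catalog row (assumed aliases).
FIELD_ALIASES = {
    "Image": "process", "process.name": "process", "process_name": "process",
    "CommandLine": "command_line", "process.args": "command_line",
    "ParentImage": "parent_process", "process.parent.name": "parent_process",
    "parent_process_name": "parent_process",
}

# Constructed rules; ids and contents are illustrative only.
RULES = [
    {"id": "r1", "vendor": "Sigma", "techniques": {"T1543.003"},
     "predicates": [("Image", "wildcard", r"*\sc.exe"),
                    ("CommandLine", "wildcard", "*create*")],
     "exclusions": [("ParentImage", "wildcard", r"*\ccmexec.exe")]},
    {"id": "r2", "vendor": "Elastic", "techniques": {"T1543.003"},
     "predicates": [("process.name", "eq", "sc.exe"),
                    ("process.name", "eq", "net.exe"),
                    ("process.args", "wildcard", "create*")],
     "exclusions": []},
    {"id": "r3", "vendor": "Splunk", "techniques": {"T1543.003", "T1569.002"},
     "predicates": [("process_name", "eq", "sc.exe")],
     "exclusions": [("parent_process_name", "eq", "ccmexec.exe")]},
    {"id": "r4", "vendor": "Sigma", "techniques": {"T1543.003"},
     "predicates": [("Image", "wildcard", r"*\powershell.exe"),
                    ("CommandLine", "wildcard", "*New-Service*")],
     "exclusions": []},
    {"id": "r5", "vendor": "Sigma", "techniques": {"T1059.001"},
     "predicates": [("Image", "wildcard", r"*\powershell.exe"),
                    ("CommandLine", "wildcard", "* -enc *")],
     "exclusions": []},
]


def normalize(field: str) -> str:
    """Map a vendor field name onto its catalog row; unknown names pass through."""
    return FIELD_ALIASES.get(field, field)


def combos(predicates) -> set:
    """Distinct (field, operator, value) rows one rule contributes to."""
    return {(normalize(f), op, v) for f, op, v in predicates}


def rules_for(technique: str, rules=RULES) -> list:
    return [r for r in rules if technique in r["techniques"]]


def fields_filtered(technique: str, rules=RULES) -> dict:
    """'rules': field -> number of rules filtering on it (each rule once);
    'how': (field, operator) -> number of rules using that operator on it."""
    per_field, how = Counter(), Counter()
    for r in rules_for(technique, rules):
        per_field.update({normalize(f) for f, _, _ in r["predicates"]})
        how.update({(normalize(f), op) for f, op, _ in r["predicates"]})
    return {"rules": per_field, "how": how}


def top_indicators(technique: str, rules=RULES) -> list:
    """[(combo, rules under technique, corpus reach)], most used first.
    Reach is None when no rule outside the technique checks the combination."""
    in_tech, corpus = Counter(), Counter()
    for r in rules_for(technique, rules):
        in_tech.update(combos(r["predicates"]))
    for r in rules:
        corpus.update(combos(r["predicates"]))
    return [(c, n, corpus[c] if corpus[c] > n else None)
            for c, n in in_tech.most_common()]


def exclusions(technique: str, rules=RULES) -> Counter:
    """Top-level not() rows -> number of rules under the technique excluding them."""
    out = Counter()
    for r in rules_for(technique, rules):
        out.update(combos(r["exclusions"]))
    return out
```

With these five rules, the process row under T1543.003 counts four rules even though r2 has two process.name predicates, the `*\powershell.exe` indicator shows a corpus reach of 2 because r5 (a different technique) checks it too, and the `sc.exe` indicator shows blank reach because only rules under this technique use it.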
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor; each rule's own entry lists its full predicates, exclusions, and indicators.
Sigma 78 rules
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- Atomic MacOS Stealer - Persistence Indicators
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- CodeIntegrity - Blocked Driver Load With Revoked Certificate
- CodeIntegrity - Blocked Image/Driver Load For Policy Violation
- CosmicDuke Service Installation
- Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
- Devcon Execution Disabling VMware VMCI Device
- Driver Load From A Temporary Directory
- EAP service activation by Liontail framework for DLL sideloading (via command)
- Encoded PowerShell payload deployed via service
- Impacket SMBexec service creation (registry)
- Impacket SMBexec service registration (native)
- KrbRelayUp Service Installation
- LiteLLM / TeamPCP Supply Chain Attack Indicators
- Malicious Driver Load
- Malicious Driver Load By Name
- Mimikatz driver deployed via service
- Mimikatz driver registration (Reg via Sysmon)
- Moriya Rootkit - System
- Moriya Rootkit File Created
- New Kernel Driver Via SC.EXE
- New PDQDeploy Service - Client Side
- New PDQDeploy Service - Server Side
- New Service Creation Using PowerShell
- New Service Creation Using Sc.EXE
- OilRig APT Activity
- OilRig APT Registry Persistence
- OilRig APT Schedule Task Persistence - Security
- OilRig APT Schedule Task Persistence - System
- Possible impact of 'SMOKEDHAM backdoor' with MSDTC service privilege escalation via command line
- Potential CobaltStrike Service Installations - Registry
- Potential Persistence Attempt Via Existing Service Tampering
- ProcessHacker Privilege Elevation
- PSEXEC Remote Execution File Artefact
- PSexec service installation
- PUA - Kernel Driver Utility (KDU) Execution
- PUA - Process Hacker Driver Load
- PUA - Process Hacker Execution
- PUA - System Informer Driver Load
- PUA - System Informer Execution
- RDP session hijack via service creation abuse
- Remote Access Tool Services Have Been Installed - Security
- Remote Access Tool Services Have Been Installed - System
- Service abuse with backdoored "command failure" (Reg via command)
- Service abuse with backdoored "command failure" (Reg via PowerShell)
- Service abuse with backdoored "command failure" (service)
- Service abuse with malicious ImagePath (Reg via PowerShell)
- Service abuse with malicious ImagePath (service)
- Service creation (command)
- Service creation (PowerShell)
- Service Installation in Suspicious Folder
- Service Installation with Suspicious Folder Pattern
- Service Installed By Unusual Client - Security
- Service Installed By Unusual Client - System
- Service permissions hijacked for privileges abuse (PowerShell)
- Service permissions hijacked for privileges abuse (reg via command)
- Service permissions hijacked for privileges abuse (Reg via PowerShell)
- Service permissions hijacked for privileges abuse (service)
- ServiceDll Hijack
- Sliver C2 Default Service Installation
- StoneDrill Service Install
- Suspicious New Service Creation
- Suspicious Service DACL Modification Via Set-Service Cmdlet
- Suspicious Service Installation
- Suspicious Service Installation Script
- Suspicious Service Path Modification
- Sysinternals PsService Execution
- Sysinternals PsSuspend Execution
- TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
- Turla PNG Dropper Service
- Turla Service Install
- Uncommon Service Installation Image Path
- Vulnerable Driver Load
- Vulnerable Driver Load By Name
- Vulnerable HackSys Extreme Vulnerable Driver Load
- Vulnerable WinRing0 Driver Load
Elastic 17 rules
- Network Logon Provider Registry Modification
- Persistence via Update Orchestrator Service Hijack
- Persistence via WMI Standard Registry Provider
- Potential Privilege Escalation via Service ImagePath Modification
- Remote Windows Service Installed
- Service Command Lateral Movement
- Service Control Spawned via Script Interpreter
- Service Creation via Local Kerberos Authentication
- Service DACL Modification via sc.exe
- Service Path Modification
- Suspicious ImagePath Service Creation
- Suspicious ScreenConnect Client Child Process
- Suspicious Service was Installed in the System
- System Shells via Services
- Unsigned DLL Loaded by Svchost
- Unusual Persistence via Services Registry
- Windows Service Installed via an Unusual Client
Splunk 34 rules
- Clop Ransomware Known Service Name
- CMD Echo Pipe - Escalation
- Driver Loaded from Unusual Path - Windows (Sysmon)
- Impacket Lateral Movement Commandline Parameters
- Impacket Lateral Movement smbexec CommandLine Parameters
- Impacket Lateral Movement WMIExec Commandline Parameters
- Kernel Service Installed - Windows (Windows Event Log)
- LLM Model File Creation
- Possible Lateral Movement PowerShell Spawn
- PSexec Service Creation (Windows Event Log)
- Randomly Generated Windows Service Name
- Service Installed (Windows Event Log)
- Services LOLBAS Execution Process Spawn
- SimpleHelp Remote Access Tool Service Installation (Windows Event Log)
- Suspicious .sys Created - Windows (Sysmon)
- Suspicious PlistBuddy Usage
- Windows Bluetooth Service Installed From Uncommon Location
- Windows KrbRelayUp Service Creation
- Windows Local LLM Framework Execution
- Windows Process Execution in Temp Dir
- Windows Remote Create Service
- Windows Service Create Kernel Mode Driver
- Windows Service Create RemComSvc
- Windows Service Create with Tscon
- Windows Service Created (Sysmon)
- Windows Service Created (Windows Event Log)
- Windows Service Creation on Remote Endpoint
- Windows Service Initiation on Remote Endpoint
- Windows Suspicious Driver Loaded Path
- Windows Suspicious Process File Path
- Windows Vulnerable Driver Installed
- Windows Vulnerable Driver Loaded
- Wscript Or Cscript Suspicious Child Process
- XMRIG Driver Loaded
Kusto 5 rules
- COM Event System Loading New DLL
- Powershell Empire Cmdlets Executed in Command Line
- Rare Process as a Service
- SUNBURST suspicious SolarWinds child processes (Normalized Process Events)
- TEARDROP memory-only dropper