Detect Windows Service in CrowdStrike LogScale
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence or privilege escalation. Windows services run under SYSTEM privileges by default, making them attractive targets for privilege escalation as well. Adversaries use sc.exe, PowerShell, direct Registry modification, or native Windows API calls (CreateServiceW, ZwLoadDriver) to install malicious services. Techniques include: creating new services pointing to malicious executables or DLLs, hijacking existing service ImagePath registry values, installing malicious kernel drivers for rootkit capabilities, loading signed-but-vulnerable drivers (BYOVD - Bring Your Own Vulnerable Driver), and hiding services using sc sdset with restrictive SDDL permissions. Real-world usage includes NightClub (WmdmPmSp service), Industroyer (hijacked legitimate service ImagePath), Volgmer (overwrote ServiceDLL), CosmicDuke (javamtsup service), Cuba ransomware (OpenService/ChangeServiceConfig API), and FunnyDream (WSearch service modification).
MITRE ATT&CK
- Tactic: Persistence, Privilege Escalation
- Technique: T1543 Create or Modify System Process
- Sub-technique: T1543.003 Windows Service
- Canonical reference: https://attack.mitre.org/techniques/T1543/003/
LogScale Detection Query
#event_simpleName = "ServiceInstalled"
| (ServiceImagePath = /\\(Temp|AppData|Users\\Public|ProgramData)\\/i
   OR ServiceImagePath = /(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe)/i
   OR ServiceImagePath = /\.(bat|vbs|ps1|cmd|scr)$/i)
| case {
    ServiceImagePath = /(cmd\.exe|powershell\.exe|pwsh\.exe)/i | risk := "critical";
    ServiceImagePath = /\\(Temp|AppData)\\/i | risk := "high";
    * | risk := "medium"
  }
| table([@timestamp, ComputerName, UserName, ServiceDisplayName, ServiceImagePath, ServiceType, risk])
| sort(@timestamp, order=desc)
Detects malicious Windows service installation with suspicious binary paths via CrowdStrike Falcon. Backslashes inside the regex literals must be escaped (`\\Temp\\`, not `\Temp\`), risk is assigned with LogScale's `case { ... | field := value }` form rather than an `eval`, and the timestamp field is `@timestamp`.
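To check the path, interpreter and extension patterns of the query outside LogScale, the following Python reproduces the same filter and risk scoring over a handful of constructed ServiceInstalled records. This is an added example, not code from the original page or from CrowdStrike; the sample events and field values are constructed, and the assumption is that the event carries the field names the query uses (ServiceImagePath, ServiceDisplayName, ServiceType).

```python
import re

# The three filter regexes from the LogScale query above.
SUSPICIOUS_DIR = re.compile(r"\\(Temp|AppData|Users\\Public|ProgramData)\\", re.IGNORECASE)
INTERPRETER = re.compile(r"(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe)", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(bat|vbs|ps1|cmd|scr)$", re.IGNORECASE)

# The two patterns the case {} block uses for risk scoring.
CRITICAL_INTERPRETER = re.compile(r"(cmd\.exe|powershell\.exe|pwsh\.exe)", re.IGNORECASE)
HIGH_DIR = re.compile(r"\\(Temp|AppData)\\", re.IGNORECASE)


def is_suspicious(image_path: str) -> bool:
    """True when the service binary path matches any of the query's three conditions."""
    return bool(
        SUSPICIOUS_DIR.search(image_path)
        or INTERPRETER.search(image_path)
        or SCRIPT_EXT.search(image_path)
    )


def risk(image_path: str) -> str:
    """Risk tier in the same order of precedence as the query's case block."""
    if CRITICAL_INTERPRETER.search(image_path):
        return "critical"
    if HIGH_DIR.search(image_path):
        return "high"
    return "medium"


def triage(events):
    """Apply the event filter, path filter and scoring; newest hits first."""
    hits = []
    for ev in events:
        if ev.get("event_simpleName") != "ServiceInstalled":
            continue
        path = ev.get("ServiceImagePath", "")
        if not is_suspicious(path):
            continue
        hits.append({
            "timestamp": ev["timestamp"],
            "ComputerName": ev["ComputerName"],
            "UserName": ev["UserName"],
            "ServiceDisplayName": ev["ServiceDisplayName"],
            "ServiceImagePath": path,
            "ServiceType": ev.get("ServiceType", ""),
            "risk": risk(path),
        })
    # ISO-8601 strings sort chronologically; reverse for "desc".
    hits.sort(key=lambda h: h["timestamp"], reverse=True)
    return hits


# Constructed sample telemetry (not real Falcon events): the first two mirror
# Tests 1 and 2 of the testing methodology, the third is a legitimate vendor
# agent, the fourth is a batch file in a world-writable directory, and the
# fifth is a non-service event that the first filter line must drop.
SAMPLE_EVENTS = [
    {"event_simpleName": "ServiceInstalled", "timestamp": "2024-05-01T10:00:00Z",
     "ComputerName": "WS01", "UserName": "SYSTEM", "ServiceDisplayName": "WindowsUpdateSvc",
     "ServiceImagePath": r"C:\Windows\Temp\svchost_update.exe", "ServiceType": "Win32OwnProcess"},
    {"event_simpleName": "ServiceInstalled", "timestamp": "2024-05-01T10:05:00Z",
     "ComputerName": "WS01", "UserName": "SYSTEM", "ServiceDisplayName": "DiagnosticService",
     "ServiceImagePath": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -File C:\ProgramData\diag.ps1",
     "ServiceType": "Win32OwnProcess"},
    {"event_simpleName": "ServiceInstalled", "timestamp": "2024-05-01T10:10:00Z",
     "ComputerName": "WS02", "UserName": "SYSTEM", "ServiceDisplayName": "VendorAgent",
     "ServiceImagePath": r"C:\Program Files\Vendor\agent.exe", "ServiceType": "Win32OwnProcess"},
    {"event_simpleName": "ServiceInstalled", "timestamp": "2024-05-01T10:15:00Z",
     "ComputerName": "WS02", "UserName": "SYSTEM", "ServiceDisplayName": "UpdaterTask",
     "ServiceImagePath": r"C:\Users\Public\update.bat", "ServiceType": "Win32OwnProcess"},
    {"event_simpleName": "ProcessRollup2", "timestamp": "2024-05-01T10:20:00Z",
     "ComputerName": "WS03", "UserName": "alice", "ServiceDisplayName": "",
     "ServiceImagePath": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["timestamp"], hit["ServiceDisplayName"], hit["risk"], hit["ServiceImagePath"])
```

Note the ordering in `risk()`: the PowerShell-based service is scored critical even though its script also lives under ProgramData, because the interpreter check runs first, exactly as in the case block. The `$`-anchored extension pattern only fires when the script path is the end of ServiceImagePath; a script passed as an argument to an interpreter is caught by the interpreter pattern instead.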
Data Sources
Required Tables
False Positives & Tuning
- Software installers legitimately creating new services during application installation (MSI packages, third-party software)
- System administrators manually creating or reconfiguring services for maintenance or troubleshooting using sc.exe
- Configuration management tools (SCCM, Chef, Puppet, Ansible) modifying service configurations as part of desired state enforcement
- Endpoint security products and monitoring agents installing their own services during deployment
- Windows Update and TrustedInstaller modifying existing service ImagePath values during OS updates
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create Malicious Service with sc.exe Pointing to Temp Directory
Expected signal: Security Event ID 4697: new service 'WindowsUpdateSvc' with ServiceFileName 'C:\Windows\Temp\svchost_update.exe'. System Event ID 7045 with the same details. Sysmon Event ID 1: sc.exe with CommandLine containing 'create', 'WindowsUpdateSvc', and 'C:\Windows\Temp\svchost_update.exe'. Sysmon Event ID 11: file creation event for svchost_update.exe in C:\Windows\Temp.
- Test 2: Service Creation Using PowerShell as Service Binary (Interpreter-Based Service)
Expected signal: Security Event ID 4697: new service 'DiagnosticService' with ServiceFileName containing 'powershell.exe'. System Event ID 7045 with the same details. Sysmon Event ID 1: sc.exe CommandLine containing 'create', 'DiagnosticService', and 'powershell.exe'. KQL DeviceRegistryEvents: new key under HKLM\SYSTEM\CurrentControlSet\Services\DiagnosticService with ImagePath value containing 'powershell.exe'.
- Test 3: Hijack Existing Service ImagePath via Registry Modification
Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject = 'HKLM\SYSTEM\CurrentControlSet\Services\Fax\ImagePath', Details = 'C:\Windows\Temp\payload.exe', Image = reg.exe. Sysmon Event ID 1: reg.exe process creation with CommandLine containing 'add' and 'Services\Fax'. No Event 4697 or 7045 fires; this detection gap is exactly why the registry-based detection vector is required.
- Test 4: Hide Service from Enumeration Using sc sdset (SDDL Manipulation)
Expected signal: Sysmon Event ID 1: two sc.exe executions, the first with 'create MicrosoftUpdate' in CommandLine, the second with 'sdset MicrosoftUpdate' and the SDDL string. Security Event ID 4697 for the initial service creation. System Event ID 7045. After sdset, running 'Get-Service MicrosoftUpdate' will return an error; 'sc query MicrosoftUpdate' will return 'FAILED 5'. The service remains visible in the registry at HKLM\SYSTEM\CurrentControlSet\Services\MicrosoftUpdate.
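Test 3 shows the case the ServiceInstalled query cannot see: an ImagePath rewritten directly in the registry, which produces no 4697/7045 event but does produce Sysmon Event ID 13. The following Python is an added example of the registry-based detection vector the test calls for; it is not code from the original page, and it parses a constructed text export of Sysmon records (Key: Value lines, one blank line between records) rather than a real Sysmon log. It also watches Parameters\ServiceDll, since the page notes Volgmer overwrote ServiceDLL. The list of writers allowed to set ImagePath (services.exe for sc create, TrustedInstaller during updates, both named in the tuning notes above) is an assumption you would adjust to your estate.

```python
import re

# Registry values that decide what code a service runs. Matches both
# CurrentControlSet and the numbered ControlSet00N keys it aliases.
SERVICE_EXEC_VALUE = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\"
    r"([^\\]+)\\(ImagePath|Parameters\\ServiceDll)$",
    re.IGNORECASE,
)

# Same user-writable locations as the LogScale query's path filter.
SUSPICIOUS_DIR = re.compile(r"\\(Temp|AppData|Users\\Public|ProgramData)\\", re.IGNORECASE)

# Assumption (tuning allowlist): processes that legitimately write ImagePath.
EXPECTED_WRITERS = {
    r"c:\windows\system32\services.exe",          # Service Control Manager (sc create, CreateServiceW)
    r"c:\windows\servicing\trustedinstaller.exe",  # OS servicing / Windows Update
}


def parse_sysmon_records(text: str):
    """Parse 'Key: Value' lines into dicts; records are separated by blank lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def classify(rec):
    """Return an alert dict for a suspicious service-execution value write, else None."""
    if rec.get("EventID") != "13" or rec.get("EventType") != "SetValue":
        return None
    m = SERVICE_EXEC_VALUE.match(rec.get("TargetObject", ""))
    if not m:
        return None
    service, value_name = m.group(1), m.group(2)
    reasons = []
    # Anything other than the SCM / servicing stack touching ImagePath is the
    # Test 3 pattern (reg.exe, PowerShell, direct API writes).
    if rec.get("Image", "").lower() not in EXPECTED_WRITERS:
        reasons.append("written by non-SCM process")
    # Even an SCM write is worth a look when the new binary lives in Temp etc.
    if SUSPICIOUS_DIR.search(rec.get("Details", "")):
        reasons.append("points into user-writable directory")
    if not reasons:
        return None
    return {
        "service": service,
        "value": value_name,
        "writer": rec.get("Image", ""),
        "new_value": rec.get("Details", ""),
        "reasons": reasons,
    }


def detect(text: str):
    """Run classify() over every parsed record and keep the alerts."""
    return [a for a in (classify(r) for r in parse_sysmon_records(text)) if a]


# Constructed Sysmon export (not real telemetry). Record 1 is the Test 3
# hijack, record 2 is the Test 1 creation as seen from the registry, record 3
# is a legitimate servicing write, record 4 changes a value we do not score.
SAMPLE_SYSMON = r"""EventID: 13
EventType: SetValue
UtcTime: 2024-05-01 10:30:00.000
Image: C:\Windows\System32\reg.exe
TargetObject: HKLM\System\CurrentControlSet\Services\Fax\ImagePath
Details: C:\Windows\Temp\payload.exe

EventID: 13
EventType: SetValue
UtcTime: 2024-05-01 10:00:00.000
Image: C:\Windows\System32\services.exe
TargetObject: HKLM\System\CurrentControlSet\Services\WindowsUpdateSvc\ImagePath
Details: C:\Windows\Temp\svchost_update.exe

EventID: 13
EventType: SetValue
UtcTime: 2024-05-01 03:12:00.000
Image: C:\Windows\servicing\TrustedInstaller.exe
TargetObject: HKLM\System\CurrentControlSet\Services\wuauserv\ImagePath
Details: C:\Windows\system32\svchost.exe -k netsvcs -p

EventID: 13
EventType: SetValue
UtcTime: 2024-05-01 10:31:00.000
Image: C:\Windows\System32\reg.exe
TargetObject: HKLM\System\CurrentControlSet\Services\Fax\Start
Details: DWORD (0x00000002)
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_SYSMON):
        print(alert["service"], alert["value"], alert["writer"], "->", alert["new_value"], alert["reasons"])
```

The Fax hijack is flagged on two counts (wrong writer and a Temp path); the Test 1 service is flagged on the path alone even though services.exe wrote it, which gives a second chance at the same event if the ServiceInstalled feed is delayed. The wuauserv write is silent because a trusted writer set a System32 path, which is the Windows Update false positive listed in the tuning notes.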
References
- https://attack.mitre.org/techniques/T1543/003/
- https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697
- https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection
- https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
- https://www.sans.org/blog/defense-spotlight-finding-windows-services/
- https://technet.microsoft.com/en-us/library/cc772408.aspx
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md
- https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
- https://unit42.paloaltonetworks.com/acidbox-rare-malware/
- https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/
- https://www.welivesecurity.com/2023/08/10/moustachedbouncer-espionage-against-diplomats-in-belarus/
- https://loldrivers.io/