T1543.003 Microsoft Sentinel · KQL

Detect Windows Service in Microsoft Sentinel

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence or privilege escalation. Windows services run under SYSTEM privileges by default, making them attractive targets for privilege escalation as well. Adversaries use sc.exe, PowerShell, direct Registry modification, or native Windows API calls (CreateServiceW, ZwLoadDriver) to install malicious services. Techniques include: creating new services pointing to malicious executables or DLLs, hijacking existing service ImagePath registry values, installing malicious kernel drivers for rootkit capabilities, loading signed-but-vulnerable drivers (BYOVD - Bring Your Own Vulnerable Driver), and hiding services using sc sdset with restrictive SDDL permissions. Real-world usage includes NightClub (WmdmPmSp service), Industroyer (hijacked legitimate service ImagePath), Volgmer (overwrote ServiceDLL), CosmicDuke (javamtsup service), Cuba ransomware (OpenService/ChangeServiceConfig API), and FunnyDream (WSearch service modification).

MITRE ATT&CK

Tactic
Persistence, Privilege Escalation
Technique
T1543 Create or Modify System Process
Sub-technique
T1543.003 Windows Service
Canonical reference
https://attack.mitre.org/techniques/T1543/003/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
let SuspiciousServicePaths = dynamic([
  "\\Temp\\", "\\tmp\\", "\\AppData\\", "\\Users\\Public\\",
  "\\ProgramData\\", "\\Downloads\\", "\\Desktop\\",
  "%temp%", "%tmp%", "%appdata%", "%userprofile%",
  "C:\\Windows\\Temp\\", "C:\\Temp\\"
]);
let SuspiciousExtensions = dynamic([".bat", ".vbs", ".ps1", ".cmd", ".js"]);
// Services that are routinely installed or reconfigured by legitimate tooling; excluded to cut noise
let KnownAdminTools = dynamic(["MSSQLSERVER", "SQLSERVERAGENT", "RemoteRegistry", "W3SVC"]);
// Detection 1: new service installation via Security Event ID 4697.
// (System Event ID 7045 carries the same data but is not in the SecurityEvent table.)
// SecurityEvent already exposes ServiceName, ServiceFileName, ServiceType, ServiceStartType
// and ServiceAccount as columns, so EventData does not need to be parsed.
let NewServiceInstall = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4697
| extend ServiceFilePath = ServiceFileName
| where ServiceName !in~ (KnownAdminTools)
// Extension of the last token of the path, e.g. ".ps1"; empty string when there is none
| extend ServiceExt = tolower(extract(@"(\.[A-Za-z0-9]+)\s*$", 1, ServiceFilePath))
| where ServiceFilePath has_any (SuspiciousServicePaths)
  or ServiceExt in (SuspiciousExtensions)
  or ServiceFilePath has "cmd /c"
  or ServiceFilePath has "powershell"
  or ServiceFilePath contains "\\\\" // UNC network path: two literal backslashes
| extend DetectionReason = case(
    ServiceFilePath has_any (SuspiciousServicePaths), "Service binary in suspicious path",
    ServiceFilePath has "cmd /c", "Service binary uses cmd interpreter",
    ServiceFilePath has "powershell", "Service binary uses PowerShell",
    ServiceFilePath contains "\\\\", "Service binary on network share",
    "Suspicious extension in service path"
  )
// Column names are aligned with the Device* tables so the union below is not sparse
| project Timestamp = TimeGenerated, DeviceName = Computer, AccountName = SubjectUserName,
  AccountDomain = SubjectDomainName, ServiceName, ServiceFilePath, ServiceType,
  ServiceStartType, ServiceAccount, DetectionReason, DetectionVector = "Security 4697";
// Detection 2: sc.exe service creation or modification
let ScExeServiceCreation = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "sc.exe"
| where ProcessCommandLine has_any ("create", "config", "sdset", "failure")
| extend IsCreate = ProcessCommandLine has "create"
| extend IsConfig = ProcessCommandLine has "config"
| extend IsSdset = ProcessCommandLine has "sdset" // SDDL change that can hide the service
| extend IsFailure = ProcessCommandLine has "failure" // persistence via recovery commands
| extend HasBinPath = ProcessCommandLine has "binpath="
// In a verbatim @"" string an embedded double quote is written as "", not \"
| extend BinPathValue = extract(@"(?i)binpath=\s*[""']?([^""']+)", 1, ProcessCommandLine)
| extend IsSuspiciousPath = BinPathValue has_any (SuspiciousServicePaths)
  or BinPathValue has "cmd /c"
  or BinPathValue has "powershell"
  or BinPathValue contains "\\\\" // UNC network path
| where IsCreate or IsConfig or IsSdset or IsFailure
| extend DetectionReason = case(
    IsSdset, "sc sdset used to potentially hide service from enumeration",
    IsFailure and (ProcessCommandLine has "command=" or ProcessCommandLine has "run="), "Service failure recovery command set, possible persistence",
    IsSuspiciousPath, "Service binary path in suspicious location",
    IsCreate and HasBinPath, "New service creation with explicit binary path",
    IsConfig, "Existing service configuration modified",
    "sc.exe service manipulation"
  )
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
  InitiatingProcessCommandLine, IsCreate, IsConfig, IsSdset, BinPathValue, DetectionReason,
  DetectionVector = "sc.exe";
// Detection 3: direct registry modification under ...\Services (bypasses sc.exe; no 4697/7045 is logged)
let RegistryServiceCreate = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey matches regex @"(?i)^HKEY_LOCAL_MACHINE\\SYSTEM\\(CurrentControlSet|ControlSet001|ControlSet002)\\Services\\"
// RegistryKeyCreated events carry no value name, so only value writes are evaluated here
| where ActionType == "RegistryValueSet"
| where RegistryValueName in~ ("ImagePath", "ServiceDLL", "Start", "Type", "ObjectName")
// The service name is the first key below Services\ (ServiceDLL lives under a Parameters subkey)
| extend ServiceName = extract(@"(?i)Services\\([^\\]+)", 1, RegistryKey)
| where ServiceName !in~ (KnownAdminTools)
| extend NewValue = tostring(RegistryValueData)
| extend IsImagePath = RegistryValueName =~ "ImagePath"
| extend IsServiceDLL = RegistryValueName =~ "ServiceDLL"
| extend IsSuspiciousValue = NewValue has_any (SuspiciousServicePaths)
  or NewValue has "cmd /c"
  or NewValue has "powershell"
| where not (InitiatingProcessFileName in~ ("services.exe", "msiexec.exe", "TrustedInstaller.exe", "svchost.exe"))
  and (IsImagePath or IsServiceDLL or IsSuspiciousValue)
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, NewValue,
  ServiceName, InitiatingProcessFileName, InitiatingProcessCommandLine, IsSuspiciousValue,
  DetectionVector = "Registry";
union NewServiceInstall, ScExeServiceCreation, RegistryServiceCreate
| sort by Timestamp desc
```
Severity: high. Confidence: high.

Multi-signal detection for Windows service creation and modification abuse (T1543.003). Covers three vectors: (1) Security Event ID 4697 for new service installation with suspicious binary paths including temp directories, user-writable locations, and interpreter-based services; (2) sc.exe process execution with create/config/sdset/failure subcommands, extracting the binpath value and checking for suspicious locations; (3) Direct registry modification of HKLM\SYSTEM\CurrentControlSet\Services ImagePath and ServiceDLL values by non-service-installer processes. Detects real-world TTPs from NightClub, Industroyer, Volgmer, Cuba ransomware, and FunnyDream campaigns.

Data Sources

  • Process: Process Creation
  • Windows Registry: Windows Registry Key Modification
  • Windows Registry: Windows Registry Key Creation
  • Service: Service Creation
  • Service: Service Modification
  • Microsoft Defender for Endpoint
  • Microsoft Sentinel — Windows Security Events

Required Tables

  • SecurityEvent
  • DeviceProcessEvents
  • DeviceRegistryEvents

False Positives & Tuning

  • Software installers legitimately creating new services during application installation (MSI packages, third-party software)
  • System administrators manually creating or reconfiguring services for maintenance or troubleshooting using sc.exe
  • Configuration management tools (SCCM, Chef, Puppet, Ansible) modifying service configurations as part of desired state enforcement
  • Endpoint security products and monitoring agents installing their own services during deployment
  • Windows Update and TrustedInstaller modifying existing service ImagePath values during OS updates

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Malicious Service with sc.exe Pointing to Temp Directory

    Expected signal: Security Event ID 4697: new service 'WindowsUpdateSvc' with ServiceFileName 'C:\Windows\Temp\svchost_update.exe'. System Event ID 7045 with same details. Sysmon Event ID 1: sc.exe with CommandLine containing 'create', 'WindowsUpdateSvc', and 'C:\Windows\Temp\svchost_update.exe'. Sysmon Event ID 11: file creation event for svchost_update.exe in C:\Windows\Temp.

  2. Test 2: Service Creation Using PowerShell as Service Binary (Interpreter-Based Service)

    Expected signal: Security Event ID 4697: new service 'DiagnosticService' with ServiceFileName containing 'powershell.exe'. System Event ID 7045 with the same details. Sysmon Event ID 1: sc.exe CommandLine containing 'create', 'DiagnosticService', and 'powershell.exe'. KQL DeviceRegistryEvents: new key under HKLM\SYSTEM\CurrentControlSet\Services\DiagnosticService with ImagePath value containing 'powershell.exe'.

  3. Test 3: Hijack Existing Service ImagePath via Registry Modification

    Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject = 'HKLM\SYSTEM\CurrentControlSet\Services\Fax\ImagePath', Details = 'C:\Windows\Temp\payload.exe', Image = reg.exe. Sysmon Event ID 1: reg.exe process creation with CommandLine containing 'add' and 'Services\Fax'. No Event 4697 or 7045 fires — this detection gap is exactly why the registry-based detection vector is required.

  4. Test 4: Hide Service from Enumeration Using sc sdset (SDDL Manipulation)

    Expected signal: Sysmon Event ID 1: two sc.exe executions — first with 'create MicrosoftUpdate' in CommandLine, second with 'sdset MicrosoftUpdate' and the SDDL string. Security Event ID 4697 for the initial service creation. System Event ID 7045. After sdset, running 'Get-Service MicrosoftUpdate' will return an error; 'sc query MicrosoftUpdate' will return 'FAILED 5'. The service remains visible in the registry at HKLM\SYSTEM\CurrentControlSet\Services\MicrosoftUpdate.
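As an added illustration, not code from the original page: the same three-vector classification logic rewritten in plain Python so it can be checked offline against constructed inputs shaped like the four tests above (4697 ServiceFileName strings, sc.exe command lines, and DeviceRegistryEvents-style dicts). The function names, the SDDL_PLACEHOLDER token and every sample value are assumptions made for this example.

```python
import re

SUSPICIOUS_PATHS = ["\\Temp\\", "\\tmp\\", "\\AppData\\", "\\Users\\Public\\",
                    "\\ProgramData\\", "\\Downloads\\", "\\Desktop\\",
                    "%temp%", "%tmp%", "%appdata%", "%userprofile%"]
SCRIPT_EXT = re.compile(r"\.(bat|vbs|ps1|cmd|js)\s*$", re.I)
BINPATH = re.compile(r"binpath=\s*[\"']?([^\"']+)", re.I)  # same capture as the KQL extract()
SERVICES_KEY = re.compile(r"HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet00[12])\\Services\\([^\\]+)", re.I)
INSTALLERS = {"services.exe", "msiexec.exe", "trustedinstaller.exe", "svchost.exe"}

def path_reason(path):
    """Detection 1: ordered case() over a 4697 ServiceFileName; None means no hit."""
    p = path.lower()
    if any(s.lower() in p for s in SUSPICIOUS_PATHS):
        return "Service binary in suspicious path"
    if "cmd /c" in p:
        return "Service binary uses cmd interpreter"
    if "powershell" in p:
        return "Service binary uses PowerShell"
    if "\\\\" in p:  # UNC path: two literal backslashes
        return "Service binary on network share"
    if SCRIPT_EXT.search(p):
        return "Suspicious extension in service path"
    return None

def sc_reason(cmdline):
    """Detection 2: classify an sc.exe command line the way the query's case() does."""
    words = cmdline.lower().split()
    binpath = next(iter(BINPATH.findall(cmdline)), "").strip()
    if "sdset" in words:
        return "sc sdset used to potentially hide service from enumeration"
    if "failure" in words and re.search(r"(command|run)=", cmdline, re.I):
        return "Service failure recovery command set, possible persistence"
    if binpath and path_reason(binpath) not in (None, "Suspicious extension in service path"):
        return "Service binary path in suspicious location"
    if "create" in words and binpath:
        return "New service creation with explicit binary path"
    if "config" in words:
        return "Existing service configuration modified"
    return "sc.exe service manipulation" if {"create", "failure"} & set(words) else None

def registry_reason(ev):
    """Detection 3: ev is a constructed dict keyed by DeviceRegistryEvents column names."""
    m = SERVICES_KEY.search(ev["RegistryKey"])
    if ev["ActionType"] != "RegistryValueSet" or not m or ev["InitiatingProcessFileName"].lower() in INSTALLERS:
        return None  # key-create events, non-service keys and trusted installers are not evaluated
    suspicious = path_reason(ev["RegistryValueData"]) is not None
    if ev["RegistryValueName"].lower() in ("imagepath", "servicedll") or suspicious:
        return m.group(1), suspicious  # (service name, IsSuspiciousValue)
    return None
```

Test 3's reg.exe write to Services\Fax\ImagePath is caught by registry_reason alone, which is the gap the page's third vector exists to close.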
