T1543.003 Splunk · SPL

Detect Windows Service in Splunk

Adversaries may create or modify Windows services to repeatedly execute malicious payloads for persistence or privilege escalation. Many services run as LocalSystem, so a service an adversary can create or reconfigure is also a route to SYSTEM. Adversaries install or alter services with sc.exe, PowerShell, direct Registry modification, or native Windows API calls (CreateServiceW, ZwLoadDriver). Techniques include creating new services that point to malicious executables or DLLs, hijacking the ImagePath (or ServiceDLL) registry value of an existing service, installing malicious kernel drivers for rootkit capability, loading signed-but-vulnerable drivers (BYOVD, Bring Your Own Vulnerable Driver), and hiding services with sc sdset and a restrictive SDDL. Real-world usage includes NightClub (WmdmPmSp service), Industroyer (hijacked a legitimate service's ImagePath), Volgmer (overwrote ServiceDLL), CosmicDuke (javamtsup service), Cuba ransomware (OpenService/ChangeServiceConfig API), and FunnyDream (WSearch service modification).

MITRE ATT&CK

Tactic
Persistence, Privilege Escalation
Technique
T1543 Create or Modify System Process
Sub-technique
T1543.003 Windows Service
Canonical reference
https://attack.mitre.org/techniques/T1543/003/

SPL Detection Query

Splunk (SPL)
spl
| union
[
  search index=wineventlog (sourcetype="WinEventLog:System" OR sourcetype="XmlWinEventLog:System") EventCode=7045
  | eval ServiceName=coalesce(ServiceName, Service_Name),
         ServiceFileName=coalesce(ImagePath, Service_File_Name, ServiceFileName),
         ServiceType=coalesce(ServiceType, Service_Type),
         ServiceStartType=coalesce(StartType, Service_Start_Type),
         ServiceAccount=coalesce(AccountName, Service_Account)
  | eval SuspiciousPath=if(
      match(lower(ServiceFileName), "\\\\temp\\\\|\\\\tmp\\\\|\\\\appdata\\\\|\\\\users\\\\public\\\\|\\\\programdata\\\\|\\\\downloads\\\\|\\\\desktop\\\\|c:\\\\temp\\\\"),
      1, 0)
  | eval InterpreterService=if(
      match(lower(ServiceFileName), "cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|\.bat\b|\.vbs\b|\.ps1\b"),
      1, 0)
  | eval NetworkPath=if(match(ServiceFileName, "^\\\\\\\\"), 1, 0)
  | eval SuspicionScore=SuspiciousPath + InterpreterService + NetworkPath
  | where SuspicionScore > 0
  | eval DetectionVector="Event 7045 New Service Install"
  | table _time, host, ServiceName, ServiceFileName, ServiceType, ServiceStartType, ServiceAccount, SuspiciousPath, InterpreterService, NetworkPath, SuspicionScore, DetectionVector
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\sc.exe")
    (CommandLine="* create *" OR CommandLine="* config *" OR CommandLine="* sdset *" OR CommandLine="* failure *")
  | eval IsCreate=if(match(CommandLine, "(?i)\\bsc(\.exe)?\"?\s+create\s"), 1, 0)
  | eval IsConfig=if(match(CommandLine, "(?i)\\bsc(\.exe)?\"?\s+config\s"), 1, 0)
  | eval IsSdset=if(match(CommandLine, "(?i)\\bsc(\.exe)?\"?\s+sdset\s"), 1, 0)
  | eval IsFailure=if(match(CommandLine, "(?i)\\bsc(\.exe)?\"?\s+failure\s"), 1, 0)
  | rex field=CommandLine "(?i)binpath=\s*(?P<BinPathValue>\"[^\"]*\"|\S+)"
  | eval BinPathValue=trim(coalesce(BinPathValue, ""), "\"")
  | eval SuspiciousPath=if(
      match(lower(BinPathValue), "\\\\temp\\\\|\\\\tmp\\\\|\\\\appdata\\\\|\\\\users\\\\public\\\\|\\\\programdata\\\\|c:\\\\temp\\\\"),
      1, 0)
  | eval InterpreterInPath=if(
      match(lower(BinPathValue), "cmd\.exe|powershell\.exe|mshta\.exe|\.bat\b|\.vbs\b|\.ps1\b"),
      1, 0)
  | eval HiddenService=IsSdset
  | eval SuspicionScore=SuspiciousPath + InterpreterInPath + HiddenService + IsFailure
  | eval DetectionVector="Sysmon sc.exe Service Manipulation"
  | table _time, host, User, CommandLine, ParentImage, BinPathValue, IsCreate, IsConfig, IsSdset, IsFailure, SuspiciousPath, InterpreterInPath, SuspicionScore, DetectionVector
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=12 OR EventCode=13 OR EventCode=14)
    TargetObject="*\\SYSTEM\\*ControlSet*\\Services\\*"
    (TargetObject="*\\ImagePath" OR TargetObject="*\\ServiceDLL")
    NOT (Image="*\\services.exe" OR Image="*\\msiexec.exe" OR Image="*\\TrustedInstaller.exe" OR Image="*\\svchost.exe")
  | eval IsImagePath=if(match(TargetObject, "(?i)ImagePath$"), 1, 0)
  | eval IsServiceDLL=if(match(TargetObject, "(?i)ServiceDLL$"), 1, 0)
  | rex field=TargetObject "(?i)Services\\\\(?P<ServiceName>[^\\\\]+)"
  | eval SuspiciousValue=if(
      match(lower(coalesce(Details, "")), "\\\\temp\\\\|\\\\appdata\\\\|\\\\users\\\\public\\\\|cmd\.exe|powershell\.exe|\.bat\b|\.ps1\b"),
      1, 0)
  | eval SuspicionScore=IsImagePath + IsServiceDLL + SuspiciousValue
  | eval DetectionVector="Sysmon Registry Service Key Modification"
  | table _time, host, User, Image, CommandLine, TargetObject, ServiceName, Details, IsImagePath, IsServiceDLL, SuspiciousValue, SuspicionScore, DetectionVector
]
| where SuspicionScore > 0
| sort 0 - _time
Severity: High · Confidence: High

Multi-vector SPL detection for Windows service abuse (T1543.003) that unions three data sources: (1) Windows System Event 7045 (new service installed), scoring the service binary path for temp directories, user-writable locations, interpreter-based launchers and UNC paths; (2) Sysmon Event ID 1 for sc.exe process creation with the create, config, sdset or failure subcommand, extracting the binpath= value (quoted or unquoted) and scoring it the same way, with sdset and failure scored on their own because they have little legitimate interactive use; (3) Sysmon registry events (12/13/14) on ImagePath and ServiceDLL values under HKLM\SYSTEM\...ControlSet...\Services written by anything other than services.exe, msiexec.exe, TrustedInstaller.exe or svchost.exe, which catches direct hijacks of an existing service that never produce a 7045 or 4697. Start-type changes are not surfaced: their DWORD value never matches the suspicious-value pattern. Each branch assigns a SuspicionScore and the final where drops every row that scored 0, so a plain sc create or a 7045 pointing at a normal vendor path does not alert on its own.
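The scoring logic above, rendered in Python and run over a handful of constructed events so it can be checked offline. This is an added example, not the page's query or any Splunk code; the event dictionaries, hostnames, paths and the SDDL string are constructed for illustration, and the field names follow the Sysmon and Windows System event schemas the SPL reads.

```python
import re

# Python rendering of the three SPL branches (added example, not the page's own code).
# Patterns mirror the SPL match() calls; raw strings keep one backslash per separator.
SUSPICIOUS_PATH = re.compile(
    r"\\temp\\|\\tmp\\|\\appdata\\|\\users\\public\\|\\programdata\\|"
    r"\\downloads\\|\\desktop\\|c:\\temp\\")
INTERPRETER = re.compile(
    r"cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|\.bat\b|\.vbs\b|\.ps1\b")
UNC_PATH = re.compile(r"^\\\\")
# sc.exe is logged bare ("sc create ...") from cmd and as a quoted full path from PowerShell.
SC_SUBCMD = re.compile(r'\bsc(?:\.exe)?"?\s+(create|config|sdset|failure)\s', re.I)
# A quoted binpath keeps its embedded spaces; an unquoted one ends at the next whitespace.
BINPATH = re.compile(r'binpath=\s*("[^"]*"|\S+)', re.I)
SERVICE_VALUE = re.compile(
    r"\\SYSTEM\\[^\\]*ControlSet[^\\]*\\Services\\([^\\]+)\\(?:[^\\]+\\)*(ImagePath|ServiceDLL)$", re.I)
SUSPICIOUS_VALUE = re.compile(
    r"\\temp\\|\\appdata\\|\\users\\public\\|cmd\.exe|powershell\.exe|\.bat\b|\.ps1\b")
TRUSTED_WRITERS = ("\\services.exe", "\\msiexec.exe", "\\trustedinstaller.exe", "\\svchost.exe")


def flag(pattern, value):
    """1 if the pattern matches, else 0; an empty value scores 0 like a null field in SPL."""
    return 1 if value and pattern.search(value) else 0


def score_7045(ev):
    """Branch 1: System 7045, accepting XML (ImagePath) or classic (Service_File_Name) names."""
    path = ev.get("ImagePath") or ev.get("Service_File_Name") or ""
    flags = {"SuspiciousPath": flag(SUSPICIOUS_PATH, path.lower()),
             "InterpreterService": flag(INTERPRETER, path.lower()),
             "NetworkPath": flag(UNC_PATH, path)}
    return {"DetectionVector": "Event 7045 New Service Install", "ServiceFileName": path,
            "SuspicionScore": sum(flags.values()), **flags}


def score_sc(ev):
    """Branch 2: Sysmon 1 for sc.exe create/config/sdset/failure; None for anything else."""
    cmd = ev.get("CommandLine", "")
    sub = SC_SUBCMD.search(cmd)
    if not ev.get("Image", "").lower().endswith("\\sc.exe") or not sub:
        return None
    m = BINPATH.search(cmd)
    binpath = m.group(1).strip('"') if m else ""
    verb = sub.group(1).lower()
    flags = {"SuspiciousPath": flag(SUSPICIOUS_PATH, binpath.lower()),
             "InterpreterInPath": flag(INTERPRETER, binpath.lower()),
             "HiddenService": 1 if verb == "sdset" else 0,
             "IsFailure": 1 if verb == "failure" else 0}
    return {"DetectionVector": "Sysmon sc.exe Service Manipulation", "Subcommand": verb,
            "BinPathValue": binpath, "SuspicionScore": sum(flags.values()), **flags}


def score_registry(ev):
    """Branch 3: Sysmon 12/13/14 on a service ImagePath/ServiceDLL value by an untrusted writer."""
    if ev.get("Image", "").lower().endswith(TRUSTED_WRITERS):
        return None  # SCM, MSI, TrustedInstaller and svchost writes are excluded, as in the SPL
    m = SERVICE_VALUE.search(ev.get("TargetObject", ""))
    if not m:
        return None
    flags = {"IsImagePath": 1 if m.group(2).lower() == "imagepath" else 0,
             "IsServiceDLL": 1 if m.group(2).lower() == "servicedll" else 0,
             "SuspiciousValue": flag(SUSPICIOUS_VALUE, ev.get("Details", "").lower())}
    return {"DetectionVector": "Sysmon Registry Service Key Modification",
            "ServiceName": m.group(1), "SuspicionScore": sum(flags.values()), **flags}


def evaluate(events):
    """Route each event to its branch, as the SPL union does, and keep rows scoring above 0."""
    hits = []
    for ev in events:
        src, code = ev.get("source"), ev.get("EventCode")
        row = (score_7045(ev) if (src, code) == ("System", 7045) else
               score_sc(ev) if (src, code) == ("Sysmon", 1) else
               score_registry(ev) if src == "Sysmon" and code in (12, 13, 14) else None)
        if row and row["SuspicionScore"] > 0:
            hits.append({"host": ev.get("host"), **row})
    return hits


# Constructed sample events (not real telemetry); hosts, paths and the SDDL are illustrative.
SAMPLE_EVENTS = [
    {"source": "System", "EventCode": 7045, "host": "ws01", "Service_Name": "WindowsUpdateSvc",
     "Service_File_Name": r"C:\Windows\Temp\svchost_update.exe"},
    {"source": "System", "EventCode": 7045, "host": "srv02", "ServiceName": "RemoteAgent",
     "ImagePath": r"\\fileserver\share\agent.exe"},
    {"source": "Sysmon", "EventCode": 1, "host": "ws01", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'"C:\Windows\system32\sc.exe" create DiagnosticService binpath= '
                    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -enc AAAA" start= auto'},
    {"source": "Sysmon", "EventCode": 1, "host": "ws01", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc sdset MicrosoftUpdate D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)"},
    {"source": "Sysmon", "EventCode": 1, "host": "srv02", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc config Spooler start= disabled"},
    {"source": "Sysmon", "EventCode": 13, "host": "ws01", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Fax\ImagePath",
     "Details": r"C:\Windows\Temp\payload.exe"},
    # The SCM writing the key for the sc create above: excluded, so the hijack branch stays quiet.
    {"source": "Sysmon", "EventCode": 13, "host": "ws01", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\DiagnosticService\ImagePath",
     "Details": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -enc AAAA"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit["host"], hit["SuspicionScore"], hit["DetectionVector"])
```

Three things the SPL has to get right are visible here: a 7045 record may carry classic (Service_File_Name) or XML (ImagePath) field names, a quoted binpath= containing spaces must be captured whole rather than cut at the first space, and writes by services.exe are excluded, so a service created through sc.exe is scored by the 7045 and sc.exe branches while a direct registry hijack by reg.exe is scored by the registry branch alone. The benign sc config line scores 0 and is dropped, which is the behaviour the final where clause gives the union.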

Data Sources

  • Service: Service Creation
  • Process: Process Creation
  • Windows Registry: Windows Registry Key Modification
  • Sysmon Event ID 1
  • Sysmon Event ID 12
  • Sysmon Event ID 13
  • Sysmon Event ID 14
  • Windows System Event ID 7045

Required Sourcetypes

  • WinEventLog:System
  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Software installation packages (MSI, NSIS, Inno Setup) creating services in ProgramData or other non-standard locations during install
  • IT automation frameworks (Ansible, Chef, Puppet, SCCM) reconfiguring service ImagePath values as part of configuration enforcement
  • Security tools and EDR agents creating their own services during deployment
  • Developers and system administrators testing service configurations in non-standard paths
  • Backup and monitoring software that installs driver-based services pointing to legitimate .sys files in vendor directories
  • Tune with allowlists on ParentImage (sc.exe branch) and Image (registry branch) for known installers and management agents rather than on service names, which an adversary chooses freely; sc sdset has little legitimate interactive use and should not be allowlisted

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Malicious Service with sc.exe Pointing to Temp Directory

    Expected signal: Security Event ID 4697 (only if the Audit Security System Extension subcategory is enabled): new service 'WindowsUpdateSvc' with ServiceFileName 'C:\Windows\Temp\svchost_update.exe'. System Event ID 7045 with the same details. Sysmon Event ID 1: sc.exe with CommandLine containing 'create', 'WindowsUpdateSvc' and 'C:\Windows\Temp\svchost_update.exe'. Sysmon Event ID 11: file creation for svchost_update.exe in C:\Windows\Temp. The Sysmon Event ID 12/13 writes for the new Services\WindowsUpdateSvc key come from services.exe, which the registry branch excludes; the 7045 and sc.exe branches carry this detection.

  2. Test 2: Service Creation Using PowerShell as Service Binary (Interpreter-Based Service)

    Expected signal: Security Event ID 4697: new service 'DiagnosticService' with ServiceFileName containing 'powershell.exe'. System Event ID 7045 with the same. Sysmon Event ID 1: sc.exe CommandLine containing 'create', 'DiagnosticService' and 'powershell.exe'. Sysmon Event ID 13: ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\DiagnosticService containing 'powershell.exe', written by services.exe and therefore outside the registry branch; the interpreter check in the 7045 and sc.exe branches is what fires.

  3. Test 3: Hijack Existing Service ImagePath via Registry Modification

    Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject = 'HKLM\SYSTEM\CurrentControlSet\Services\Fax\ImagePath', Details = 'C:\Windows\Temp\payload.exe', Image = reg.exe. Sysmon Event ID 1: reg.exe process creation with CommandLine containing 'add' and 'Services\Fax'. No Event 4697 or 7045 fires, because the Service Control Manager is never involved; this gap is exactly why the registry-based detection vector is required. The hijacked path takes effect the next time the Fax service starts.

  4. Test 4: Hide Service from Enumeration Using sc sdset (SDDL Manipulation)

    Expected signal: Sysmon Event ID 1: two sc.exe executions, the first with 'create MicrosoftUpdate' in CommandLine, the second with 'sdset MicrosoftUpdate' followed by the SDDL string. Security Event ID 4697 and System Event ID 7045 for the initial service creation. The sdset execution alone is enough for the sc.exe branch to score (HiddenService). After sdset, 'Get-Service MicrosoftUpdate' returns an error and 'sc query MicrosoftUpdate' returns '[SC] OpenService FAILED 5: Access is denied.'. The service remains visible in the registry at HKLM\SYSTEM\CurrentControlSet\Services\MicrosoftUpdate.
