T1543 Google Chronicle · YARA-L

Detect Create or Modify System Process in Google Chronicle

Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters. Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.

MITRE ATT&CK

Tactic
Persistence, Privilege Escalation
Technique
T1543 Create or Modify System Process
Canonical reference
https://attack.mitre.org/techniques/T1543/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1543_create_modify_system_process {
  meta:
    author = "Detection Engineering"
    description = "Detects creation or modification of Windows system services via sc.exe, PowerShell, or direct registry writes to CurrentControlSet\\Services. Covers LOLBin-based services, suspicious binary paths, and unusual parent process chains."
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1543"
    mitre_attack_subtechnique = "T1543.003"
    severity = "HIGH"
    priority = "HIGH"

  events:
    // Branch 1: sc.exe or PowerShell service creation
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    $e1.principal.hostname = $hostname
    (
      (
        re.regex($e1.target.process.file.full_path, `(?i)\\sc\.exe$`) and
        re.regex($e1.target.process.command_line, `(?i)(create|config)`)
      ) or
      (
        re.regex($e1.target.process.file.full_path, `(?i)\\(powershell|pwsh)\.exe$`) and
        re.regex($e1.target.process.command_line, `(?i)(New-Service|Set-Service)`)
      )
    )

  condition:
    $e1
}

rule t1543_service_registry_modification {
  meta:
    author = "Detection Engineering"
    description = "Detects suspicious registry modifications to HKLM\\SYSTEM\\CurrentControlSet\\Services including ImagePath set to suspicious locations or LOLBin executables, and autostart (Start=2/0) values written by non-system processes."
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1543"
    mitre_attack_subtechnique = "T1543.003"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e2.metadata.event_type = "REGISTRY_MODIFICATION"
    $e2.principal.hostname = $hostname
    re.regex($e2.target.registry.registry_key, `(?i)HKLM\\SYSTEM\\CurrentControlSet\\Services`)
    (
      (
        $e2.target.registry.registry_value_name = "ImagePath" and
        (
          re.regex($e2.target.registry.registry_value_data, `(?i)(\\temp\\|\\appdata\\|\\downloads\\|\\public\\|%temp%|%appdata%)`) or
          re.regex($e2.target.registry.registry_value_data, `(?i)(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe)`)
        )
      ) or
      (
        $e2.target.registry.registry_value_name = "Start" and
        // Sysmon Event ID 13 renders DWORD data as "DWORD (0x00000002)", so a
        // plain "2"/"0" comparison misses it; accept both renderings
        re.regex($e2.target.registry.registry_value_data, `(?i)^(DWORD \(0x0000000[02]\)|[02])$`) and
        // services.exe (the SCM) writes Start for sc.exe and New-Service installs;
        // this branch therefore catches direct writers (reg.exe, Set-ItemProperty),
        // while rule 1 covers the sc.exe/PowerShell path
        not re.regex($e2.principal.process.file.full_path, `(?i)(services\.exe|svchost\.exe|msiexec\.exe|TrustedInstaller\.exe|WmiPrvSE\.exe|MsMpEng\.exe)`)
      )
    )

  condition:
    $e2
}

rule t1543_service_unusual_parent {
  meta:
    author = "Detection Engineering"
    description = "Detects sc.exe service creation invoked by Office applications or script interpreters, indicating possible macro or script-based lateral movement/persistence."
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1543"
    mitre_attack_subtechnique = "T1543.003"
    severity = "CRITICAL"
    priority = "CRITICAL"

  events:
    $e3.metadata.event_type = "PROCESS_LAUNCH"
    $e3.principal.hostname = $hostname
    re.regex($e3.target.process.file.full_path, `(?i)\\sc\.exe$`)
    re.regex($e3.target.process.command_line, `(?i)create`)
    re.regex($e3.principal.process.file.full_path,
      `(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe)`)

  condition:
    $e3
}

Three YARA-L 2.0 rules detecting T1543.003 service persistence: (1) sc.exe create/config or PowerShell New-Service/Set-Service launches, (2) suspicious registry writes under the SYSTEM\CurrentControlSet\Services key (an ImagePath pointing at a LOLBin or a user-writable directory, or an autostart Start value written by something other than the SCM and known system installers), (3) sc.exe service creation parented by an Office application or script host. Each rule matches a single UDM PROCESS_LAUNCH or REGISTRY_MODIFICATION event with regexes over command lines and registry paths, so it fires on the first matching event with no correlation window. Note that for services installed through sc.exe or New-Service the Start and ImagePath values are written by services.exe, so rule 2's Start branch is aimed at direct registry writers (reg.exe, Set-ItemProperty) and the sc.exe/PowerShell path is caught by rule 1; the ImagePath branch has no writer exclusion and fires regardless of who wrote the value.

Data Sources

  • Google Chronicle UDM
  • Windows Event Logs via Chronicle Forwarder
  • Sysmon via Chronicle Forwarder

Required Tables

  • PROCESS_LAUNCH
  • REGISTRY_MODIFICATION

False Positives & Tuning

  • Enterprise software deployment pipelines (Intune, SCCM) create services as part of managed application installs — apply reference list exclusions for known MDM/deployment system hostnames and service accounts
  • Development workstations where developers test service-based applications via PowerShell New-Service — scope detection to production and server asset groups, or reduce severity for developer workstation segments
  • Backup and recovery software (Veeam, Acronis, Veritas) installs services via MSI with PowerShell wrappers — allowlist known backup agent binary hashes or signing certificate subjects
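To exercise the three rules and the hostname exclusion suggested in the tuning notes without a Chronicle tenant, here is an added example (not Chronicle's code and not part of this detection package) that ports each rule's predicate to Python and runs it over constructed UDM-shaped events. Dict keys stand in for UDM fields (target_path for target.process.file.full_path, principal_path for principal.process.file.full_path, reg_key for target.registry.registry_key, value_name/value_data for the registry value fields); the hostnames, service names and paths in the sample events are made up, and DEPLOYMENT_HOSTS stands in for a Chronicle reference list.

```python
# Added example: the three YARA-L predicates ported to Python and run offline over
# constructed UDM-shaped events. Field names are stand-ins for UDM paths (see the
# lead-in); hostnames, service names and paths are invented for illustration.
import re

I = re.IGNORECASE
SC_EXE = re.compile(r"\\sc\.exe$", I)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", I)
SERVICES_KEY = re.compile(r"HKLM\\SYSTEM\\CurrentControlSet\\Services", I)
SUSPICIOUS_DIR = re.compile(r"(\\temp\\|\\appdata\\|\\downloads\\|\\public\\|%temp%|%appdata%)", I)
LOLBIN = re.compile(r"(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|"
                    r"regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe)", I)
SYSTEM_WRITERS = re.compile(r"(services\.exe|svchost\.exe|msiexec\.exe|TrustedInstaller\.exe|"
                            r"WmiPrvSE\.exe|MsMpEng\.exe)", I)
# Sysmon Event ID 13 renders DWORD data as "DWORD (0x00000002)"; a bare "2"/"0"
# comparison misses that rendering, so both forms are accepted.
AUTOSTART = re.compile(r"^(?:DWORD \(0x0000000[02]\)|[02])$", I)
OFFICE_OR_SCRIPT = re.compile(r"(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|"
                              r"wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe)", I)


def t1543_create_modify_system_process(e):
    """Rule 1: sc.exe create/config, or PowerShell New-Service/Set-Service."""
    if e["event_type"] != "PROCESS_LAUNCH":
        return False
    via_sc = SC_EXE.search(e["target_path"]) and re.search(r"(create|config)", e["cmdline"], I)
    via_ps = POWERSHELL.search(e["target_path"]) and re.search(r"(New-Service|Set-Service)", e["cmdline"], I)
    return bool(via_sc or via_ps)


def t1543_service_registry_modification(e):
    """Rule 2: suspicious ImagePath, or Start=0/2 written by a non-system process."""
    if e["event_type"] != "REGISTRY_MODIFICATION" or not SERVICES_KEY.search(e["reg_key"]):
        return False
    if e["value_name"] == "ImagePath":
        return bool(SUSPICIOUS_DIR.search(e["value_data"]) or LOLBIN.search(e["value_data"]))
    if e["value_name"] == "Start":
        # services.exe (the SCM) writes Start for sc.exe / New-Service installs, so this
        # branch only sees direct writers such as reg.exe; rule 1 covers the SCM path.
        return bool(AUTOSTART.match(e["value_data"])) and not SYSTEM_WRITERS.search(e["principal_path"])
    return False


def t1543_service_unusual_parent(e):
    """Rule 3: sc.exe create whose parent is an Office application or script host."""
    return (e["event_type"] == "PROCESS_LAUNCH"
            and bool(SC_EXE.search(e["target_path"]))
            and bool(re.search(r"create", e["cmdline"], I))
            and bool(OFFICE_OR_SCRIPT.search(e["principal_path"])))


RULES = [t1543_create_modify_system_process, t1543_service_registry_modification,
         t1543_service_unusual_parent]

# Stand-in for a Chronicle reference list of MDM/deployment hosts (hypothetical names).
DEPLOYMENT_HOSTS = frozenset({"sccm-dp01", "intune-runner02"})


def evaluate(events, excluded_hosts=frozenset()):
    """Return (event id, rule name) pairs for every rule each event satisfies."""
    hits = []
    for e in events:
        if e["hostname"].lower() in excluded_hosts:
            continue  # equivalent of "not $e.principal.hostname in %deployment_hosts"
        hits.extend((e["id"], rule.__name__) for rule in RULES if rule(e))
    return hits


# Constructed sample events (not real telemetry), one per behaviour of interest.
SAMPLE_EVENTS = [
    {"id": 1, "event_type": "PROCESS_LAUNCH", "hostname": "ws-finance-07",
     "principal_path": r"C:\Windows\System32\cmd.exe", "target_path": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc.exe create ArgusTestSvc binPath= "C:\Windows\System32\cmd.exe /c whoami" start= auto'},
    # Start written by the SCM as a consequence of event 1: rule 2 skips it on purpose.
    {"id": 2, "event_type": "REGISTRY_MODIFICATION", "hostname": "ws-finance-07",
     "principal_path": r"C:\Windows\System32\services.exe", "value_name": "Start",
     "reg_key": r"HKLM\System\CurrentControlSet\Services\ArgusTestSvc", "value_data": "DWORD (0x00000002)"},
    # The same value written directly by reg.exe: rule 2's Start branch fires.
    {"id": 3, "event_type": "REGISTRY_MODIFICATION", "hostname": "ws-finance-07",
     "principal_path": r"C:\Windows\System32\reg.exe", "value_name": "Start",
     "reg_key": r"HKLM\System\CurrentControlSet\Services\ArgusTestSvc", "value_data": "DWORD (0x00000002)"},
    # ImagePath in a user-writable directory: rule 2's ImagePath branch fires.
    {"id": 4, "event_type": "REGISTRY_MODIFICATION", "hostname": "ws-finance-07",
     "principal_path": r"C:\Windows\System32\services.exe", "value_name": "ImagePath",
     "reg_key": r"HKLM\System\CurrentControlSet\Services\ArgusTestSvc",
     "value_data": r"C:\Users\jdoe\AppData\Local\Temp\svchost32.exe"},
    # sc.exe create parented by Word: rules 1 and 3 fire.
    {"id": 5, "event_type": "PROCESS_LAUNCH", "hostname": "ws-finance-07",
     "principal_path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target_path": r"C:\Windows\System32\sc.exe", "cmdline": r"sc create UpdaterSvc binPath= C:\Users\Public\u.exe"},
    # New-Service on a deployment host: rule 1 fires unless the host is excluded.
    {"id": 6, "event_type": "PROCESS_LAUNCH", "hostname": "sccm-dp01",
     "principal_path": r"C:\Windows\CCM\CcmExec.exe",
     "target_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command New-Service -Name AgentSvc -BinaryPathName C:\\Agent\\agent.exe"},
]

if __name__ == "__main__":
    for event_id, rule_name in evaluate(SAMPLE_EVENTS, DEPLOYMENT_HOSTS):
        print(f"event {event_id}: {rule_name}")
```

Running it with the exclusion list applied reports events 1, 3, 4 and 5 (event 5 twice, once per rule) and nothing for event 6; without the exclusion, event 6 also trips rule 1. Events 2 and 3 carry the same Sysmon-rendered Start value and differ only in the writing process, which is the point of the writer exclusion in rule 2.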

Testing Methodology

Validate this detection against the four Atomic Red Team-style tests for T1543.003 below. Each test lists the behaviour to exercise, the telemetry you should expect to see, and which of the rules above should fire on it. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Malicious Windows Service via sc.exe

    Expected signal: Security Event ID 4697 (requires the Audit Security System Extension subcategory) and System Event ID 7045: new service 'ArgusTestSvc' installed with ServiceFileName containing cmd.exe. Sysmon Event ID 1: sc.exe process creation with CommandLine containing 'create ArgusTestSvc' (rule 1). Sysmon Event ID 13: registry value set at HKLM\SYSTEM\CurrentControlSet\Services\ArgusTestSvc\ImagePath, written by services.exe (rule 2, ImagePath branch, because the path names cmd.exe).

  2. Test 2: Create Persistent Service via PowerShell New-Service

    Expected signal: Sysmon Event ID 1: powershell.exe process creation with CommandLine containing 'New-Service' (rule 1). Security Event ID 4697 and System Event ID 7045: service 'ArgusTestPSSvc' installed with ServiceFileName = powershell.exe. Sysmon Event ID 13: registry modification under HKLM\SYSTEM\CurrentControlSet\Services\ArgusTestPSSvc\ (rule 2, ImagePath branch, because the path names powershell.exe).

  3. Test 3: Service Installed in User-Writable Path

    Expected signal: Sysmon Event ID 11: file created at %TEMP%\svchost32.exe (a copy of cmd.exe). Sysmon Event ID 1: sc.exe execution with the Temp path in the command line (rule 1). Security Event ID 4697 / System Event ID 7045: new service with ServiceFileName in the user's Temp directory. Sysmon Event ID 13: ImagePath registry value containing a \Temp\ path (rule 2, ImagePath branch).

  4. Test 4: Modify Existing Service Binary Path (Service Hijacking)

    Expected signal: Sysmon Event ID 1: sc.exe with 'config' and 'binPath' in the command line targeting 'wuauserv' (rule 1). Sysmon Event ID 13: registry value modification at HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\ImagePath (rule 2 only if the new path lands in a user-writable directory or names a LOLBin). Security Event ID 4697 will not fire, because no new service is installed; System Event ID 7040 appears only if the start type is changed as well. Note: this test modifies a real service and breaks Windows Update until the original ImagePath is restored; run it only in isolated test environments.
