Detect Create or Modify System Process in CrowdStrike LogScale
Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters. Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.
MITRE ATT&CK
- Tactic: Persistence, Privilege Escalation
- Technique: T1543 Create or Modify System Process
- Canonical reference: https://attack.mitre.org/techniques/T1543/
LogScale Detection Query
// Branch 1: sc.exe or PowerShell service creation (ProcessRollup2)
#event_simpleName=ProcessRollup2
| in(FileName, values=["sc.exe", "powershell.exe", "pwsh.exe"])
| CommandLine=/(?i)(sc\.exe.*(create|config)|New-Service|Set-Service)/
| !in(ParentBaseFileName, values=["services.exe", "svchost.exe", "msiexec.exe", "TrustedInstaller.exe"])
// Label the branch that matched; the catch-all (*) is discarded further down
| case {
    FileName="sc.exe" AND CommandLine=/(?i)(create|config)/ | DetectionBranch := "sc_exe_service_create";
    FileName=/(?i)(powershell|pwsh)\.exe/ AND CommandLine=/(?i)(New-Service|Set-Service)/ | DetectionBranch := "powershell_new_service";
    * | DetectionBranch := "other"
  }
// Risk flags: service binary in a user-writable path, a LOLBin used as the service
// binary, and a parent process that has no business installing services
| SuspiciousPath := if(CommandLine=/(?i)(\\temp\\|\\appdata\\|\\downloads\\|\\public\\|%temp%|%appdata%)/, then=1, else=0)
| LOLBinService := if(CommandLine=/(?i)(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe)/, then=1, else=0)
| UnusualParent := if(ParentBaseFileName=/(?i)(winword|excel|powerpnt|outlook|wscript|cscript|mshta|rundll32)\.exe/, then=1, else=0)
| RiskScore := SuspiciousPath + LOLBinService + UnusualParent
// UnusualParent=1 already implies RiskScore > 0, so one threshold is enough
| DetectionBranch != "other"
| RiskScore > 0
| select([@timestamp, ComputerName, UserName, DetectionBranch, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, RiskScore, SuspiciousPath, LOLBinService, UnusualParent])
// count() without a field argument counts every event in the group (aid was dropped by select)
| groupBy([ComputerName, UserName, DetectionBranch, CommandLine, ParentBaseFileName], function=[
    count(as=EventCount),
    max(RiskScore, as=MaxRiskScore),
    collect([SuspiciousPath, LOLBinService, UnusualParent])
  ])
| sort(MaxRiskScore, order=desc)

// Branch 2: Registry modifications to the Services hive (run as a separate saved search)
// #event_simpleName=RegGenericValueUpdate OR #event_simpleName=RegistryKeyCreate
// | RegObjectName=/(?i)SYSTEM\\CurrentControlSet\\Services/
// | in(RegValueName, values=["ImagePath", "Start"], ignoreCase=true)
// | !in(RegOperationValue, values=["services.exe", "svchost.exe", "msiexec.exe", "TrustedInstaller.exe", "WmiPrvSE.exe", "MsMpEng.exe"])
// | SuspiciousImagePath := if(RegStringValue=/(?i)(\\temp\\|\\appdata\\|\\downloads\\|\\public\\|%temp%|%appdata%|powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe)/, then=1, else=0)
// | SuspiciousImagePath=1 OR (RegValueName=/(?i)^Start$/ AND in(RegStringValue, values=["2", "0"]))
// | select([@timestamp, ComputerName, UserName, RegObjectName, RegValueName, RegStringValue, ContextProcessName])

Detects Windows service creation and modification via CrowdStrike LogScale (Falcon Insight) using ProcessRollup2 events. Identifies sc.exe service creation, PowerShell New-Service/Set-Service invocations, LOLBin-based service binaries, suspicious service binary paths (Temp/AppData/Downloads), and service creation by Office applications or script interpreters. Registry-based detection is provided as a commented branch using RegGenericValueUpdate events.
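To check the branch labelling and risk scoring offline before the query is saved in LogScale, the following added example (not part of the original page or of CrowdStrike's tooling) re-implements the Branch 1 filters and flags in Python and runs them over constructed ProcessRollup2-style events; the field names and regexes are taken from the query, the sample events are invented.

```python
import re

# Patterns and field names mirror the Branch 1 LogScale query; Python re
# semantics are assumed to match LogScale's for these simple expressions.
SERVICE_TOOLS = {"sc.exe", "powershell.exe", "pwsh.exe"}
TRUSTED_PARENTS = {"services.exe", "svchost.exe", "msiexec.exe", "TrustedInstaller.exe"}
SERVICE_CMD = re.compile(r"(?i)(sc\.exe.*(create|config)|New-Service|Set-Service)")
SUSPICIOUS_PATH = re.compile(r"(?i)(\\temp\\|\\appdata\\|\\downloads\\|\\public\\|%temp%|%appdata%)")
LOLBIN = re.compile(r"(?i)(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|"
                    r"rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe)")
UNUSUAL_PARENT = re.compile(r"(?i)(winword|excel|powerpnt|outlook|wscript|cscript|mshta|rundll32)\.exe")


def evaluate(event):
    """Apply the query's filters and scoring to one event; None means no alert."""
    fn, cmd, parent = event["FileName"], event["CommandLine"], event["ParentBaseFileName"]
    if fn not in SERVICE_TOOLS or parent in TRUSTED_PARENTS or not SERVICE_CMD.search(cmd):
        return None
    if fn == "sc.exe" and re.search(r"(?i)(create|config)", cmd):
        branch = "sc_exe_service_create"
    elif re.search(r"(?i)(New-Service|Set-Service)", cmd):
        branch = "powershell_new_service"
    else:
        return None  # the query discards the "other" branch
    flags = {
        "SuspiciousPath": int(bool(SUSPICIOUS_PATH.search(cmd))),
        "LOLBinService": int(bool(LOLBIN.search(cmd))),
        "UnusualParent": int(bool(UNUSUAL_PARENT.search(parent))),
    }
    score = sum(flags.values())
    if score == 0:
        return None  # RiskScore > 0 gate (UnusualParent == 1 already implies it)
    return {"DetectionBranch": branch, "RiskScore": score, **flags}


def run(events):
    """Return (index, result) for every event that would reach the query output."""
    return [(i, r) for i, e in enumerate(events) if (r := evaluate(e)) is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"FileName": "sc.exe", "ParentBaseFileName": "cmd.exe",
     "CommandLine": r"sc.exe create ArgusTestSvc binPath= C:\Users\bob\AppData\Local\Temp\svchost32.exe"},
    {"FileName": "powershell.exe", "ParentBaseFileName": "WINWORD.EXE",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "New-Service -Name ArgusTestPSSvc -BinaryPathName C:\ProgramData\Vendor\agent.exe"'},
    {"FileName": "sc.exe", "ParentBaseFileName": "msiexec.exe",
     "CommandLine": r"sc.exe create VendorSvc binPath= C:\Program Files\Vendor\svc.exe"},
    {"FileName": "powershell.exe", "ParentBaseFileName": "explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Set-Service -Name Spooler -StartupType Automatic"'},
]
```

The last sample shows a tuning caveat: for the PowerShell branch the LOLBinService flag always fires because powershell.exe appears in that process's own command line, so the RiskScore > 0 gate never filters that branch and suppression has to come from the path flag or an allowlist.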
False Positives & Tuning
- Automated patching and software lifecycle management tools (Tanium, BigFix, Ivanti) execute sc.exe during service configuration — build suppression rules for known patch management tool hashes and approved service account names
- Container orchestration platforms (Docker Desktop for Windows, Kubernetes node services) create system services during startup and updates — exclude known container runtime binary paths from detection scope
- Internal IT scripting automation using PowerShell DSC or custom onboarding scripts may invoke New-Service — coordinate with IT teams to identify scheduled maintenance windows and approved scripts for tuning
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create Malicious Windows Service via sc.exe
Expected signal: Security Event ID 4697 and System Event ID 7045: New service 'ArgusTestSvc' installed with ServiceFileName containing cmd.exe. Sysmon Event ID 1: sc.exe process creation with CommandLine containing 'create ArgusTestSvc'. Sysmon Event ID 13: Registry value set at HKLM\SYSTEM\CurrentControlSet\Services\ArgusTestSvc\ImagePath.
- Test 2: Create Persistent Service via PowerShell New-Service
Expected signal: Sysmon Event ID 1: powershell.exe process creation with CommandLine containing 'New-Service'. Security Event ID 4697 and System Event ID 7045: service 'ArgusTestPSSvc' installed with ServiceFileName = powershell.exe. Sysmon Event ID 13: registry modification at HKLM\SYSTEM\CurrentControlSet\Services\ArgusTestPSSvc\.
- Test 3: Service Installed in User-Writable Path
Expected signal: Sysmon Event ID 11: file created at %TEMP%\svchost32.exe (copy of cmd.exe). Sysmon Event ID 1: sc.exe execution with TEMP path in command line. Security Event ID 4697 / System Event ID 7045: new service with ServiceFileName in user Temp directory. Sysmon Event ID 13: ImagePath registry value containing \Temp\ path.
- Test 4: Modify Existing Service Binary Path (Service Hijacking)
Expected signal: Sysmon Event ID 1: sc.exe with 'config' and 'binPath' in command line targeting 'wuauserv'. Sysmon Event ID 13: registry value modification at HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\ImagePath. Security Event ID 4697 may fire depending on Windows version and audit policy. Note: this test modifies a real service — run only in isolated test environments.
References
- https://attack.mitre.org/techniques/T1543/
- https://technet.microsoft.com/en-us/library/cc772408.aspx
- https://learn.microsoft.com/en-us/windows/win32/services/service-control-manager
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md
- https://www.mandiant.com/resources/blog/iocs-yellow-liderc-imaploader
- https://www.cisa.gov/sites/default/files/2024-04/aa24-109a-stopransomware-akira_0.pdf
- https://www.sans.org/white-papers/33492/
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set