title: Windows Service (T1543.003)
id: df00tech-t1543-003
status: experimental
description: "Adversaries may create or modify Windows services to repeatedly execute malicious payloads for persistence or privilege escalation. Services are commonly configured to run as LocalSystem, so a service that an administrator can create or reconfigure also gives a path from administrator to SYSTEM. Adversaries install or alter services with sc.exe, PowerShell, direct Registry modification, or native Windows API calls (CreateServiceW, ZwLoadDriver). Techniques include: creating new services that point to malicious executables or DLLs; hijacking the ImagePath or ServiceDLL registry value of an existing service; installing malicious kernel drivers for rootkit capabilities; loading signed-but-vulnerable drivers (BYOVD, Bring Your Own Vulnerable Driver); and hiding services with sc sdset by applying an SDDL whose deny ACEs stop other principals from enumerating or querying the service. Real-world usage includes NightClub (WmdmPmSp service), Industroyer (replaced a legitimate service's ImagePath), Volgmer (overwrote ServiceDLL), CosmicDuke (javamtsup service), Cuba ransomware (OpenService/ChangeServiceConfig API), and FunnyDream (WSearch service modification)."
references:
  - https://attack.mitre.org/techniques/T1543/003/
  - https://df00tech.com/detections/T1543.003
author: df00tech
date: 2026/03/12
tags:
  - attack.t1543.003
# NOTE: logsource is auto-derived. process_creation only sees sc.exe and PowerShell invocations;
# ImagePath/ServiceDLL hijacks need a registry_set source and driver installs a driver_load source.
# Adjust for your environment.
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: this selection could not be auto-translated, and EventID '*' matches every
  # process_creation event, so as written the rule fires on all of them. Replace it with the
  # KQL/SPL logic on df00tech before enabling it at level high.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Software installers legitimately creating new services during application installation (MSI packages, third-party software)"
  - System administrators manually creating or reconfiguring services for maintenance or troubleshooting using sc.exe
  - "Configuration management tools (SCCM, Chef, Puppet, Ansible) modifying service configurations as part of desired state enforcement"
  - Endpoint security products and monitoring agents installing their own services during deployment
  - Windows Update and TrustedInstaller modifying existing service ImagePath values during OS updates
level: high
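The placeholder selection above matches everything, so here is what the detection this rule describes looks like when run over events. This is an added worked example, not df00tech's rule, query or code: Python that flags the sc.exe verbs named in the description (create, config, and sdset with a deny ACE), and direct writes to a service's ImagePath or Parameters\ServiceDLL value, with an allowlist drawn from the falsepositives list. Field names follow Sigma's process_creation and registry_set conventions; the events, the service names ExampleSvc and VendorAgent, and the two allowlist entries are constructed for this demonstration. Driver loads (BYOVD) are out of scope here.

```python
"""T1543.003 detection over constructed Sysmon-style events (added example, not
df00tech's rule or code; field names follow Sigma's process_creation/registry_set
conventions, and every event here is constructed)."""
import re

# sc.exe verbs that create or reconfigure a service ("query", "qc" etc. are not flagged).
SC_VERBS = {"create", "config", "sdset"}

# Values that decide which binary a service runs (Parameters\ServiceDLL for svchost-hosted ones).
SERVICE_KEY_RE = re.compile(
    r"\\System\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\(?P<svc>[^\\]+)"
    r"\\(?:ImagePath|Parameters\\ServiceDLL)$", re.IGNORECASE)

# SDDL deny ACE: (D;flags;rights;;;sid). Service DACLs normally hold only allow (A;...)
# entries, so a deny ACE is the "hidden service" signal from the description.
DENY_ACE_RE = re.compile(r"\(D;[^)]*\)")

# Example allowlist drawn from the falsepositives list. Assumption: these two images stand in
# for your installers and servicing processes; tune before use. Deny-ACE sdset is never allowlisted.
ALLOWLISTED_IMAGES = {r"c:\windows\system32\msiexec.exe", r"c:\windows\servicing\trustedinstaller.exe"}


def parse_sc(commandline):
    """Return (verb, service, args) for a service-modifying sc.exe call, else None."""
    tokens = re.findall(r'"[^"]*"|\S+', commandline)  # sc needs a space after "binPath=", so quoted paths are whole tokens
    if not tokens:
        return None
    image = tokens[0].strip('"').lower()
    if image not in ("sc", "sc.exe") and not image.endswith("\\sc.exe"):
        return None
    rest = tokens[1:]
    if rest and rest[0].startswith("\\\\"):  # optional \\server before the verb
        rest = rest[1:]
    if len(rest) < 2 or rest[0].lower() not in SC_VERBS:
        return None
    return rest[0].lower(), rest[1].strip('"'), [t.strip('"') for t in rest[2:]]


def sddl_has_deny_ace(sddl):
    return DENY_ACE_RE.search(sddl) is not None


def evaluate(event):
    """Return a finding dict for one event, or None when it does not match."""
    if event["Category"] == "process_creation":
        parsed = parse_sc(event.get("CommandLine", ""))
        if parsed is None:
            return None
        verb, service, args = parsed
        detail = " ".join(args)
        if verb == "sdset":  # only deny ACEs; permissive DACL edits belong to a different, noisier rule
            return {"rule": "service_sddl_deny", "service": service, "detail": detail} if sddl_has_deny_ace(detail) else None
        if event.get("ParentImage", "").lower() in ALLOWLISTED_IMAGES:
            return None
        return {"rule": f"service_{verb}", "service": service, "detail": detail}
    if event["Category"] == "registry_set":
        match = SERVICE_KEY_RE.search(event.get("TargetObject", ""))
        if match is None or event.get("Image", "").lower() in ALLOWLISTED_IMAGES:
            return None
        # Writer is services.exe for sc.exe/CreateServiceW/ChangeServiceConfig changes; any other image bypassed the SCM.
        return {"rule": "service_binary_path_modified", "service": match.group("svc"),
                "detail": event.get("Details", ""), "writer": event.get("Image", "")}
    return None


def run(events):
    return [f for f in map(evaluate, events) if f is not None]


def proc(cmd, parent=r"C:\Windows\System32\cmd.exe"):
    return {"Category": "process_creation", "Image": r"C:\Windows\System32\sc.exe",
            "ParentImage": parent, "CommandLine": cmd}


def reg(image, target, details):
    return {"Category": "registry_set", "Image": image, "TargetObject": target, "Details": details}


# Constructed sample: three malicious sc.exe calls and two direct registry writes, plus three benign events.
SAMPLE_EVENTS = [
    proc(r'sc.exe create WmdmPmSp binPath= "C:\Users\Public\wmdmpmsp.exe" start= auto'),
    proc("sc config WSearch start= auto"),
    proc("sc.exe sdset ExampleSvc D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"),
    reg(r"C:\Windows\System32\reg.exe",
        r"HKLM\System\CurrentControlSet\Services\ExampleSvc\ImagePath", r"C:\ProgramData\svc.exe"),
    reg(r"C:\Users\Public\loader.exe",
        r"HKLM\System\ControlSet001\Services\ExampleSvc\Parameters\ServiceDLL", r"C:\ProgramData\svc.dll"),
    proc(r'sc.exe create VendorAgent binPath= "C:\Program Files\Vendor\agent.exe"',
         parent=r"C:\Windows\System32\msiexec.exe"),  # MSI installer: allowlisted
    proc("sc.exe query Spooler"),  # read-only verb: ignored
    reg(r"C:\Windows\servicing\TrustedInstaller.exe",  # OS servicing: allowlisted
        r"HKLM\System\CurrentControlSet\Services\wuauserv\ImagePath",
        r"C:\Windows\system32\svchost.exe -k netsvcs -p"),
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"{f['rule']:30} {f['service']:12} {f['detail']}")
```

Running it yields five findings in order (the WmdmPmSp create, the WSearch config, the deny-ACE sdset, and the two direct ImagePath/ServiceDLL writes) and stays quiet on the msiexec-spawned create, the query, and the TrustedInstaller write. API-driven changes such as Cuba's OpenService/ChangeServiceConfig never produce an sc.exe command line; they appear as services.exe writing the Services key, which the registry path above catches, and new installs also land in the System log as Event ID 7045 (or Security Event ID 4697 with service-install auditing), so a production rule should add those sources rather than rely on process_creation alone.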
