title: Create or Modify System Process (T1543)
id: df00tech-t1543
status: experimental
description: "Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters. Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges."
references:
  - https://attack.mitre.org/techniques/T1543/
  - https://df00tech.com/detections/T1543
author: df00tech
date: 2026/04/21
tags:
  - attack.t1543
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate software installers (MSI packages, vendor setup.exe) that register services during installation — typically identified by msiexec.exe or setup.exe as parent process"
  - "IT management tools such as SCCM, Ansible, or Puppet that create or modify services as part of configuration management workflows"
  - "Security products (EDR agents, AV engines, backup software) that install kernel-level or user-mode services during deployment or updates"
  - "Software developers testing or deploying Windows services locally, particularly from development directories that may match suspicious path patterns"
  - System administrators manually configuring services via sc.exe or PowerShell during maintenance windows — correlate with change management tickets
level: high