Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1557 | Adversary-in-the-Middle | Monitor for newly constructed services/daemons through Windows event logs for event IDs 4697 and 7045. |
| | .001 | LLMNR/NBT-NS Poisoning and SMB Relay | Monitor for newly constructed services/daemons through Windows event logs for event IDs 4697 and 7045. [3] Deploy an LLMNR/NBT-NS spoofing detection tool. [4] |
| Enterprise | T1543 | Create or Modify System Process | Monitor for newly constructed services/daemons that may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. |
| | .001 | Launch Agent | Monitor Launch Agent creation through additional plist files and utilities such as Objective-See's KnockKnock application. |
| | .002 | Systemd Service | Monitor for newly constructed systemd services that may repeatedly execute malicious payloads as part of persistence. |
| | .003 | Windows Service | Creation of new services may generate an alterable event (ex: Event ID 4697 and/or 7045 [5][6]), especially those associated with unknown/abnormal drivers. New, benign services may be created during installation of new software. |
| | .004 | Launch Daemon | Monitor for newly constructed Launch Daemons that may execute malicious payloads as part of persistence. |
| Enterprise | T1564 | Hide Artifacts | Monitor for newly constructed services/daemons that may attempt to hide artifacts associated with their behaviors to evade detection. |
| | .006 | Run Virtual Instance | Monitor for newly constructed services/daemons that may carry out malicious operations using a virtual instance to avoid detection. Consider monitoring for new Windows Services associated with virtualization software. |
| Enterprise | T1036 | Masquerading | Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. |
| | .004 | Masquerade Task or Service | Monitor for newly constructed services/daemons. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. |
| Enterprise | T1569 | System Services | Monitor for newly constructed services/daemons used to execute commands or programs. |
| | .001 | Launchctl | Monitor for newly constructed services/daemons used to execute commands or programs. |
| | .002 | Service Execution | Monitor newly constructed services that abuse the service control manager to execute malicious commands or payloads. |
Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1197 | BITS Jobs | BITS runs as a service and its status can be checked with the Sc query utility ( |
| Enterprise | T1574 | Hijack Execution Flow | Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data. |
| | .005 | Executable Installer File Permissions Weakness | Monitor for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques. |
| | .010 | Services File Permissions Weakness | Hashing of binaries and service executables could be used to detect replacement against historical data. |
| Enterprise | T1562 | Impair Defenses | Monitor contextual data about a service/daemon, which may include information such as name, service executable, and start type, for services that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
| | .001 | Disable or Modify Tools | Monitor for telemetry that provides context of security software services being disabled or modified. |
| Enterprise | T1490 | Inhibit System Recovery | Monitor the status of services involved in system recovery. |
| Enterprise | T1036 | Masquerading | Monitor for contextual data about a service/daemon, which may include information such as name, service executable, start type, etc. |
| | .004 | Masquerade Task or Service | Monitor for changes made to services for unexpected modifications to names, descriptions, and/or start types. |
| Enterprise | T1021.006 | Remote Services: Windows Remote Management | Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior. |
| Enterprise | T1489 | Service Stop | Alterations to the service binary path or the service startup type changed to disabled may be suspicious. |
Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs)

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1543 | Create or Modify System Process | Monitor for changes to system processes that do not correlate with known software, patch cycles, etc., including by comparing results against a trusted system baseline. |
| | .001 | Launch Agent | Monitor for changes made to launch agents to repeatedly execute malicious payloads as part of persistence. |
| | .002 | Systemd Service | Analyze the contents of |
| | .003 | Windows Service | Monitor for changes made to Windows services to repeatedly execute malicious payloads as part of persistence. |
| | .004 | Launch Daemon | Monitor services for changes made to Launch Daemons to execute malicious payloads as part of persistence. |
| Enterprise | T1574.011 | Hijack Execution Flow: Services Registry Permissions Weakness | Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and do not correlate with software updates, then it may be due to malicious activity. |
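As an added example (not part of the ATT&CK page or of any project's code), the following Python compares a snapshot of service metadata against a trusted baseline and flags the changes the rows above describe: new services, binary path or executable hash changes, start type changes such as a service set to disabled, and renamed services. The `Service` class, the snapshot dictionaries and the hashed bytes are constructed for illustration, not real system data.

```python
from dataclasses import dataclass
import hashlib

@dataclass(frozen=True)
class Service:
    """One row of service metadata: name, executable, start type, etc. (constructed)."""
    name: str
    display_name: str
    image_path: str
    start_type: str   # "auto", "manual" or "disabled"
    exe_sha256: str   # SHA-256 of the on-disk service executable

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def compare_services(baseline, current):
    """Return (service name, finding) pairs for differences between two name->Service dicts."""
    findings = []
    for name, svc in current.items():
        base = baseline.get(name)
        if base is None:  # service creation: not present in the trusted baseline
            findings.append((name, "new service (cf. EID 4697/7045)"))
            continue
        if svc.image_path != base.image_path:  # binary path altered (hijack / service stop)
            findings.append((name, f"binary path changed: {base.image_path} -> {svc.image_path}"))
        if svc.exe_sha256 != base.exe_sha256:  # executable replaced in place (T1574)
            findings.append((name, "service executable hash differs from baseline"))
        if svc.start_type != base.start_type:  # start type tampering (T1489 / T1490)
            findings.append((name, f"start type changed: {base.start_type} -> {svc.start_type}"))
        if svc.display_name != base.display_name:  # renamed service (T1036.004)
            findings.append((name, "display name changed"))
    for name in baseline.keys() - current.keys():
        findings.append((name, "service removed"))
    return findings

# Constructed sample snapshots; hashes are over placeholder bytes, not real binaries.
BASELINE = {
    "Spooler": Service("Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe", "auto", sha256_hex(b"spoolsv-v1")),
    "VSS": Service("VSS", "Volume Shadow Copy", r"C:\Windows\System32\vssvc.exe", "manual", sha256_hex(b"vssvc")),
}
CURRENT = {
    "Spooler": Service("Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe", "auto", sha256_hex(b"spoolsv-v2")),
    "VSS": Service("VSS", "Volume Shadow Copy", r"C:\Windows\System32\vssvc.exe", "disabled", sha256_hex(b"vssvc")),
    "UpdaterSvc": Service("UpdaterSvc", "Windows Updater", r"C:\Users\Public\updater.exe", "auto", sha256_hex(b"updater")),
}

def demo():
    """Run the comparison on the constructed snapshots and return the findings."""
    return compare_services(BASELINE, CURRENT)
```

In practice the snapshots would be built from service metadata collected on the host (for example from the service control manager or systemd unit files), and the findings correlated with EID 7040/7045 events rather than treated as verdicts on their own.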