T1543.003 - Potential Persistence Attempt Via Existing Service Tampering (sc.exe)¶
DESCRIPTION¶
Detects the modification of an existing Windows service so that an arbitrary payload runs when the service is started or when its process dies, a potential persistence method that reuses a legitimate service as the launcher. Two settings are relevant. The service's binPath (stored as ImagePath under HKLM\SYSTEM\CurrentControlSet\Services\<service>) is the binary the Service Control Manager launches when the service is started; sc config <service> binPath= repoints it. Separately, Windows lets a service define actions to take when it fails, that is, when its process terminates without reporting a stopped state. One of those actions is running a command: sc failure <service> ... command= configures it, and the command line is stored in the FailureCommand value under the same service key. Either change makes the legitimate service execute the attacker's binary on start or on crash.
Credit(s): Sreeman
Example:
sc config Fax binPath= "C:\Windows\System32\suspicious.exe" start= auto obj= LocalSystem
sc failure Fax reset= 0 actions= run/5000 command= "c:\Windows\system32\malicious.exe"
Note: sc.exe requires a space after each "=", and the failure command only runs if actions= includes a run action (here 5000 ms after the failure); actions= and reset= must be given together.
Reference:
https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/
https://github.com/SigmaHQ/sigma/blob/8dc32d6dffe89f014912dea9719e6a95577a6725/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml#L8
Related
ATT&CK TACTICS¶
T1543.003 - Create or Modify System Process: Windows Service
T1574.011 - Hijack Execution Flow: Services Registry Permissions Weakness
Data Source(s): Process
SENTINEL RULE QUERY¶
Triage¶
- Examine the process that initiated the sc.exe command (parent process, user, and whether the service is one the user or an installer should be touching) and decide whether it is suspicious
- Determine the location of the executable set as binPath or FailureCommand and whether a change to that service is expected
- If the initiating process or the configured binary looks suspicious, check the file hashes against threat intelligence to decide whether they are malicious
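As an added example (not the page's Sentinel query and not code from the Sigma rule), the following Python mirrors the rule's logic over constructed Sysmon-style process-creation events and then applies the triage steps above: it extracts the service name and the binary configured through binPath= or command=, and flags initiating processes or targets in user-writable locations. The event records, the user-writable path list and the "installer parent" heuristic for the false-positive case are all constructed assumptions for illustration.

```python
import re

# Constructed Sysmon event-ID-1-style records for the demonstration; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'sc config Fax binPath= "C:\Windows\System32\suspicious.exe" start= auto obj= LocalSystem'},
    {"Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\stage.exe",
     "CommandLine": r'sc failure Fax reset= 0 actions= run/5000 command= ""c:\Windows\system32\malicious.exe""'},
    {"Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "sc query Fax"},
    # Constructed false-positive case: a vendor installer reconfiguring its own service.
    {"Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Program Files\Vendor\agent-setup.exe",
     "CommandLine": r'sc config VendorAgent binPath= "C:\Program Files\Vendor\agent.exe" start= auto'},
]

# "sc config <svc>" / "sc failure <svc>", also when sc.exe is given by full quoted path.
SC_VERB_RE = re.compile(r'(?i)\bsc(?:\.exe)?"?\s+(config|failure)\s+(\S+)')
# Value after binPath= or command=; tolerates doubled quotes as seen in copied examples.
TARGET_RE = re.compile(r'(?i)\b(binpath|command)=\s*(?:"+([^"]+)"+|(\S+))')

# Assumed list of path fragments a standard user can write to (heuristic, not exhaustive).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def matches_rule(event):
    """Rule logic: sc.exe with 'config ... binPath=' or 'failure ... command='."""
    image = event.get("Image", "").lower()
    cli = event.get("CommandLine", "").lower()
    if not image.endswith("\\sc.exe"):
        return None
    if "config" in cli and "binpath=" in cli:
        return "binPath"
    if "failure" in cli and "command=" in cli:
        return "FailureCommand"
    return None


def parse_target(cmdline):
    """Return (service name, configured binary) from a matching sc command line."""
    verb = SC_VERB_RE.search(cmdline)
    tgt = TARGET_RE.search(cmdline)
    service = verb.group(2) if verb else None
    binary = (tgt.group(2) or tgt.group(3)) if tgt else None
    return service, binary


def triage(event):
    """Apply the triage steps: who ran it, where the binary lives, is the change expected."""
    kind = matches_rule(event)
    if kind is None:
        return None
    service, binary = parse_target(event["CommandLine"])
    parent = event.get("ParentImage", "")
    reasons = []
    if kind == "FailureCommand":
        reasons.append("failure action set to run a program")
    if binary and any(p in binary.lower() for p in USER_WRITABLE):
        reasons.append("target binary in user-writable path")
    if any(p in parent.lower() for p in USER_WRITABLE):
        reasons.append("initiating process in user-writable path")
    # Assumed installer heuristic for the documented false positive (driver/agent setup).
    installer_parent = parent.lower().endswith(("setup.exe", "installer.exe"))
    verdict = "likely benign" if installer_parent and not reasons else "review"
    return {"service": service, "kind": kind, "binary": binary,
            "parent": parent, "reasons": reasons, "verdict": verdict}


def run_all(events=SAMPLE_EVENTS):
    """Triage every event and return only the ones the rule matched."""
    return [f for f in (triage(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in run_all():
        print(finding["verdict"], finding["service"], finding["kind"], finding["binary"], finding["reasons"])
```

The "review" verdict is deliberately the default: a built-in service such as Fax being repointed from an interactive shell produces no path-based reason yet still deserves analyst attention, while the hash check from the last triage step is left to the analyst's tooling.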
False Positives¶
- Driver or agent installers that register or reconfigure their own service with sc config (typically running from the installer process, with the binary under Program Files or System32)
VERSION¶
Version 1.1 (date: 13/02/2024)