Service-Based Execution
Service-Based Execution refers to the use of system services or background processes to run attacker-controlled logic within a target environment..
Mappings
Summary
Service-Based Execution refers to the use of system services or background processes to run attacker-controlled logic within a target environment. This includes creating new services, modifying existing service configurations, or leveraging legitimate service management mechanisms to execute commands automatically. Within MalChain, this capability begins once a service is installed, modified, or triggered to execute attacker-defined instructions. Attackers exploit implicit trust in system services and administrative management tools to maintain reliable execution with elevated privileges. Operational necessity and automated system behavior often allow service execution to occur without close inspection. Trust abuse may involve disguised service names, modified startup parameters, or services presented as legitimate maintenance components. Common execution methods include:
- Creating new system services
- Modifying existing service configurations
- Executing commands through service management utilities
- Triggering service-based scheduled operations
- Installing services with automatic startup behavior
Real world usage includes:
- Persistence and execution mechanisms in ransomware campaigns
- Privileged execution in enterprise network compromises
- Remote service abuse during lateral movement operations
- Deployment of long-running malware components
Detection Guidance
Detection relies on monitoring service lifecycle events, configuration changes, and execution behavior associated with system services. Contextual correlation between service creation, modification, and system activity is essential to reduce false positives.
- Monitor creation of new services or daemons
- Detect modifications to service startup configurations
- Correlate service execution with administrative account usage
- Alert on services created from temporary or user-controlled paths
- Identify rare or unexpected service names or descriptions
KQL Detection Concepts
- Service installation or configuration change events
- Service processes launched with unusual command-line parameters
- Execution of services originating from non-standard directories
YARA Detection Concepts
- Suspicious service configuration structures or registry entries
- Service binaries containing persistence or privilege escalation logic
- Executable files designed to run as background services
KQL Detection Rule
// Service-Based Execution: new service created for code execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "sc.exe" and ProcessCommandLine has "create"
or (InitiatingProcessFileName =~ "services.exe" and FileName in~ ("cmd.exe","powershell.exe"))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileNameYARA Detection Rule
Mitigation
- Restrict service creation privileges to authorized administrators
- Enforce service configuration auditing and change control
- Monitor service activity and startup behavior
- Implement application control for service binaries
Incident Response
- Identify newly created or modified services
- Disable or remove unauthorized services
- Analyze service binaries and configuration settings
- Review system logs for service-related execution timelines