T1569 - System Services

Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary execution.

Atomic Tests:

Currently, no tests are available for this technique.

Detection

Monitor for command line invocations of tools capable of modifying services that doesn’t correspond to normal usage patterns and known software, patch cycles, etc. Also monitor for changes to executables and other files associated with services. Changes to Windows services may also be reflected in the Registry.

Shield Active Defense

API Monitoring

Monitor local APIs that might be used by adversary tools and activity.

API Monitoring involves capturing an internal Operating System (OS) function for its usage, accompanying arguments, and result. When a defender captures this information, the intelligence gathered can be analyzed to gain insight into the activity of an adversary at a level deeper than normal system activity monitoring.

Opportunity

There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.

Use Case

A defender can monitor and analyze operating system functions calls for detection and alerting.

Procedures

Trace activity through WinSock TCP API functions to view potentially malicious network events. Log it such that it can be pushed to a centralized location and analyzed further. Hook the Win32 DeleteFile() function to log all attempts at deleting a given file. This information can be used to trigger restoration attempts on critical data, reducing potential disruption if those files are unavailable for prolonged periods of time.