MITRE ATT&CK™ Analysis - T1543.003 Windows Service


New Service Overview

A service is an application that runs in the background without a user interface; services are often used for core operating system functions. Because of this, traditional GUI-based applications and standard executables can't be run natively as a service without some kind of wrapper.

New Service Analysis

Lab Example

RED TEAM: ATTACK

A service has been created using the Windows NT Resource Kit (in particular INSTSRV.EXE to install the service and SRVANY.EXE to act as a wrapper and run an arbitrary executable as a service).

More information:

  • How To Create a User-Defined Service

    "C:\Program Files\Windows Resource Kits\Tools\INSTSRV.EXE" CyberRaijuWasHere "C:\Program Files\Windows Resource Kits\Tools\SRVANY.EXE"

The service being configured, including how it looks once the registry keys are modified and the service is executed, is shown below.

[Image: T1050 - New Service 2]

BLUE TEAM: DEFEND

Event ID 7045 shows us the installation of this service.

[Image: T1050 - New Service 1]

The end result is that whenever the computer boots, the service runs and silently executes the calculator executable on this host with system-level privileges.