Windows Service Published Through Administrator Access
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Threat actors abuse Windows services to run code with elevated privileges and establish persistence on compromised systems. Common approaches include creating new services with sc.exe or PowerShell, changing existing service binary paths, modifying service permissions through SDDL, and abusing service recovery settings to launch malicious commands when a service fails. More advanced methods involve using Windows APIs to avoid command-line visibility or installing kernel-mode drivers.
Investigation
The report outlines multiple techniques for manipulating Windows services and shows how attackers can rely on native tools such as sc.exe, PowerShell, and registry changes. It explains how service recovery options can be hijacked to execute payloads and how kernel-mode drivers may be introduced for deeper system access. The investigation also identifies key Windows Event IDs and registry locations that provide useful telemetry for detecting this behavior.
Mitigation
Organizations should apply layered defenses by enabling auditing on service-related registry locations, including the Services hive and relevant recovery configuration keys. Monitoring Windows Event IDs such as 7045, 7024, 4657, and 4663 is essential for spotting service creation or modification. Defenders should also protect against service permission tampering and track unauthorized kernel driver installation activity.
Response
When suspicious service activity is detected, responders should investigate the initiating process and its parent-child chain, especially cases where services.exe launches unexpected shell processes. Registry changes should be correlated with API activity such as CreateServiceW, and systems should be reviewed for unauthorized driver loads. The integrity of service binary paths and recovery settings should also be validated across the environment.
Attack Flow
We are still updating this part. Sign up to get notified
Notify MeDetections
Suspicious Service Creation Through Registry (via cmdline)
View
Suspicious Service Creation (via powershell)
View
Possible Manual Service or Driver Install for Persistence (via cmdline)
View
Possible Service Creation with Binary on UNC Share (via cmdline)
View
Suspicious Service Creation for Persistence (via system)
View
PowerShell New-Service Command for Creating Persistent Services [Windows Powershell]
View
Detection of Malicious Services and Recovery Function Abuse [Windows System]
View
Detection of Malicious Windows Service Creation and Configuration via sc.exe [Windows Process Creation]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands: The adversary has gained initial access and seeks to maintain a foothold. To avoid detection by simple file-based antivirus, they decide to use a Living-off-the-Land approach by creating a new Windows Service named “WindowsUpdateSvc” (a deceptive name). This service is configured to run a malicious PowerShell encoded command. The creation of this service will generate a Windows System Event ID 7045, which is the primary trigger for the detection rule.
-
Regression Test Script:
# Simulation of T1543.003: Creating a malicious service to trigger Event ID 7045 $ServiceName = "WindowsUpdateSvc" $Payload = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command 'Write-Output "Persistence Established" | Out-File C:temppwned.txt'" # Create the service # Note: This requires administrative privileges New-Service -Name $ServiceName -BinaryPathName $Payload -DisplayName "Windows Update Service" -StartupType Automatic Write-Host "Service $ServiceName created. Check System Event Logs for Event ID 7045." -
Cleanup Commands:
# Cleanup: Remove the malicious service and any created files $ServiceName = "WindowsUpdateSvc" Stop-Service -Name $ServiceName -ErrorAction SilentlyContinue sc.exe delete $ServiceName if (Test-Path "C:temppwned.txt") { Remove-Item "C:temppwned.txt" } Write-Host "Cleanup complete."