Modify Existing Service
May 1, 2024
| Field | Value |
|---|---|
| ID | F0011 |
| Objective(s) | Persistence, Privilege Escalation |
| Related ATT&CK Techniques | Create or Modify System Process::Windows Service (T1543.003) |
| Version | 2.2 |
| Created | 2 August 2022 |
| Last Modified | 30 April 2024 |
Malware may modify an existing service to gain persistence. Modification may include disabling a service.
See ATT&CK: Create or Modify System Process::Windows Service (T1543.003).
Use in Malware
| Name | Date | Method | Description |
|---|---|---|---|
| YiSpecter | 2015 | -- | The malware hijacks other installed applications' launch routines to use "ADPage" (an installed malicious app) to display advertisements. [2] |
| BlackEnergy | 2007 | -- | Malware locates an inactive driver service to hijack and set it to start automatically. [3] |
| Conficker | 2008 | -- | Malware copies itself into the %systemroot%\system32 directory and registers as a service. [4] |
| Shamoon | 2012 | -- | Shamoon enables the RemoteRegistry service to allow remote registry modification. [5] |
| Vobfus | 2016 | -- | Vobfus disables Windows AutoUpdate and patches the first byte of the TerminateProcess and TerminateThread APIs with C3 (a RET instruction) so that external processes cannot terminate the running instance of the malware. [6] |
Detection
| Tool: CAPE | Mapping | APIs |
|---|---|---|
| volatility_svcscan_1 | Modify Existing Service (F0011) | -- |
| volatility_svcscan_2 | Modify Existing Service (F0011) | -- |
| volatility_svcscan_3 | Modify Existing Service (F0011) | -- |
| antiav_servicestop | Modify Existing Service (F0011) | OpenServiceA, ControlService, OpenServiceW |
| persistence_service | Modify Existing Service (F0011) | -- |
| modify_security_center_warnings | Modify Existing Service (F0011) | -- |
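The CAPE signatures above fire on API activity inside a sandbox; on a live host the same behaviour shows up as a change in a service's registry configuration. The following is an added example, not MBC or CAPE code: it diffs two snapshots of service configuration (records shaped like the `Start` and `ImagePath` values under `HKLM\SYSTEM\CurrentControlSet\Services\<name>`) and classifies changes the way the entries in the table above describe them (an inactive service set to start automatically, a service disabled, a service binary repointed). The service names and paths in the snapshots are constructed sample data.

```python
# Added example: diff two snapshots of Windows service configuration and flag
# changes matching Modify Existing Service (F0011). Records mimic the registry
# values "Start" (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled) and
# "ImagePath". All snapshot data below is constructed, not real telemetry.
from dataclasses import dataclass

START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
AUTO_STARTS = {0, 1, 2}  # start types that run without user action


@dataclass(frozen=True)
class Finding:
    service: str
    kind: str     # "auto_start", "disabled", "start_changed", "image_changed"
    detail: str


def diff_services(baseline, current):
    """Return findings for services whose config differs between snapshots.
    Services present in only one snapshot are ignored; creation/removal is
    a different behaviour than modification."""
    findings = []
    for name in sorted(set(baseline) & set(current)):
        before, after = baseline[name], current[name]
        b_start, a_start = before["Start"], after["Start"]
        if b_start != a_start:
            if a_start == 4:
                kind = "disabled"       # e.g. updates or AV turned off
            elif a_start in AUTO_STARTS and b_start not in AUTO_STARTS:
                kind = "auto_start"     # inactive service now starts on boot
            else:
                kind = "start_changed"
            findings.append(Finding(name, kind,
                f"Start {START_NAMES[b_start]} -> {START_NAMES[a_start]}"))
        if before["ImagePath"].lower() != after["ImagePath"].lower():
            findings.append(Finding(name, "image_changed",
                f"ImagePath {before['ImagePath']} -> {after['ImagePath']}"))
    return findings


# Constructed snapshots: RemoteRegistry flipped from disabled to automatic,
# wuauserv disabled, a driver service set to auto-start and repointed outside
# System32, and Dhcp left untouched as a control.
SVCHOST = r"C:\Windows\system32\svchost.exe"
BASELINE = {
    "RemoteRegistry": {"Start": 4, "ImagePath": SVCHOST + " -k localService"},
    "wuauserv":       {"Start": 3, "ImagePath": SVCHOST + " -k netsvcs"},
    "sampledrv":      {"Start": 3, "ImagePath": r"\SystemRoot\System32\drivers\sampledrv.sys"},
    "Dhcp":           {"Start": 2, "ImagePath": SVCHOST + " -k LocalServiceNetworkRestricted"},
}
CURRENT = {
    "RemoteRegistry": {"Start": 2, "ImagePath": SVCHOST + " -k localService"},
    "wuauserv":       {"Start": 4, "ImagePath": SVCHOST + " -k netsvcs"},
    "sampledrv":      {"Start": 2, "ImagePath": r"C:\Users\Public\sampledrv.sys"},
    "Dhcp":           {"Start": 2, "ImagePath": SVCHOST + " -k LocalServiceNetworkRestricted"},
}

if __name__ == "__main__":
    for f in diff_services(BASELINE, CURRENT):
        print(f"{f.service}: {f.kind} ({f.detail})")
```

In practice the baseline would be captured from a known-good image and the current snapshot from the host under investigation; a `start_changed` or `image_changed` finding on a service the host owner did not touch is worth a closer look.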
References
[1] https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy
[2] https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/
[3] https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
[4] https://en.wikipedia.org/wiki/Conficker
[5] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/
[6] https://securitynews.sonicwall.com/xmlpost/revisiting-vobfus-worm-mar-8-2013/