MITRE ATT&CK

Windows Services are background processes that run automatically, often with high privileges, and can start before any user logs in. Attackers leverage Windows Services to maintain persistence on a compromised system by creating a new malicious service or modifying an existing one.


How Attackers Use Windows Services for Persistence

Creating a Malicious Windows Service

Attackers can create a new service to execute their payload persistently using the sc.exe command:

sc.exe create MaliciousService binpath= "C:\Windows\Temp\malicious.exe" start= auto

This command:

Modifying an Existing Service

Instead of creating a new service, attackers may hijack an existing one using sc config:

sc config LegitimateService binpath= "C:\Windows\Temp\malicious.exe"

Because the service keeps its trusted name, this can evade detections that key only on the service name rather than on the binary it now launches.
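As an added example (not code from the original article), the following Python sketch shows the defender-side check for both techniques above: it walks constructed records shaped like System log Event ID 7045 (a service was installed) and Sysmon Event ID 13 (registry value set on a service's ImagePath), flags new services launched from Temp or user-writable directories, and flags known services whose ImagePath no longer matches a baseline. The baseline, the directory list and the event records are constructed assumptions, not data from the page.

```python
import re
# Constructed baseline (not from the page): service name -> expected ImagePath,
# as captured from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
BASELINE = {"LegitimateService": r"C:\Program Files\Vendor\svc.exe"}
# Locations a service binary should not normally be launched from.
SUSPICIOUS_DIRS = ("c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\")
# Constructed records shaped like System log Event ID 7045 ("A service was
# installed in the system") and Sysmon Event ID 13 (registry value set).
EVENTS = [
    {"id": 7045, "ServiceName": "MaliciousService",
     "ImagePath": r"C:\Windows\Temp\malicious.exe"},
    {"id": 7045, "ServiceName": "VendorUpdater",
     "ImagePath": r'"C:\Program Files\Vendor\updater.exe" /svc'},
    {"id": 13, "Details": r"C:\Windows\Temp\malicious.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\LegitimateService\ImagePath"},
]
_EXE_RE = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)
_IMAGEPATH_RE = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)

def binary_of(image_path):
    """Lower-cased executable from an ImagePath: quotes and arguments dropped."""
    m = _EXE_RE.match(image_path.strip())
    return (m.group(1) if m else image_path.strip()).lower()

def is_suspicious_location(image_path):
    return binary_of(image_path).startswith(SUSPICIOUS_DIRS)

def analyze(events, baseline):
    """Flag services created from suspicious paths (sc create) and known
    services whose ImagePath was rewritten (sc config)."""
    alerts = []
    for ev in events:
        if ev["id"] == 7045:  # new service installed
            name, path = ev["ServiceName"], ev["ImagePath"]
            if is_suspicious_location(path):
                alerts.append((name, "new service from suspicious location", path))
        elif ev["id"] == 13:  # registry value written
            m = _IMAGEPATH_RE.search(ev["TargetObject"])
            if not m:
                continue
            name, path = m.group(1), ev["Details"]
            if name in baseline and binary_of(baseline[name]) != binary_of(path):
                alerts.append((name, "ImagePath of existing service changed", path))
            elif name not in baseline and is_suspicious_location(path):
                alerts.append((name, "unknown service pointed at suspicious location", path))
    return alerts

if __name__ == "__main__":
    for name, reason, path in analyze(EVENTS, BASELINE):
        print(f"ALERT {name}: {reason} -> {path}")
```

In practice the baseline would be captured from a known-good host and the events pulled from the System log and Sysmon channel rather than embedded.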


Detection & Threat Hunting Techniques (Blue Team Perspective)

Event Log Analysis