MITRE ATT&CK™ Analysis - T1543.003 Windows Service
New Service Overview
A service is an application that runs in the background without a user interface; services are often used for core operating system functions. Because of this, traditionally GUI-based applications and standard executables can't be run natively as a service without some kind of wrapper.
New Service Analysis
Lab Example
RED TEAM: ATTACK
A service has been created using the Windows NT Resource Kit (in particular INSTSRV.EXE to install the service and SRVANY.EXE to act as a wrapper and run an arbitrary executable as a service).
More information:
- How To Create a User-Defined Service
"C:\Program Files\Windows Resource Kits\Tools\INSTSRV.EXE" CyberRaijuWasHere "C:\Program Files\Windows Resource Kits\Tools\SRVANY.EXE"
The service being configured, including how it looks once the registry keys are modified and the service is executed, is shown below.
BLUE TEAM: DEFEND
Event ID 7045 shows us the installation of this service.
The end result is that whenever the computer boots, the service runs and silently executes the calculator executable on this host with system level privileges.
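Because the 7045 record for a wrapped service names only SRVANY.EXE, triage has to point the analyst at the registry value that holds the real executable. The following is an added example (not from the original lab): it parses exported 7045 events and flags wrapper-based services. The function names, the sample events, and the assumption that events were exported with `wevtutil qe System /f:xml /e:Events` are illustrative.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WRAPPERS = {"srvany.exe"}  # the wrapper used on this page; extend as needed
SVC_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\{}\Parameters"

# Constructed sample (host name and second service are made up), in the
# shape of `wevtutil qe System /f:xml /e:Events` output.
SAMPLE = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>7045</EventID><Computer>LAB-PC01</Computer></System>
 <EventData><Data Name="ServiceName">CyberRaijuWasHere</Data>
  <Data Name="ImagePath">C:\Program Files\Windows Resource Kits\Tools\SRVANY.EXE</Data>
  <Data Name="StartType">auto start</Data><Data Name="AccountName">LocalSystem</Data>
 </EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>7045</EventID><Computer>LAB-PC01</Computer></System>
 <EventData><Data Name="ServiceName">ExampleUpdater</Data>
  <Data Name="ImagePath">"C:\Program Files\Example\updater.exe" /svc</Data>
  <Data Name="StartType">demand start</Data><Data Name="AccountName">LocalSystem</Data>
 </EventData></Event>
</Events>"""

def image_name(image_path):
    """Lower-cased file name of the service binary, ignoring quotes and arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    elif ".exe" in p.lower():
        p = p[: p.lower().index(".exe") + 4]  # unquoted paths may contain spaces
    return ntpath.basename(p).lower()

def triage_7045(xml_text):
    """Return one finding per 7045 event whose ImagePath is a known service wrapper."""
    findings = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "7045":
            continue
        d = {x.get("Name"): (x.text or "") for x in ev.findall("e:EventData/e:Data", NS)}
        if image_name(d.get("ImagePath", "")) not in WRAPPERS:
            continue
        name = d.get("ServiceName", "")
        boot = (d.get("StartType"), d.get("AccountName", "").lower()) == ("auto start", "localsystem")
        # SRVANY reads the real executable from the Application value under this key.
        findings.append({"service": name, "boot_as_system": boot,
                         "check_next": SVC_KEY.format(name)})
    return findings
```

For each finding, read the `Application` value under the `check_next` key to see which executable the wrapper actually launches.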