Create or Modify System Process T1543
Tactics: Persistence, Privilege Escalation
Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemons and Launch Agents are run to finish system initialization and load user-specific parameters.
Events covered
33 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 218 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (105 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators that rule authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (7204 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get a useful signal. Blank means the combination is specific to rules under this technique.
Exclusions (788 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Each rule entry carries its full predicates, exclusions, and indicators.
Sigma 85 rules
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- Atomic MacOS Stealer - Persistence Indicators
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- CodeIntegrity - Blocked Driver Load With Revoked Certificate
- CodeIntegrity - Blocked Image/Driver Load For Policy Violation
- CosmicDuke Service Installation
- Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
- Devcon Execution Disabling VMware VMCI Device
- Driver Load From A Temporary Directory
- EAP service activation by Liontail framework for DLL sideloading (via command)
- Encoded PowerShell payload deployed via service
- Impacket SMBexec service creation (registry)
- Impacket SMBexec service registration (native)
- KrbRelayUp Service Installation
- Launch Agent/Daemon Execution Via Launchctl
- LiteLLM / TeamPCP Supply Chain Attack Indicators
- macOS ESF Launch Persistence Creation
- macOS LaunchAgent/LaunchDaemon Persistence
- Malicious Driver Load
- Malicious Driver Load By Name
- Mimikatz driver deployed via service
- Mimikatz driver registration (Reg via Sysmon)
- Moriya Rootkit - System
- Moriya Rootkit File Created
- New Kernel Driver Via SC.EXE
- New PDQDeploy Service - Client Side
- New PDQDeploy Service - Server Side
- New Service Creation Using PowerShell
- New Service Creation Using Sc.EXE
- OilRig APT Activity
- OilRig APT Registry Persistence
- OilRig APT Schedule Task Persistence - Security
- OilRig APT Schedule Task Persistence - System
- Possible impact of 'SMOKEDHAM backdoor' with MSDTC service privilege escalation via command line
- Potential CobaltStrike Service Installations - Registry
- Potential Persistence Attempt Via Existing Service Tampering
- Potential Persistence Via PlistBuddy
- ProcessHacker Privilege Elevation
- PSEXEC Remote Execution File Artefact
- PSexec service installation
- PUA - Kernel Driver Utility (KDU) Execution
- PUA - Process Hacker Driver Load
- PUA - Process Hacker Execution
- PUA - System Informer Driver Load
- PUA - System Informer Execution
- RDP session hijack via service creation abuse
- Remote Access Tool Services Have Been Installed - Security
- Remote Access Tool Services Have Been Installed - System
- Service abuse with backdoored "command failure" (Reg via command)
- Service abuse with backdoored "command failure" (Reg via PowerShell)
- Service abuse with backdoored "command failure" (service)
- Service abuse with malicious ImagePath (Reg via PowerShell)
- Service abuse with malicious ImagePath (service)
- Service creation (command)
- Service creation (PowerShell)
- Service Installation in Suspicious Folder
- Service Installation with Suspicious Folder Pattern
- Service Installed By Unusual Client - Security
- Service Installed By Unusual Client - System
- Service permissions hijacked for privileges abuse (PowerShell)
- Service permissions hijacked for privileges abuse (reg via command)
- Service permissions hijacked for privileges abuse (Reg via PowerShell)
- Service permissions hijacked for privileges abuse (service)
- Service Reload or Start - Linux
- ServiceDll Hijack
- Sliver C2 Default Service Installation
- Special File Creation via Mknod Syscall
- StoneDrill Service Install
- Suspicious New Service Creation
- Suspicious Service DACL Modification Via Set-Service Cmdlet
- Suspicious Service Installation
- Suspicious Service Installation Script
- Suspicious Service Path Modification
- Sysinternals PsService Execution
- Sysinternals PsSuspend Execution
- Systemd Service Creation
- TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
- Turla PNG Dropper Service
- Turla Service Install
- Uncommon Service Installation Image Path
- Vulnerable Driver Load
- Vulnerable Driver Load By Name
- Vulnerable HackSys Extreme Vulnerable Driver Load
- Vulnerable WinRing0 Driver Load
Elastic 83 rules
- Anomalous Process For a Linux Population
- Anomalous Process For a Windows Population
- Anomalous Windows Process Creation
- APT Package Manager Configuration File Creation
- Authentication via Unusual PAM Grantor
- Boot File Copy
- Chkconfig Service Add
- Creation of Hidden Launch Agent or Daemon
- Creation or Modification of a new GPO Scheduled Task or Service
- D-Bus Service Created
- DNF Package Manager Plugin File Creation
- DPKG Package Installed by Unusual Parent Process
- Dracut Module Creation
- Execution of an Unsigned Service
- Finder Sync Plugin Registered and Enabled
- First Time Python Created a LaunchAgent or LaunchDaemon
- First Time Seen Driver Loaded
- Git Hook Child Process
- Git Hook Command Execution
- Git Hook Created or Modified
- Git Hook Egress Network Connection
- GRUB Configuration File Creation
- GRUB Configuration Generation through Built-in Utilities
- Initramfs Extraction via CPIO
- Initramfs Unpacking via unmkinitramfs
- Kubernetes Sensitive Configuration File Activity
- Kubernetes Static Pod Manifest File Access
- Launch Service Creation and Immediate Loading
- Modification of Persistence Relevant Files Detected via Defend for Containers
- Namespace Manipulation Using Unshare
- Namespace Manipulation Using Unshare in a Container
- Network Logon Provider Registry Modification
- NetworkManager Dispatcher Script Creation
- Node.js Pre or Post-Install Script Execution
- Persistence via a Hidden Plist Filename
- Persistence via Docker Shortcut Modification
- Persistence via Suspicious Launch Agent or Launch Daemon
- Persistence via Update Orchestrator Service Hijack
- Persistence via WMI Standard Registry Provider
- Pluggable Authentication Module (PAM) Creation in Unusual Directory
- Pluggable Authentication Module (PAM) Source Download
- Pluggable Authentication Module (PAM) Version Discovery
- Pluggable Authentication Module or Configuration Creation
- Polkit Policy Creation
- Potential Backdoor Execution Through PAM_EXEC
- Potential Execution via SSH Backdoor
- Potential Persistence via File Modification
- Potential Privilege Escalation via Service ImagePath Modification
- Potential Suspicious File Edit
- Remote Windows Service Installed
- Renaming of OpenSSH Binaries
- RPM Package Installed by Unusual Parent Process
- Service Command Lateral Movement
- Service Control Spawned via Script Interpreter
- Service Creation via Local Kerberos Authentication
- Service DACL Modification via sc.exe
- Service Path Modification
- Service Path Modification via sc.exe
- Suspicious APT Package Manager Execution
- Suspicious APT Package Manager Network Connection
- Suspicious Echo or Printf Execution Detected via Defend for Containers
- Suspicious Hidden Child Process of Launchd
- Suspicious ImagePath Service Creation
- Suspicious Mining Process Creation Event
- Suspicious Network Connection via systemd
- Suspicious ScreenConnect Client Child Process
- Suspicious Service was Installed in the System
- System Shells via Services
- Systemd Generator Created
- Systemd Service Created
- Systemd Service Started by Unusual Parent Process
- Systemd Shell Execution During Boot
- Unsigned DLL Loaded by Svchost
- Unusual D-Bus Daemon Child Process
- Unusual DPKG Execution
- Unusual Persistence via Services Registry
- Unusual Pkexec Execution
- Unusual Process For a Linux Host
- Unusual Process For a Windows Host
- Unusual Windows Path Activity
- Unusual Windows Service
- Windows Service Installed via an Unusual Client
- Yum Package Manager Plugin File Creation
Splunk 39 rules
- Cisco Isovalent - Late Process Execution
- Cisco Isovalent - Nsenter Usage in Kubernetes Pod
- Cisco Isovalent - Shell Execution
- Clop Ransomware Known Service Name
- CMD Echo Pipe - Escalation
- Driver Loaded from Unusual Path - Windows (Sysmon)
- Impacket Lateral Movement Commandline Parameters
- Impacket Lateral Movement smbexec CommandLine Parameters
- Impacket Lateral Movement WMIExec Commandline Parameters
- Kernel Service Installed - Windows (Windows Event Log)
- LLM Model File Creation
- MacOS Kextload Usage
- Possible Lateral Movement PowerShell Spawn
- PSexec Service Creation (Windows Event Log)
- Randomly Generated Windows Service Name
- Service Installed (Windows Event Log)
- Services LOLBAS Execution Process Spawn
- SimpleHelp Remote Access Tool Service Installation (Windows Event Log)
- Suspicious .sys Created - Windows (Sysmon)
- Suspicious PlistBuddy Usage
- Suspicious PlistBuddy Usage via OSquery
- Windows Bluetooth Service Installed From Uncommon Location
- Windows KrbRelayUp Service Creation
- Windows Local LLM Framework Execution
- Windows Process Execution in Temp Dir
- Windows Remote Create Service
- Windows Service Create Kernel Mode Driver
- Windows Service Create RemComSvc
- Windows Service Create with Tscon
- Windows Service Created (Sysmon)
- Windows Service Created (Windows Event Log)
- Windows Service Creation on Remote Endpoint
- Windows Service Initiation on Remote Endpoint
- Windows Suspicious Driver Loaded Path
- Windows Suspicious Process File Path
- Windows Vulnerable Driver Installed
- Windows Vulnerable Driver Loaded
- Wscript Or Cscript Suspicious Child Process
- XMRIG Driver Loaded
Kusto 8 rules
- COM Event System Loading New DLL
- McAfee ePO - Multiple threats on same host
- Pathlock TDnR - Logical OS Command Changes
- Pathlock TDnR - TMS Transport and Import Events
- Powershell Empire Cmdlets Executed in Command Line
- Rare Process as a Service
- SUNBURST suspicious SolarWinds child processes (Normalized Process Events)
- TEARDROP memory-only dropper