cti/enterprise-attack/attack-pattern/attack-pattern--62dfd1ca-52d5-483c-a84b-d6e80bf94b7b.json
2018-01-17 16:00:03 -05:00

{
    "type": "bundle",
    "id": "bundle--7c20f4c2-0f32-411e-9565-968d5517b341",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--62dfd1ca-52d5-483c-a84b-d6e80bf94b7b",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "created": "2017-05-31T21:30:34.928Z",
            "modified": "2018-01-17T12:56:55.080Z",
            "name": "Modify Existing Service",
            "description": "Windows service configuration information, including the file path to the service's executable, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and Reg.\n\nAdversaries can modify an existing service to persist malware on a system by using system utilities or by using custom tools to interact with the Windows API. Use of existing services is a type of Masquerading that may make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.\n\nDetection: Look for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Changes to the binary path and the service startup type changed from manual or disabled to automatic, if it does not typically do so, may be suspicious. Tools such as Sysinternals Autoruns may also be used to detect system service changes that could be attempts at persistence. (Citation: TechNet Autoruns) \n\nService information is stored in the Registry at <code>HKLM\\SYSTEM\\CurrentControlSet\\Services</code>.\n\nCommand-line invocation of tools capable of modifying services may be unusual, depending on how systems are typically used in a particular environment. Collect service utility execution and service binary path arguments used for analysis. Service binary paths may even be changed to execute cmd commands or scripts.\n\nLook for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. Services may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.\n\nPlatforms: Windows\n\nData Sources: Windows Registry, File monitoring, Process command-line parameters, Process monitoring\n\nPermissions Required: Administrator, SYSTEM\n\nContributors: Travis Smith, Tripwire",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "persistence"
                }
            ],
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/wiki/Technique/T1031",
                    "external_id": "T1031"
                },
                {
                    "source_name": "TechNet Autoruns",
                    "description": "Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.",
                    "url": "https://technet.microsoft.com/en-us/sysinternals/bb963902"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "x_mitre_contributors": [
                "Travis Smith, Tripwire"
            ],
            "x_mitre_data_sources": [
                "Windows Registry",
                "File monitoring",
                "Process command-line parameters",
                "Process monitoring"
            ],
            "x_mitre_permissions_required": [
                "Administrator",
                "SYSTEM"
            ],
            "x_mitre_platforms": [
                "Windows"
            ]
        }
    ]
}
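The Detection paragraph in the description above names three things to watch under HKLM\SYSTEM\CurrentControlSet\Services: the binary path (ImagePath) changing, the startup type (Start) moving from Manual or Disabled to Automatic, and binary paths that turn into cmd commands or scripts. The following is an added example of that check as working code; it is my own illustration and is not part of the MITRE CTI bundle or of any MITRE tooling. It diffs two snapshots of the per-service ImagePath, Start and ObjectName values. BASELINE and CURRENT are constructed sample snapshots: Spooler, Fax and WebClient are real Windows service names, but the values attached to them here are made up for the example, and all function names are mine. On Windows, snapshot_from_registry() reads the real keys through the standard-library winreg module; elsewhere it returns an empty dict so the diff logic still runs on the sample data.

```python
"""Added example (not part of the MITRE CTI bundle): detect the service
configuration changes T1031 tells defenders to look for, by diffing two
snapshots of HKLM\\SYSTEM\\CurrentControlSet\\Services."""
import re
import sys

# Meaning of the REG_DWORD "Start" value under each service key.
START_NAMES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
AUTO_STARTS = {0, 1, 2}          # anything that runs without an operator starting it
TRACKED_VALUES = ("ImagePath", "Start", "ObjectName")

# Shell/script hosts and script extensions that a service binary path rarely
# points at legitimately (the "cmd commands or scripts" case in the description).
SUSPICIOUS_PATH = re.compile(
    r"\b(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\.exe\b"
    r"|\.(bat|cmd|ps1|vbs|js|hta)\b",
    re.IGNORECASE,
)


def snapshot_from_registry():
    """Read the tracked values for every service key. Windows only; returns {}
    elsewhere so the diff logic can still be exercised on sample data."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, only importable on Windows

    services = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:          # no more subkeys
                break
            index += 1
            try:
                with winreg.OpenKey(root, name) as svc:
                    entry = {}
                    for value in TRACKED_VALUES:
                        try:
                            entry[value] = winreg.QueryValueEx(svc, value)[0]
                        except OSError:   # value not present on this key
                            pass
            except OSError:          # key not readable with current rights
                continue
            services[name] = entry
    return services


def suspicious_image_path(path):
    """True when the binary path launches a shell/script host or a script file."""
    return bool(path) and SUSPICIOUS_PATH.search(path) is not None


def diff_services(baseline, current):
    """Return one finding dict per change that the T1031 guidance calls out."""
    findings = []

    def note(service, reason, before, after):
        findings.append({"service": service, "reason": reason,
                         "before": before, "after": after})

    for name, cur in sorted(current.items()):
        base = baseline.get(name)
        path = cur.get("ImagePath")
        path_changed = base is None or path != base.get("ImagePath")
        if base is None:
            note(name, "new_service", None, path)
        elif path_changed:
            note(name, "image_path_changed", base.get("ImagePath"), path)
        if path_changed and suspicious_image_path(path):
            note(name, "suspicious_image_path", None, path)
        if base is None:
            continue
        b_start, c_start = base.get("Start"), cur.get("Start")
        if b_start in (3, 4) and c_start in AUTO_STARTS:
            note(name, "start_type_enabled", START_NAMES.get(b_start), START_NAMES.get(c_start))
        if cur.get("ObjectName") != base.get("ObjectName"):
            note(name, "logon_account_changed", base.get("ObjectName"), cur.get("ObjectName"))
    return findings


# Constructed sample snapshots (not data from a real host). The Fax change is
# what `sc config Fax binPath= "cmd.exe /c C:\Users\Public\update.bat" start= auto obj= LocalSystem`
# would leave behind in the Registry.
BASELINE = {
    "Spooler":   {"ImagePath": r"C:\Windows\System32\spoolsv.exe", "Start": 2, "ObjectName": "LocalSystem"},
    "Fax":       {"ImagePath": r"C:\Windows\system32\fxssvc.exe", "Start": 3, "ObjectName": r"NT AUTHORITY\NetworkService"},
    "WebClient": {"ImagePath": r"C:\Windows\System32\svchost.exe -k LocalService", "Start": 3, "ObjectName": r"NT AUTHORITY\LocalService"},
}
CURRENT = {
    "Spooler":   dict(BASELINE["Spooler"]),
    "Fax":       {"ImagePath": r"cmd.exe /c C:\Users\Public\update.bat", "Start": 2, "ObjectName": "LocalSystem"},
    "WebClient": dict(BASELINE["WebClient"]),
}

if __name__ == "__main__":
    for f in diff_services(BASELINE, CURRENT):
        print(f"{f['service']:<10} {f['reason']:<22} {f['before']!r} -> {f['after']!r}")
```

Run as a script it reports four findings, all against Fax. For real use, persist the output of snapshot_from_registry() at a known-good point (for example with json.dump) and diff a fresh snapshot against it on a schedule; a new_service finding is only noise if the baseline is stale, which is exactly the "correlate with known software, patch cycles, etc." caveat in the description. This covers the Registry data source only; the command-line and process-tree checks the description also asks for need Sysmon or 4688-style process logging.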