Create or Modify System Process
Create or Modify System Process ranks third this year thanks in large part to detections associated with its Windows Service sub-technique.
Editors’ note: While the analysis and detection opportunities remain applicable, this technique page was written for a previous Threat Detection Report and has not been updated in 2022.
Windows services typically start automatically during the boot cycle of the operating system and run with elevated privileges (commonly as LocalSystem), which gives adversaries a means of both persistence and privilege escalation: a malicious service survives reboots and its payload inherits the service account's rights.
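Because a new service is the persistence artifact itself, the most direct telemetry is the Service Control Manager's "A service was installed in the system" event (Event ID 7045 in the System log). The following is an added example, not code from the Threat Detection Report, that runs a few triage heuristics over constructed 7045-style records: image path in a user-writable directory, a system-binary name (such as svchost.exe) living outside System32, an interpreter or LOLBin in the image path, an encoded PowerShell command, and a well-known remote-admin service name (PSEXESVC, PAExec). The dictionary keys, the sample events and the heuristics are assumptions made for illustration; real 7045 records carry the fields "Service Name", "Service File Name", "Service Start Type" and "Service Account".

```python
import re

# Constructed sample records modelled on Windows System log Event ID 7045
# ("A service was installed in the system", source Service Control Manager).
# Field names are simplified and all values are invented, not real telemetry.
SAMPLE_EVENTS = [
    {"ServiceName": "Windows Update Helper",
     "ImagePath": r"C:\Users\Public\svchost.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "Updater",
     "ImagePath": r"%COMSPEC% /c powershell -nop -w hidden -enc SQBFAFgA",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "MySQL",
     "ImagePath": r'"C:\Program Files\MySQL\bin\mysqld.exe" --defaults-file=C:\ProgramData\MySQL\my.ini',
     "StartType": "auto start", "AccountName": r"NT AUTHORITY\NetworkService"},
]

# Directories a standard user can write to; a service binary there is suspicious
# because the attacker needed no admin rights to drop it.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\|[a-z]:\\programdata\\|[a-z]:\\windows\\temp\\"
    r"|%temp%|%appdata%|%localappdata%)", re.I)
# Where the genuine copies of core system binaries live.
SYSTEM_DIRS = re.compile(
    r"^(?:%systemroot%|%windir%|[a-z]:\\windows)\\(?:system32|syswow64)\\", re.I)
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe",
                       "services.exe", "winlogon.exe", "smss.exe"}
# Interpreters and living-off-the-land binaries used as service image paths.
INTERPRETER = re.compile(
    r'(?:^|[\\\s"])(?:cmd|powershell|pwsh|rundll32|regsvr32|mshta|wscript|cscript)'
    r'(?:\.exe)?(?=$|[\s"])|%comspec%', re.I)
# PowerShell -e / -ec / -enc / -EncodedCommand followed by base64.
ENCODED = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", re.I)
# Service names registered by common remote-execution tools (hypothetical list).
KNOWN_REMOTE_ADMIN = {"psexesvc", "paexec"}


def image_binary(image_path: str) -> str:
    """Return the executable portion of a service image path (quoted or first token)."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split()[0] if s else ""


def analyze_event(event: dict) -> list[str]:
    """Apply the triage heuristics to one 7045-style record; return the reasons it fired."""
    reasons = []
    image_path = event["ImagePath"]
    binary = image_binary(image_path)
    binary_name = binary.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if USER_WRITABLE.search(binary):
        reasons.append("image in user-writable location")
    if binary_name in SYSTEM_BINARY_NAMES and not SYSTEM_DIRS.search(binary):
        reasons.append("system binary name outside System32")
    if INTERPRETER.search(image_path):
        reasons.append("interpreter/LOLBin in image path")
    if ENCODED.search(image_path):
        reasons.append("encoded PowerShell command")
    if event["ServiceName"].lower() in KNOWN_REMOTE_ADMIN:
        reasons.append("remote-admin tool service")
    return reasons


def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (service name, reasons) for every record that fired at least one heuristic."""
    flagged = []
    for ev in events:
        reasons = analyze_event(ev)
        if reasons:
            flagged.append((ev["ServiceName"], reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS):
        print(f"{name}: {', '.join(reasons)}")
```

The auto-start/LocalSystem combination is deliberately not a flag on its own, since that is how most legitimate services are configured; it is the context that makes the other findings matter. A legitimately installed service such as the MySQL record produces no hits, while PsExec-style remote execution is caught purely by its service name even though its binary sits under the Windows directory.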
T1543: Create or Modify System Process
"Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user-specific parameters."