Threat Hunters Corner: Understanding T1543 - Create or Modify System Processes

Welcome 

Hey everyone, Josh Shepard here, Principal Threat Hunter at RADICL. Welcome to the inaugural edition of the Threat Hunters Corner! This series will dive into the exciting world of threat hunting, sharing insights on techniques, threat actors, and novel malware strains we’ve encountered either up close and personal or through our day to day research. Our goal is to help you kickstart your own threat hunting program with practical tips and strategies. Each of these posts will come with a video where I’ll talk through the given topic as well as an accompanying (RadBot generated) text summary of what was discussed so you have something to refer back to. Please let me know if there’s anything you’d like to see covered in the future or if you have any questions on the video. Enjoy! 

Unveiling T1543 – RadBot (RADICL AI) Generated Text Summary

Welcome to the inaugural edition of the Threat Hunters Corner! I’m Josh Shepard, principal threat hunter at RADICL, and I’m excited to kick off this series where we’ll delve into the latest techniques, emerging threat actors, and novel malware strains that we’ve encountered in our threat hunting endeavors. Our goal is to equip you with the knowledge and tools necessary to enhance your own threat hunting programs. 

In this first installment, we’ll focus on a critical technique that is widely utilized by various threat actors, from sophisticated nation-state adversaries to opportunistic cybercriminals. This technique is known as T1543: Create or Modify System Processes. 

Why Threat Actors Favor T1543 

Threat actors are drawn to system-level processes for several reasons: 

1. Ubiquity Across Operating Systems: Services exist on all major operating systems, including Windows, Linux, and macOS. This universality makes them an attractive target for attackers. 

1. Higher Privileges: Services often run with elevated privileges, allowing threat actors to escalate their access and maintain persistence within a compromised environment. 

1. Persistence: Services are designed to survive system reboots, making them ideal for adversaries looking to establish long-term footholds in a target system. 

1. Customizability: Threat actors can create and modify services using built-in system utilities, which helps them avoid detection and complicates attribution efforts. 

Detecting T1543 Behavior 

Windows Environment 

In Windows, the creation of services typically follows the installation of an application. However, threat actors may bypass this standard flow. Here are some key indicators to monitor: 

• Command Line Utilities: Look for instances of sc.exe with the create parameter, which is used to create custom services. 

• PowerShell Commands: Monitor for the use of PowerShell's service cmdlet to create new services. 

• .NET Framework: Check for the use of installutil.exe, which can also be employed to install services. 

Establishing a baseline of normal service creation activities in your environment is crucial for identifying anomalies. 

Linux Environment 

For Linux systems, focus on the manipulation of .service files associated with Systemd: 

• Unusual Modifications: Investigate any unexpected changes to existing .service files. 

• New Service Creation: Be wary of unusual commands that create new .service files, such as using echo to pipe data into these files or downloading them via curl. 

macOS Environment 

With macOS we’ll be looking at .plist (property list) files which are similar to .service files in Linux: 

• Monitoring Modifications: Look for unusual modifications to existing .plist files, especially using tools like PlistBuddy. 

• New File Creation: Similar to Linux, watch for unexpected creation of new .plist files. 

• Launch Agents vs Launch Daemons: In macOS, it’s important to differentiate between launch agents and launch daemons. Launch agents run in user space, while launch daemons operate at a system level. This distinction can help you understand the context of the services being monitored. 

Conclusion 

This overview of T1543 provides a foundational understanding of how threat actors exploit system processes to achieve their objectives. By implementing the hunt strategies outlined above, you can enhance your threat hunting capabilities and better protect your environment. 

As you embark on your threat hunting journey, remember that establishing a baseline is key. If you encounter any challenges or have questions about hunting for T1543, feel free to reach out. I look forward to hearing your feedback and suggestions for future topics in the Threat Hunters Corner! 

Stay vigilant, and happy hunting!