Service

A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in.[1][2]

ID: DS0019
Platforms: Linux, Windows, macOS
Collection Layer: Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 10 November 2021

Data Components

Service: Service Creation

Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)

Domain      ID          Name
Enterprise  T1557       Adversary-in-the-Middle
Enterprise  T1557.001   LLMNR/NBT-NS Poisoning and SMB Relay
Enterprise  T1547.011   Boot or Logon Autostart Execution: Plist Modification
Enterprise  T1543       Create or Modify System Process
Enterprise  T1543.001   Launch Agent
Enterprise  T1543.002   Systemd Service
Enterprise  T1543.003   Windows Service
Enterprise  T1543.004   Launch Daemon
Enterprise  T1564       Hide Artifacts
Enterprise  T1564.006   Run Virtual Instance
Enterprise  T1036       Masquerading
Enterprise  T1036.004   Masquerade Task or Service
Enterprise  T1569       System Services
Enterprise  T1569.001   Launchctl
Enterprise  T1569.002   Service Execution

Service: Service Metadata

Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.

Domain      ID          Name
Enterprise  T1197       BITS Jobs
Enterprise  T1574       Hijack Execution Flow
Enterprise  T1574.005   Executable Installer File Permissions Weakness
Enterprise  T1574.010   Services File Permissions Weakness
Enterprise  T1574.011   Services Registry Permissions Weakness
Enterprise  T1562       Impair Defenses
Enterprise  T1562.001   Disable or Modify Tools
Enterprise  T1490       Inhibit System Recovery
Enterprise  T1036       Masquerading
Enterprise  T1036.004   Masquerade Task or Service
Enterprise  T1021.006   Remote Services: Windows Remote Management
Enterprise  T1489       Service Stop

Service: Service Modification

Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs)

Domain      ID          Name
Enterprise  T1543       Create or Modify System Process
Enterprise  T1543.001   Launch Agent
Enterprise  T1543.002   Systemd Service
Enterprise  T1543.003   Windows Service
Enterprise  T1543.004   Launch Daemon

References