Field | Value |
---|---|
ID | F0011 |
Objective(s) | Persistence, Privilege Escalation |
Related ATT&CK Techniques | Create or Modify System Process::Windows Service (T1543.003) |
Version | 2.0 |
Created | 2 August 2022 |
Last Modified | 21 November 2022 |
Malware may modify an existing service to gain persistence. Modification may include disabling a service.
See ATT&CK: Create or Modify System Process::Windows Service (T1543.003).
Name | Date | Method | Description |
---|---|---|---|
Poison-Ivy | 2005 | -- | After the Poison-Ivy server is running on the target machine, the attacker can use a Windows GUI client to control the target computer. [1] |
YiSpecter | 2015 | -- | Hijacks other installed applications' launch routines to use "ADPage" (an installed malicious app) to display advertisements [2] |
BlackEnergy | 2007 | -- | Locates an inactive driver service to hijack and sets it to start automatically [3] |
Conficker | 2008 | -- | Copies itself into the %systemroot%\system32 directory and registers as a service [4] |
Shamoon | 2012 | -- | Shamoon enables the RemoteRegistry service to allow remote registry modification [5] |
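As an added defender-side example (not part of the catalog entry or any of the cited reports), the following Python parses constructed Windows System-log lines in the shape of Event ID 7040 start-type changes and flags the patterns the table describes: an inactive service re-enabled for automatic start (BlackEnergy), a watched service such as Remote Registry switched on (Shamoon), or a service disabled. The sample lines, the simplified message format and the WATCHED list are assumptions made for this example.

```python
import re

# Constructed sample System-log lines modelled on Event ID 7040
# ("The start type of the X service was changed from A to B.").
# These are made-up entries for the example, not real telemetry.
SAMPLE_LOG = """\
2022-11-21T10:01:02 EID=7040 The start type of the Remote Registry service was changed from disabled to auto start.
2022-11-21T10:01:09 EID=7040 The start type of the Windows Update service was changed from auto start to demand start.
2022-11-21T10:02:15 EID=7040 The start type of the aliide service was changed from disabled to auto start.
2022-11-21T10:03:40 EID=7040 The start type of the Windows Defender Antivirus Service service was changed from auto start to disabled.
2022-11-21T10:04:00 EID=7036 The Print Spooler service entered the running state.
"""

START_TYPES = r"disabled|demand start|auto start|boot start|system start"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EID=7040 The start type of the (?P<svc>.+?) service "
    rf"was changed from (?P<old>{START_TYPES}) to (?P<new>{START_TYPES})\.$"
)

# Services whose re-enabling deserves a look (Shamoon turned on Remote Registry).
# This watch list is an assumption for the example, not part of the catalog entry.
WATCHED = {"Remote Registry"}

AUTO = {"auto start", "boot start", "system start"}


def classify(svc, old, new):
    """Return a reason string if a start-type change matches a suspicious pattern."""
    if new == "disabled":
        return "service disabled"
    if svc in WATCHED:
        return "watched service enabled"
    if old == "disabled" and new in AUTO:
        return "inactive service re-enabled for autostart"
    return None


def detect_service_changes(log_text):
    """Scan log lines; return one dict per flagged Event ID 7040 record."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other event IDs or messages in a different shape
        reason = classify(m["svc"], m["old"], m["new"])
        if reason:
            findings.append({"ts": m["ts"], "service": m["svc"],
                             "old": m["old"], "new": m["new"], "reason": reason})
    return findings
```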
[1] https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy
[2] http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/
[3] https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
[4] https://en.wikipedia.org/wiki/Conficker
[5] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/