Service persistence is creating or modifying a Windows service so that the attacker's payload starts automatically at boot, usually as SYSTEM. Because services auto-start and run with high privilege, this is durable, powerful persistence. Attackers either create a new service pointing at their binary or hijack an existing one (repoint its binPath or replace its executable). Installing or changing a service requires admin rights; the technique maps to MITRE ATT&CK T1543.003.
What it is
A Windows service is a background program managed by the Service Control Manager that can be set to start at boot and typically runs as SYSTEM. Services are how legitimate software runs persistently with high privilege.
Service persistence abuses that: the attacker makes a service launch their code, either a brand-new service or an existing one they have repointed, so it comes back at every boot as SYSTEM.
The technique and payload
With admin rights, the attacker installs or hijacks a service:
- Create one set to auto-start: sc create WinUpdate binPath= "C:\Windows\Temp\p.exe" start= auto, then sc start WinUpdate.
- Hijack an existing service by repointing it: sc config <svc> binPath= "C:\...\p.exe", or replace the service's executable on disk (weak service permissions make this easy).
- The payload now runs as SYSTEM at boot.
Documented for defensive context.
How to defend
- Monitor service creation and changes (Windows event 7045, Sysmon); alert on services whose binary lives in a user-writable or temp path.
- Baseline legitimate services so new ones are obvious.
- Lock down service permissions so existing services cannot be repointed (see weak service permissions).
- Use application allow-listing so a service binary must be approved.
- Limit local admin, the prerequisite for installing or changing services.
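The first two defensive points, a path check plus a baseline comparison, as an added example that is not part of the original page: it triages constructed event 7045-style records (service name, image path, start type, account; not real telemetry) against a hypothetical baseline of expected services, flagging new services, baselined services that were repointed, and binaries in user-writable directories.

```python
# Constructed baseline of expected services: name -> executable path (not a real inventory).
BASELINE = {
    "spooler": "c:\\windows\\system32\\spoolsv.exe",
    "vendorsvc": "c:\\program files\\vendor\\svc.exe",
    "backup": "c:\\program files\\backup\\bk.exe",
}

# Directory prefixes a non-admin user can usually write to; a service binary here is suspicious.
USER_WRITABLE_PREFIXES = ("c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\", "c:\\temp\\")

# Constructed sample records shaped like event 7045 ("a service was installed"); not real telemetry.
SAMPLE_EVENTS = [
    {"ServiceName": "WinUpdate", "ImagePath": r"C:\Windows\Temp\p.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "VendorSvc", "ImagePath": r'"C:\Users\alice\AppData\Roaming\svc.exe" -svc',
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "Backup", "ImagePath": r'"C:\Program Files\Backup\bk.exe"',
     "StartType": "demand start", "AccountName": r"NT AUTHORITY\LocalService"},
]

def extract_binary(image_path):
    """Return the executable from an ImagePath value, handling quoting and trailing arguments."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else s  # unquoted: text up to the first space, as sc binPath= writes it

def triage_service_event(event, baseline=BASELINE):
    """Return the alert reasons for one 7045-style record; an empty list means nothing to flag."""
    name = event["ServiceName"].lower()
    binary = extract_binary(event["ImagePath"]).lower()
    reasons = []
    if binary.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("binary in user-writable/temp path")
    if name not in baseline:
        reasons.append("service not in baseline (new service)")
    elif baseline[name] != binary:
        reasons.append("baselined service repointed to a different binary")
    # Auto-start as SYSTEM is normal for many services, so it only raises severity, never alerts alone.
    if reasons and event["StartType"].lower().startswith("auto") \
            and event["AccountName"].lower() == "localsystem":
        reasons.append("auto-start as SYSTEM")
    return reasons

def triage_all(events=SAMPLE_EVENTS):
    """Map service name -> reasons for every record that raised at least one reason."""
    return {e["ServiceName"]: r for e in events if (r := triage_service_event(e))}

if __name__ == "__main__":
    for svc, why in triage_all().items():
        print(f"{svc}: {'; '.join(why)}")
```

On a real host the records would come from the System log (Get-WinEvent) or a SIEM, and the baseline from an inventory taken on a known-good build.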
References
- [1] MITRE ATT&CK: Create or Modify System Process (T1543) (MITRE)
- [2] Microsoft: Windows services (Microsoft)
- [3] MITRE ATT&CK: Persistence (TA0003) (MITRE)