ID | F0011 |
---|---|
Objective(s) | Persistence, Privilege Escalation |
Related ATT&CK Techniques | Create or Modify System Process::Windows Service (T1543.003) |
Version | 2.0 |
Created | 2 August 2022 |
Last Modified | 12 June 2023 |
Malware may modify an existing service to gain persistence. Modification may include disabling a service.
See ATT&CK: Create or Modify System Process::Windows Service (T1543.003).
Name | Date | Method | Description |
---|---|---|---|
YiSpecter | 2015 | -- | The malware hijacks other installed applications' launch routines to use "ADPage" (an installed malicious app) to display advertisements. [2] |
BlackEnergy | 2007 | -- | Malware locates an inactive driver service to hijack and set it to start automatically. [3] |
Conficker | 2008 | -- | Malware copies itself into the %systemroot%\system32 directory and registers as a service. [4] |
Shamoon | 2012 | -- | Shamoon enables the RemoteRegistry service to allow remote registry modification. [5] |
Vobfus | 2016 | -- | Vobfus disables Windows AutoUpdate and patches the first byte of the TerminateProcess and TerminateThread APIs with C3 (RET instruction) to prevent external processes from terminating the running instance of the malware. [6] |
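A defender-side detection example, added here and not part of the MBC entry: it scans Service Control Manager records (event 7040 start-type changes and event 7045 service installs) for the patterns in the table above, a disabled service switched to automatic start, a protective service disabled, or a new service registered. The sample messages, the service names and the `PROTECTIVE_SERVICES` watch list are constructed assumptions, not real log exports.

```python
import re

# Constructed records shaped like Windows System log messages from the Service
# Control Manager: 7040 (start type changed) and 7045 (service installed).
# Names and paths are made up for the example.
SAMPLE_EVENTS = [
    (7040, "The start type of the Remote Registry service was changed from disabled to auto start."),
    (7040, "The start type of the Windows Update service was changed from auto start to disabled."),
    (7040, "The start type of the Print Spooler service was changed from auto start to demand start."),
    (7045, "A service was installed in the system.\n\nService Name: netsvcs\n"
           "Service File Name: C:\\Windows\\system32\\example.dll\n"
           "Service Type: user mode service\nService Start Type: auto start\n"
           "Service Account: LocalSystem"),
]

START_TYPE_RE = re.compile(
    r"The start type of the (?P<svc>.+) service was changed "
    r"from (?P<old>.+?) to (?P<new>.+?)\.$"
)
AUTO_TYPES = {"boot start", "system start", "auto start"}
# Hypothetical watch list of services whose disabling weakens the host.
PROTECTIVE_SERVICES = {"Windows Update", "Windows Defender Antivirus Service", "Windows Firewall"}


def parse_7045(message):
    """Return the 'Key: value' fields of a 7045 'service was installed' message."""
    fields = {}
    for line in message.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields


def analyze_service_events(events):
    """Return (severity, service, reason) findings for F0011-style service changes."""
    findings = []
    for event_id, message in events:
        if event_id == 7040:
            m = START_TYPE_RE.match(message)
            if not m:
                continue
            svc, old, new = m.group("svc"), m.group("old"), m.group("new")
            if old == "disabled" and new in AUTO_TYPES:
                findings.append(("high", svc, f"disabled service set to {new}"))
            elif new == "disabled" and svc in PROTECTIVE_SERVICES:
                findings.append(("high", svc, "protective service disabled"))
        elif event_id == 7045:
            f = parse_7045(message)
            findings.append(("medium", f.get("Service Name", "?"),
                             f"new service installed: {f.get('Service File Name', '?')}"))
    return findings
```

Run `analyze_service_events(SAMPLE_EVENTS)` to see the three findings; the Print Spooler change from auto start to demand start is deliberately left unflagged as routine administration.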
[1] https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy
[2] https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/
[3] https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
[4] https://en.wikipedia.org/wiki/Conficker
[5] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/
[6] https://securitynews.sonicwall.com/xmlpost/revisiting-vobfus-worm-mar-8-2013/