MITRE ATT&CK / T1050
T1050
New Service
Description
When operating systems boot up, they can start programs or applications called services that perform background system functions. (Citation: TechNet Services) A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry.Adversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with [Masquerading](https://attack.mitre.org/techniques/T1036). Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1035).
Platforms
Use our free MITRE ATT&CK lookup tool, or browse the full ATT&CK matrix.
Our coverage
- CISA/USCG Threat Hunt Finds Flat IT/OT Networks and Plain-Text Credentials at US Critical Infrastructure
- SHADOW-EARTH-053: China-Aligned Hackers Target Asian Governments and NATO Member State
- Ransomware Infrastructure Exposed: What the 0APT vs. KryBit Mutual Hack Reveals for Defenders
- TryHackMe Walkthrough: Nmap Basic Port Scans
Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →