modify-existing-service.md

| | |
|---|---|
| **ID** | F0011 |
| **Objective(s)** | Persistence, Privilege Escalation |
| **Related ATT&CK Techniques** | Create or Modify System Process::Windows Service (T1543.003) |
| **Version** | 2.2 |
| **Created** | 2 August 2022 |
| **Last Modified** | 30 April 2024 |

# Modify Existing Service

Malware may modify an existing service to gain persistence. Modification may include disabling a service.

See ATT&CK: Create or Modify System Process::Windows Service (T1543.003).

## Use in Malware

| Name | Date | Method | Description |
|---|---|---|---|
| YiSpecter | 2015 | -- | The malware hijacks other installed applications' launch routines to use "ADPage" (an installed malicious app) to display advertisements. [2] |
| BlackEnergy | 2007 | -- | Malware locates an inactive driver service to hijack and sets it to start automatically. [3] |
| Conficker | 2008 | -- | Malware copies itself into the %systemroot%\system32 directory and registers as a service. [4] |
| Shamoon | 2012 | -- | Shamoon enables the RemoteRegistry service to allow remote registry modification. [5] |
| Vobfus | 2016 | -- | Vobfus disables Windows AutoUpdate and patches the first byte of the TerminateProcess and TerminateThread APIs with 0xC3 (RET instruction) to prevent external processes from terminating the running instance of the malware. [6] |

## Detection

| Tool: CAPE | Mapping | APIs |
|---|---|---|
| volatility_svcscan_1 | Modify Existing Service (F0011) | -- |
| volatility_svcscan_2 | Modify Existing Service (F0011) | -- |
| volatility_svcscan_3 | Modify Existing Service (F0011) | -- |
| antiav_servicestop | Modify Existing Service (F0011) | OpenServiceA, ControlService, OpenServiceW |
| persistence_service | Modify Existing Service (F0011) | -- |
| modify_security_center_warnings | Modify Existing Service (F0011) | -- |
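Several of the behaviours in the table above (Shamoon enabling RemoteRegistry, BlackEnergy setting a dormant driver service to auto start, Vobfus disabling Windows Update) surface on a host as Service Control Manager Event ID 7040 ("The start type of the X service was changed from A to B"). The following is an added example, not part of the MBC catalog or the CAPE signatures listed, that flags such start-type changes in constructed sample log lines; the watch lists and the one-line log format are assumptions for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines modelled on the Event ID 7040 message text the
# Service Control Manager writes to the System log. Not real captured logs.
SAMPLE_EVENTS = [
    "7040 Service Control Manager: The start type of the Remote Registry service was changed from disabled to auto start.",
    "7040 Service Control Manager: The start type of the Windows Update service was changed from auto start to disabled.",
    "7040 Service Control Manager: The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start.",
    "7040 Service Control Manager: The start type of the exampledrv service was changed from disabled to auto start.",
    "7036 Service Control Manager: The Print Spooler service entered the running state.",
]

EVENT_RE = re.compile(
    r"^(?P<id>\d+) Service Control Manager: The start type of the (?P<svc>.+?) service "
    r"was changed from (?P<old>[a-z ]+) to (?P<new>[a-z ]+)\.$"
)

# Assumed watch lists: services whose enabling (Shamoon, RemoteRegistry) or
# disabling (Vobfus, Windows Update) matches the abuse patterns on this page.
WATCH_ENABLE = {"Remote Registry"}
WATCH_DISABLE = {"Windows Update"}


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a suspicious 7040 start-type change, else None."""
    m = EVENT_RE.match(line)
    if not m or m.group("id") != "7040":
        return None
    svc, old, new = m.group("svc"), m.group("old"), m.group("new")
    reason = None
    if svc in WATCH_ENABLE and old == "disabled" and new != "disabled":
        reason = "sensitive service enabled"
    elif svc in WATCH_DISABLE and new == "disabled":
        reason = "update/security service disabled"
    elif old == "disabled" and new == "auto start":
        # BlackEnergy pattern: a dormant (driver) service revived as auto start.
        reason = "disabled service set to auto start"
    if reason is None:
        return None
    return {"service": svc, "old": old, "new": new, "reason": reason}


def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over a batch of log lines and keep only the findings."""
    return [hit for hit in (classify(line) for line in lines) if hit]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit)
```

A demand-start-to-auto-start change on an ordinary service (the BITS line) is deliberately not flagged, since that transition is routine; tune the watch lists to the environment's baseline.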

## References

[1] https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy

[2] https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/

[3] https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf

[4] https://en.wikipedia.org/wiki/Conficker

[5] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/

[6] https://securitynews.sonicwall.com/xmlpost/revisiting-vobfus-worm-mar-8-2013/