T1543 · Persistence · Medium difficulty

Create or Modify System Process

Create or Modify System Process (T1543) is a MITRE ATT&CK technique in the Persistence tactic. SOC analysts detect it by monitoring XDR and SIEM telemetry for behavioral anomalies and the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.

Tools: XDR, SIEM

What is Create or Modify System Process?

Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations are stored in the registry for Windows and in /etc/systemd for modern Linux systems. Creating or modifying system processes provides privileged, persistent execution that is difficult for standard users to remove. On macOS, launch agents and launch daemons serve similar purposes. The challenge in detecting malicious system process creation is distinguishing it from the large volume of legitimate service installations and modifications that occur during normal software lifecycle management in enterprise environments.

Create or Modify System Process is documented as technique T1543 in the MITRE ATT&CK knowledge base under the Persistence tactic. Detection requires visibility into XDR and SIEM telemetry.

Detection Strategies

The following detection strategies help SOC analysts identify Create or Modify System Process activity. These methods apply across XDR and SIEM environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

1. Monitor the Windows Registry path HKLM\SYSTEM\CurrentControlSet\Services for new service entries and compare them against the authorized software inventory, alerting on services whose executable paths are in user-writable locations or temp directories.

2. Track changes to systemd unit files in /etc/systemd/system/ and /lib/systemd/system/ on Linux systems using file integrity monitoring, alerting on new or modified unit files that execute scripts from non-standard paths.

3. Detect service creation using unrecognized or unsigned service binaries by correlating service executable paths with a known-good software inventory and digital signature validation databases.

4. Monitor for services configured with unusual recovery options, such as restarting with a different executable on failure, which can be used to establish redundant execution mechanisms that survive if the primary service is stopped.

5. Alert on service creation or modification events occurring outside of authorized change management windows, particularly on production systems where service changes should follow a controlled deployment process.
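The following Python is an added example, not code from the guide or from SOCSimulator, showing how strategies 1 and 3 above look as detection logic. It triages constructed Windows System-log Event ID 7045 ("A service was installed in the system") messages, the same service-registration telemetry a registry watch on HKLM\SYSTEM\CurrentControlSet\Services produces. The approved-binary inventory, the user-writable path list and all sample events are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed Windows System-log Event ID 7045 messages, not captured from a real host.
# The message body is a set of "Field:  value" lines separated by CRLF, which is how
# the System log renders a service installation.
SAMPLE_EVENTS = [
    "A service was installed in the system.\r\n\r\n"
    "Service Name:  CSFalconService\r\n"
    "Service File Name:  \"C:\\Program Files\\CrowdStrike\\CSFalconService.exe\"\r\n"
    "Service Type:  user mode service\r\n"
    "Service Start Type:  auto start\r\n"
    "Service Account:  LocalSystem",
    "A service was installed in the system.\r\n\r\n"
    "Service Name:  sysmonitor\r\n"
    "Service File Name:  C:\\Windows\\Temp\\sysmonitor64.exe\r\n"
    "Service Type:  user mode service\r\n"
    "Service Start Type:  auto start\r\n"
    "Service Account:  LocalSystem",
    "A service was installed in the system.\r\n\r\n"
    "Service Name:  UpdaterSvc\r\n"
    "Service File Name:  C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe -k\r\n"
    "Service Type:  user mode service\r\n"
    "Service Start Type:  demand start\r\n"
    "Service Account:  NT AUTHORITY\\NetworkService",
]

# Hypothetical authorised software inventory (lower-cased full image paths).
APPROVED_BINARIES = {"c:\\program files\\crowdstrike\\csfalconservice.exe"}

# Locations a standard user can normally write to; a service image here is a strong signal.
USER_WRITABLE_PREFIXES = ("c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\", "c:\\temp\\")

FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):\s+(.*)$",
    re.MULTILINE,
)


@dataclass
class Finding:
    service: str
    image: str
    reasons: list = field(default_factory=list)


def parse_7045(message: str) -> dict:
    """Split a 7045 message body into its named fields (the CR of each CRLF is stripped)."""
    return {k: v.strip() for k, v in FIELD_RE.findall(message)}


def image_path(file_name: str) -> str:
    """Extract the executable from a Service File Name, which may be quoted or carry arguments."""
    s = file_name.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", s, re.IGNORECASE)
    if m:
        return m.group(1)
    return s.split()[0] if s else ""


def normalize(path: str) -> str:
    """Lower-case the path and fold the alternative spellings of the system root SCM accepts."""
    p = path.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    for prefix in ("\\systemroot\\", "%systemroot%\\"):
        if p.startswith(prefix):
            p = "c:\\windows\\" + p[len(prefix):]
    return p


def assess(message: str) -> Finding:
    f = parse_7045(message)
    image = normalize(image_path(f.get("Service File Name", "")))
    finding = Finding(f.get("Service Name", ""), image)
    if image.startswith(USER_WRITABLE_PREFIXES):
        finding.reasons.append("image in user-writable or temp location")
    if image not in APPROVED_BINARIES:
        finding.reasons.append("image not in authorised software inventory")
    # Privilege context is added only once something is already wrong with the image,
    # otherwise every legitimate auto-start LocalSystem service would be flagged.
    if (finding.reasons
            and f.get("Service Account", "").lower() == "localsystem"
            and f.get("Service Start Type", "").lower() == "auto start"):
        finding.reasons.append("auto-start as LocalSystem")
    return finding


def triage(events) -> list:
    """Return only the installations that need an analyst's attention."""
    return [fnd for fnd in (assess(e) for e in events) if fnd.reasons]


if __name__ == "__main__":
    for fnd in triage(SAMPLE_EVENTS):
        print(f"{fnd.service}: {fnd.image} -> {'; '.join(fnd.reasons)}")
```

The inventory comparison is what keeps the rule usable: a service image in a user-writable directory is rare in a managed fleet, but "not in inventory" on its own fires on every unapproved install, so the two are reported as separate reasons an analyst can weigh.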

Example Alerts

These realistic alert examples show what Create or Modify System Process looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

Severity: High · Source: XDR

New System Service Installed with Suspicious Binary

New Windows service registered with binary path C:\Windows\Temp\sysmonitor64.exe. The executable is not digitally signed, was created 2 minutes before service registration, and its hash matches a known remote access trojan variant. The service description reads "Windows System Monitor Service" mimicking legitimate monitoring tools. The service is configured to start automatically as LocalSystem.

Severity: Critical · Source: SIEM

Systemd Unit File Created for Reverse Shell Persistence

File integrity monitoring detected creation of /etc/systemd/system/network-monitor.service on production Linux server. The unit file executes a bash script from /var/tmp/.sysmon that establishes a reverse shell connection to an external IP address. The service is configured to restart automatically and starts at boot, providing persistent backdoor access that survives reboots and most incident response actions that do not include full OS reinstallation.
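As an added example (not part of the original guide or SOCSimulator's tooling), the Python below shows the check a file integrity monitor can run on a newly written systemd unit to raise an alert like the one above: parse the unit, resolve what ExecStart actually runs (including a script handed to a shell interpreter), and flag execution from non-standard or hidden paths combined with Restart=always. Both unit files and the list of suspicious directories are constructed for the example.

```python
import configparser
import os
import shlex

# Constructed unit files (not captured from a real host): a typical vendor unit and one
# that matches the alert above.
BENIGN_UNIT = """\
[Unit]
Description=Chrony NTP client
After=network.target

[Service]
ExecStart=/usr/sbin/chronyd -F 2
Restart=on-failure

[Install]
WantedBy=multi-user.target
"""

SUSPICIOUS_UNIT = """\
[Unit]
Description=Network Monitor

[Service]
Type=simple
ExecStart=/bin/bash /var/tmp/.sysmon/monitor.sh
Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target
"""

# Directories from which no packaged service should ever run (assumption for the example).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
# If ExecStart names one of these, the real payload is the script passed as an argument.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl", "ruby"}


def parse_unit(text: str) -> configparser.ConfigParser:
    """systemd units are INI-like. Interpolation is off so '%i'-style specifiers survive,
    strict=False tolerates repeated keys, and only '=' separates key from value."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # systemd keys are case-sensitive
    cp.read_string(text)
    return cp


def exec_targets(exec_line: str) -> list:
    """Return the programs an ExecStart= line runs: the binary itself and, when that
    binary is a shell or interpreter, every absolute path handed to it."""
    argv = shlex.split(exec_line)
    if not argv:
        return []
    argv[0] = argv[0].lstrip("@-:+!")  # systemd executable-prefix characters
    targets = [argv[0]]
    if os.path.basename(argv[0]) in INTERPRETERS:
        targets += [a for a in argv[1:] if a.startswith("/")]
    return targets


def assess_unit(text: str) -> list:
    """Return the reasons a unit file deserves an alert; an empty list means benign."""
    cp = parse_unit(text)
    reasons = []
    if not cp.has_section("Service"):
        return reasons
    svc = cp["Service"]
    for target in exec_targets(svc.get("ExecStart", "")):
        if target.startswith(SUSPICIOUS_DIRS):
            reasons.append(f"executes from non-standard path: {target}")
        if any(part.startswith(".") for part in target.split("/") if part):
            reasons.append(f"hidden path component: {target}")
    # Restart=always is normal for daemons; it only matters once the payload is suspect.
    if reasons and svc.get("Restart", "no") == "always":
        reasons.append("Restart=always keeps the suspicious unit alive")
    return reasons


if __name__ == "__main__":
    for name, unit in (("chrony.service", BENIGN_UNIT), ("network-monitor.service", SUSPICIOUS_UNIT)):
        print(name, "->", assess_unit(unit) or "clean")
```

Resolving the interpreter's argument is the part that matters operationally: a unit whose ExecStart is /bin/bash passes any check that only looks at the first token, which is exactly the case the alert describes.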

Severity: High · Source: XDR

macOS Launch Daemon Created for Persistence

New launch daemon plist file created at /Library/LaunchDaemons/com.apple.system.health.plist on macOS developer workstation. The plist references an executable in /Library/Application Support/.hidden/ that is not associated with any installed application. The daemon is configured to run at boot as root and the executable communicates with a domain that was registered 10 days ago, consistent with attacker-controlled infrastructure.
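The Python below is an added example, not part of the original guide or SOCSimulator's tooling, applying the indicators in the alert above to a launchd property list: an Apple-namespaced Label installed outside /System/Library, a program in a hidden directory, and RunAtLoad combined with KeepAlive. Both plists are constructed for the example.

```python
import plistlib

# Constructed launchd property lists (not real captures). The first mirrors the alert
# above; the second is what a vendor-installed daemon normally looks like.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.system.health</string>
  <key>ProgramArguments</key>
  <array><string>/Library/Application Support/.hidden/healthd</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.backupagent</string>
  <key>Program</key><string>/Library/Application Support/BackupAgent/agentd</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def program_of(job: dict) -> str:
    """launchd runs Program when present, otherwise the first element of ProgramArguments."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def assess_launch_daemon(plist_bytes: bytes, plist_path: str) -> list:
    """Return the reasons a LaunchDaemon plist deserves an alert; empty means benign."""
    job = plistlib.loads(plist_bytes)
    reasons = []
    label = job.get("Label", "")
    # Apple's own daemons ship under /System/Library; a com.apple.* label in /Library
    # is masquerading as first-party software.
    if label.startswith("com.apple.") and not plist_path.startswith("/System/Library/"):
        reasons.append(f"Apple-namespaced label outside /System/Library: {label}")
    program = program_of(job)
    if any(part.startswith(".") for part in program.split("/") if part):
        reasons.append(f"program in hidden directory: {program}")
    # Boot-time, self-restarting execution is normal for daemons; it is reported only
    # once the job is already suspect, to avoid flagging every vendor agent.
    if reasons and job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive: persistent, self-restarting execution")
    return reasons


if __name__ == "__main__":
    print(assess_launch_daemon(SUSPICIOUS_PLIST, "/Library/LaunchDaemons/com.apple.system.health.plist"))
    print(assess_launch_daemon(BENIGN_PLIST, "/Library/LaunchDaemons/com.example.backupagent.plist"))
```

The domain-age indicator from the alert needs network telemetry and is left out here; the plist checks alone are enough to push the file to an analyst.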

Practice Detecting Create or Modify System Process

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Create or Modify System Process. Build detection skills with zero consequences — free forever.


Frequently Asked Questions

How do SOC analysts detect Create or Modify System Process?
SOC analysts detect Create or Modify System Process (T1543) by monitoring XDR and SIEM telemetry for behavioral anomalies and specific indicators. Key detection methods include monitoring the Windows Registry path HKLM\SYSTEM\CurrentControlSet\Services for new service entries, comparing them against the authorized software inventory, and alerting on services whose executable paths are in user-writable locations or temp directories. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect Create or Modify System Process?
Create or Modify System Process can be detected using XDR and SIEM platforms. XDR tools are particularly effective for this technique because they provide visibility into the persistence phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.
How common is Create or Modify System Process in real-world attacks?
Create or Modify System Process is a well-documented MITRE ATT&CK technique in the Persistence tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic Create or Modify System Process scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting Create or Modify System Process for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Persistence techniques like Create or Modify System Process. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.