Clankerusecase
MITRE ATT&CK detection coverage

T1543.003 Windows Service

T1543.003 — Windows Service is a MITRE ATT&CK technique in the Persistence tactic. Clankerusecase tracks 36 detection use cases covering it and 11 threat-intel articles citing it.

Tactics: Persistence, Privilege Escalation
36 Use cases
11 Articles
0 Sub-techniques
2 Tactics

Use cases covering this technique (36)

Service install for persistence — sc.exe / new service registry write · Internal install · hunting · DSΣP
CMD Echo Pipe - Escalation · ESCU actions · alerting · P
Impacket Lateral Movement Commandline Parameters · ESCU actions · alerting · P
Impacket Lateral Movement smbexec CommandLine Parameters · ESCU actions · alerting · P
Impacket Lateral Movement WMIExec Commandline Parameters · ESCU actions · alerting · P
Possible Lateral Movement PowerShell Spawn · ESCU actions · hunting · P
Randomly Generated Windows Service Name · ESCU actions · hunting · P
Services LOLBAS Execution Process Spawn · ESCU actions · alerting · P
Windows Bluetooth Service Installed From Uncommon Location · ESCU actions · hunting · P
Windows KrbRelayUp Service Creation · ESCU actions · alerting · P
Windows Remote Create Service · ESCU actions · hunting · P
Windows Service Create Kernel Mode Driver · ESCU actions · alerting · P
Windows Service Create RemComSvc · ESCU actions · hunting · P
Windows Service Create with Tscon · ESCU actions · alerting · P
Windows Service Creation on Remote Endpoint · ESCU actions · alerting · P
Windows Service Initiation on Remote Endpoint · ESCU actions · alerting · P
Windows Suspicious Driver Loaded Path · ESCU actions · alerting · P
Windows Vulnerable Driver Installed · ESCU actions · alerting · P
Windows Vulnerable Driver Loaded · ESCU actions · hunting · P
XMRIG Driver Loaded · ESCU actions · alerting · P
Sc exe Manipulating Windows Services · ESCU actions · alerting · P
Suspicious Driver Loaded Path · ESCU actions · alerting · P
Windows Service Created Within Public Path · ESCU actions · alerting · P
Article-specific behavioural hunt — Microsoft Patch Tuesday for June 2026 — Snort rules and prominent vulnerabilitie · Bespoke exploit · hunting · DSP
[LLM] gh-token-monitor service install or rm -rf wiper command (Hades self-destruct) · Bespoke actions · alerting · DSΣPDDCS
Article-specific behavioural hunt — Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns · Bespoke exploit · hunting · DSP
Article-specific behavioural hunt — From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese- · Bespoke exploit · hunting · DSP
[LLM] IIS native module DLL drop or applicationHost.config modification by non-IIS process · Bespoke install · alerting · DSΣPDDCS
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-44849: Portainer has an endpoint security bypass via · Bespoke install · hunting · DSP
[LLM] Kimsuky httpMalice persistence: 'Everything 1.9a-/1.8a-' Run-key or CacheDB service install · Bespoke install · alerting · DSPDD
Article-specific behavioural hunt — fast16 | Mystery Shadow Brokers Reference Reveals High-Precision Software Sabota · Bespoke exploit · hunting · DSP
[LLM] fast16 Sabotage Framework Hash IOC Sweep (svcmgmt.exe / fast16.sys / svcmgmt.dll) · Bespoke install · alerting · DSΣP
[LLM] fast16 Carrier Runtime Artefacts (SvcMgmt service / pipe p577 / \Device\fast16) · Bespoke install · hunting · DSP
Article-specific behavioural hunt — EDR killers explained: Beyond the drivers · Bespoke exploit · hunting · DSP
Article-specific behavioural hunt — Fake Clawdbot VS Code Extension Installs ScreenConnect RAT · Bespoke exploit · hunting · DSP
[LLM] Weaponised ScreenConnect install path with attacker instance GUID 083e4d30c7ea44f7 · Bespoke install · alerting · DSΣPDDCS

Articles citing this technique (11)