Clankerusecase
MITRE ATT&CK detection coverage

T1543 Create or Modify System Process

T1543 — Create or Modify System Process is a MITRE ATT&CK technique in the Persistence tactic. Clankerusecase tracks 15 detection use cases covering it and 4 threat-intel articles citing it.

Tactics: Persistence, Privilege Escalation
15 Use cases
4 Articles
5 Sub-techniques
2 Tactics

Sub-techniques (5)

Use cases covering this technique (15)

Cisco Isovalent - Late Process Execution · ESCU · actions · hunting · P
Cisco Isovalent - Nsenter Usage in Kubernetes Pod · ESCU · actions · hunting · P
Cisco Isovalent - Shell Execution · ESCU · actions · hunting · P
Clop Ransomware Known Service Name · ESCU · actions · alerting · P
LLM Model File Creation · ESCU · actions · hunting · P
MacOS Kextload Usage · ESCU · actions · alerting · P
Windows Local LLM Framework Execution · ESCU · actions · hunting · P
Windows Process Execution in Temp Dir · ESCU · actions · hunting · P
Windows Suspicious Process File Path · ESCU · actions · alerting · P
Wscript Or Cscript Suspicious Child Process · ESCU · actions · hunting · P
Suspicious Process File Path · ESCU · actions · alerting · P
[LLM] __DAEMONIZED=1 environment marker on spawned process · Bespoke · install · alerting · DSΣPDDCS
[LLM] UAT-8616 post-compromise on SD-WAN: SSH key add, NETCONF edit, su root, XMRig miner.sh · Bespoke · actions · alerting · DSPDDCS
[LLM] Sha1-Hulud npm Worm — Self-Hosted GitHub Actions Runner Registration with Name 'SHA1HULUD' · Bespoke · install · alerting · DSΣPDD
[LLM] Sha1-Hulud self-hosted GitHub Actions runner deployed under ~/.dev-env (SHA1HULUD) · Bespoke · install · alerting · DSΣPDDCS

Articles citing this technique (4)