Esc
Create or Modify System Process - T1543
(ATT&CK® Technique)
Definition
Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1543["Create or Modify System Process"] --> |modifies| SystemConfigurationDatabase["System Configuration Database"]; class T1543 OffensiveTechniqueNode;
class SystemConfigurationDatabase ArtifactNode; click SystemConfigurationDatabase href "/dao/artifact/d3f:SystemConfigurationDatabase";
click T1543 href "/offensive-technique/attack/T1543/"; click SystemConfigurationDatabase href "/dao/artifact/d3f:SystemConfigurationDatabase"; T1543["Create or Modify System Process"] --> |creates| PropertyListFile["Property List File"]; class T1543 OffensiveTechniqueNode;
class PropertyListFile ArtifactNode; click PropertyListFile href "/dao/artifact/d3f:PropertyListFile";
click T1543 href "/offensive-technique/attack/T1543/"; click PropertyListFile href "/dao/artifact/d3f:PropertyListFile"; T1543["Create or Modify System Process"] --> |may-create| OperatingSystemConfigurationFile["Operating System Configuration File"]; class T1543 OffensiveTechniqueNode;
class OperatingSystemConfigurationFile ArtifactNode; click OperatingSystemConfigurationFile href "/dao/artifact/d3f:OperatingSystemConfigurationFile";
click T1543 href "/offensive-technique/attack/T1543/"; click OperatingSystemConfigurationFile href "/dao/artifact/d3f:OperatingSystemConfigurationFile"; T1543["Create or Modify System Process"] --> |may-modify| OperatingSystemConfigurationFile["Operating System Configuration File"]; class T1543 OffensiveTechniqueNode;
class OperatingSystemConfigurationFile ArtifactNode; click OperatingSystemConfigurationFile href "/dao/artifact/d3f:OperatingSystemConfigurationFile";
click T1543 href "/offensive-technique/attack/T1543/"; click OperatingSystemConfigurationFile href "/dao/artifact/d3f:OperatingSystemConfigurationFile"; T1543["Create or Modify System Process"] --> |modifies| PropertyListFile["Property List File"]; class T1543 OffensiveTechniqueNode;
class PropertyListFile ArtifactNode; click PropertyListFile href "/dao/artifact/d3f:PropertyListFile";
click T1543 href "/offensive-technique/attack/T1543/"; click PropertyListFile href "/dao/artifact/d3f:PropertyListFile"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | OperatingSystemConfigurationFile["Operating System Configuration File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1543["Create or Modify System Process"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class OperatingSystemConfigurationFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | PropertyListFile["Property List File"];
class FileIntegrityMonitoring DefensiveTechniqueNode;
class PropertyListFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; DecoyFile["Decoy File"] -->
| spoofs | PropertyListFile["Property List File"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1543["Create or Modify System Process"] ;
class DecoyFile DefensiveTechniqueNode;
class PropertyListFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] -->
| spoofs | OperatingSystemConfigurationFile["Operating System Configuration File"];
class DecoyFile DefensiveTechniqueNode;
class OperatingSystemConfigurationFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; FileEviction["File Eviction"] -->
| deletes | PropertyListFile["Property List File"];
FileEviction["File Eviction"] -.->
| may-evict | T1543["Create or Modify System Process"] ;
class FileEviction DefensiveTechniqueNode;
class PropertyListFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; FileEviction["File Eviction"] -->
| deletes | OperatingSystemConfigurationFile["Operating System Configuration File"];
class FileEviction DefensiveTechniqueNode;
class OperatingSystemConfigurationFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; SystemConfigurationPermissions["System Configuration Permissions"] -->
| restricts | SystemConfigurationDatabase["System Configuration Database"];
SystemConfigurationPermissions["System Configuration Permissions"] -.->
| may-harden | T1543["Create or Modify System Process"] ;
class SystemConfigurationPermissions DefensiveTechniqueNode;
class SystemConfigurationDatabase ArtifactNode;
click SystemConfigurationPermissions href "/technique/d3f:SystemConfigurationPermissions"; FileEncryption["File Encryption"] -->
| encrypts | OperatingSystemConfigurationFile["Operating System Configuration File"];
FileEncryption["File Encryption"] -.->
| may-harden | T1543["Create or Modify System Process"] ;
class FileEncryption DefensiveTechniqueNode;
class OperatingSystemConfigurationFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] -->
| encrypts | PropertyListFile["Property List File"];
class FileEncryption DefensiveTechniqueNode;
class PropertyListFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] -->
| restricts | PropertyListFile["Property List File"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1543["Create or Modify System Process"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class PropertyListFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] -->
| restricts | OperatingSystemConfigurationFile["Operating System Configuration File"];
class LocalFilePermissions DefensiveTechniqueNode;
class OperatingSystemConfigurationFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; RestoreFile["Restore File"] -->
| restores | OperatingSystemConfigurationFile["Operating System Configuration File"];
RestoreFile["Restore File"] -.->
| may-restore | T1543["Create or Modify System Process"] ;
class RestoreFile DefensiveTechniqueNode;
class OperatingSystemConfigurationFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; RestoreDatabase["Restore Database"] -->
| restores | SystemConfigurationDatabase["System Configuration Database"];
RestoreDatabase["Restore Database"] -.->
| may-restore | T1543["Create or Modify System Process"] ;
class RestoreDatabase DefensiveTechniqueNode;
class SystemConfigurationDatabase ArtifactNode;
click RestoreDatabase href "/technique/d3f:RestoreDatabase"; RestoreFile["Restore File"] -->
| restores | PropertyListFile["Property List File"];
class RestoreFile DefensiveTechniqueNode;
class PropertyListFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; SystemFileAnalysis["System File Analysis"] -->
| analyzes | OperatingSystemConfigurationFile["Operating System Configuration File"];
SystemFileAnalysis["System File Analysis"] -.->
| may-detect | T1543["Create or Modify System Process"] ;
class SystemFileAnalysis DefensiveTechniqueNode;
class OperatingSystemConfigurationFile ArtifactNode;
click SystemFileAnalysis href "/technique/d3f:SystemFileAnalysis"; FileAnalysis["File Analysis"] -->
| analyzes | PropertyListFile["Property List File"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1543["Create or Modify System Process"] ;
class FileAnalysis DefensiveTechniqueNode;
class PropertyListFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] -->
| analyzes | OperatingSystemConfigurationFile["Operating System Configuration File"];
class FileAnalysis DefensiveTechniqueNode;
class OperatingSystemConfigurationFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | OperatingSystemConfigurationFile["Operating System Configuration File"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1543["Create or Modify System Process"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class OperatingSystemConfigurationFile ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | PropertyListFile["Property List File"];
class RemoteFileAccessMediation DefensiveTechniqueNode;
class PropertyListFile ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";