Windows Services
Location:
HKLM\SYSTEM\CurrentControlSet\Services
Classification:
| Criteria | Value |
|---|---|
| Permissions | Admin |
| Security context | System |
| Persistence type | Registry |
| Code type | EXE, DLL, Other |
| Launch type | Automatic |
| Impact | Non-destructive |
| OS Version | All OS versions |
| Dependencies | OS only |
| Toolset | Scriptable [1] |
Description:
Windows Services are one of the best known and most widely used persistence mechanisms. The EXE-based approach is the best known, but DLLs loaded by svchost.exe are used as well, including by malicious actors.
Officially, the DLL must be indicated within the Parameters subkey, but in practice this is not required, which makes detection a bit harder. [2]
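A defender-side inventory for the point above, as an added example that is not part of the original page: it lists Win32 services under HKLM\SYSTEM\CurrentControlSet\Services and reports where each ServiceDll value was found. Looking for ServiceDll directly under the service key is an assumption about where the value sits when Parameters is not used; the helper name Get-RegValue and the output columns are illustrative.

```powershell
# Added example, not from the original page.
# Assumption: a svchost-hosted service may carry ServiceDll directly under
# its own key instead of under the Parameters subkey.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$services = foreach ($key in Get-ChildItem -LiteralPath $root) {
    $path = Join-Path $root $key.PSChildName
    $type = Get-RegValue $path 'Type'
    # Keep Win32 services only (0x10 own process, 0x20 shared process).
    if ($null -eq $type -or -not ($type -band 0x30)) { continue }

    $dllParams = Get-RegValue "$path\Parameters" 'ServiceDll'
    $dllRoot   = Get-RegValue $path 'ServiceDll'
    $dll       = if ($dllParams) { $dllParams } else { $dllRoot }

    [pscustomobject]@{
        Name        = $key.PSChildName
        Start       = Get-RegValue $path 'Start'   # 2 = automatic start
        ImagePath   = Get-RegValue $path 'ImagePath'
        ServiceDll  = $dll
        DllLocation = if ($dllParams) { 'Parameters' } elseif ($dllRoot) { 'ServiceKey' } else { $null }
        DllOnDisk   = if ($dll) { Test-Path -LiteralPath $dll } else { $null }
    }
}

# Entries worth a manual look: DLL registered outside Parameters, or DLL file missing.
$services |
    Where-Object { $_.ServiceDll -and
                   ($_.DllLocation -eq 'ServiceKey' -or -not $_.DllOnDisk) } |
    Format-Table Name, Start, DllLocation, ServiceDll, DllOnDisk -AutoSize

# Full inventory, for comparison against a known-good baseline.
$services | Sort-Object Name |
    Export-Csv -NoTypeInformation -Path .\services-inventory.csv
```

Run it from an elevated 64-bit PowerShell session so that protected service keys and System32 paths resolve as the service host would see them.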
References:
Credits:
See also:
Remarks:
-
[1] Also remotely with sc.exe