MITRE ATT&CK Technique
Persistence T1050
Description

When operating systems boot up, they can start programs or applications called services that perform background system functions. (Citation: TechNet Services) A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry.

Adversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with [Masquerading](https://attack.mitre.org/techniques/T1036). Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1035).

Supported Platforms
Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2017-05-31T21:30:45.613Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'When operating systems boot up, they can start programs or '
                'applications called services that perform background system '
                "functions. (Citation: TechNet Services) A service's "
                'configuration information, including the file path to the '
                "service's executable, is stored in the Windows Registry. \n"
                '\n'
                'Adversaries may install a new service that can be configured '
                'to execute at startup by using utilities to interact with '
                'services or by directly modifying the Registry. The service '
                'name may be disguised by using a name from a related '
                'operating system or benign software with '
                '[Masquerading](https://attack.mitre.org/techniques/T1036). '
                'Services may be created with administrator privileges but are '
                'executed under SYSTEM privileges, so an adversary may also '
                'use a service to escalate privileges from administrator to '
                'SYSTEM. Adversaries may also directly start services through '
                '[Service '
                'Execution](https://attack.mitre.org/techniques/T1035).',
 'external_references': [{'external_id': 'T1050',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1050'},
                         {'external_id': 'CAPEC-550',
                          'source_name': 'capec',
                          'url': 'https://capec.mitre.org/data/definitions/550.html'},
                         {'description': 'Microsoft. (n.d.). Services. '
                                         'Retrieved June 7, 2016.',
                          'source_name': 'TechNet Services',
                          'url': 'https://technet.microsoft.com/en-us/library/cc772408.aspx'},
                         {'description': 'Miroshnikov, A. & Hall, J. (2017, '
                                         'April 18). 4697(S): A service was '
                                         'installed in the system. Retrieved '
                                         'August 7, 2018.',
                          'source_name': 'Microsoft 4697 APR 2017',
                          'url': 'https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697'},
                         {'description': 'Hardy, T. & Hall, J. (2018, February '
                                         '15). Use Windows Event Forwarding to '
                                         'help with intrusion detection. '
                                         'Retrieved August 7, 2018.',
                          'source_name': 'Microsoft Windows Event Forwarding '
                                         'FEB 2018',
                          'url': 'https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection'},
                         {'description': 'Russinovich, M. (2016, January 4). '
                                         'Autoruns for Windows v13.51. '
                                         'Retrieved June 6, 2016.',
                          'source_name': 'TechNet Autoruns',
                          'url': 'https://technet.microsoft.com/en-us/sysinternals/bb963902'}],
 'id': 'attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'privilege-escalation'}],
 'modified': '2025-10-24T17:48:43.848Z',
 'name': 'New Service',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Pedro Harrison'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows'],
 'x_mitre_version': '1.1'}