MITRE ATT&CK Technique
Description
Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075).

Adversaries can modify an existing service to persist malware on a system by using system utilities or by using custom tools to interact with the Windows API. Use of existing services is a type of [Masquerading](https://attack.mitre.org/techniques/T1036) that may make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.

Adversaries may also intentionally corrupt or kill services to execute malicious recovery programs/commands. (Citation: Twitter Service Recovery Nov 2017) (Citation: Microsoft Service Recovery Feb 2013)
Supported Platforms
Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-05-31T21:30:34.928Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Windows service configuration information, including the file '
"path to the service's executable or recovery "
'programs/commands, is stored in the Registry. Service '
'configurations can be modified using utilities such as sc.exe '
'and [Reg](https://attack.mitre.org/software/S0075).\n'
'\n'
'Adversaries can modify an existing service to persist malware '
'on a system by using system utilities or by using custom '
'tools to interact with the Windows API. Use of existing '
'services is a type of '
'[Masquerading](https://attack.mitre.org/techniques/T1036) '
'that may make detection analysis more challenging. Modifying '
'existing services may interrupt their functionality or may '
'enable services that are disabled or otherwise not commonly '
'used.\n'
'\n'
'Adversaries may also intentionally corrupt or kill services '
'to execute malicious recovery programs/commands. (Citation: '
'Twitter Service Recovery Nov 2017) (Citation: Microsoft '
'Service Recovery Feb 2013)',
'external_references': [{'external_id': 'T1031',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1031'},
{'external_id': 'CAPEC-551',
'source_name': 'capec',
'url': 'https://capec.mitre.org/data/definitions/551.html'},
{'description': 'The Cyber (@r0wdy_). (2017, November '
'30). Service Recovery Parameters. '
'Retrieved April 9, 2018.',
'source_name': 'Twitter Service Recovery Nov 2017',
'url': 'https://twitter.com/r0wdy_/status/936365549553991680'},
{'description': 'Microsoft. (2013, February 22). Set '
'up Recovery Actions to Take Place '
'When a Service Fails. Retrieved '
'April 9, 2018.',
'source_name': 'Microsoft Service Recovery Feb 2013',
'url': 'https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753662(v=ws.11)'},
{'description': 'Russinovich, M. (2016, January 4). '
'Autoruns for Windows v13.51. '
'Retrieved June 6, 2016.',
'source_name': 'TechNet Autoruns',
'url': 'https://technet.microsoft.com/en-us/sysinternals/bb963902'}],
'id': 'attack-pattern--62dfd1ca-52d5-483c-a84b-d6e80bf94b7b',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'}],
'modified': '2025-10-24T17:48:51.635Z',
'name': 'Modify Existing Service',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Travis Smith, Tripwire',
'Matthew Demaske, Adaptforward'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.1'}