T1569.002: Service Execution
| View on MITRE ATT&CK | T1569.002 |
|---|---|
| Tactic(s) | Execution |
Data from MITRE ATT&CK®:
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net.
PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as PsExec and sc.exe can accept remote servers as arguments and may be used to conduct remote execution.
Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with Windows Service during service persistence or privilege escalation.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
Reporting from Mandiant which discusses the exploitation of Pulse Secure VPN devices in 2021 and 12 malware families associated with the campaign. ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
APT41 Has Arisen From the DUST
This report from Mandiant outlines APT41 activity observed since 2023 including successful compromises of logistic, media, technology and ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
The Updated APT Playbook: Tales from the Kimsuky threat actor group
This article by researchers at Rapid7 discusses recent activity by North Korean intrusion set 'Kimsuky'. Kimsuky is primarily focused on ...
GhostSec’s joint ransomware operation and evolution of their arsenal
This Threat Spotlight from Cisco Talos describes the evolution of GhostSec's ransomware operations including their work with the Stormous ...
Threat Assessment: Black Basta Ransomware
This threat assessment from Palo Alto's Unit 42 describes the Black Basta 'Ransomware as a Service' operation including TTPs (tactics, techniques ...
Ransomware Spotlight: Black Basta
This report from Trend Micro outlines tactics, techniques and procedures used by the Black Basta Ransomware group. According to the report, Black ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Behavior Prevention on Endpoint
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.Privileged Account Management
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.Restrict File and Directory Permissions
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.How to detect this technique
MITRE ATT&CK Data Components
Service Creation (Service)
Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)Network Traffic Flow (Network Traffic)
Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)Windows Registry Key Modification (Windows Registry)
Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Sigma Detections for this Technique
PsExec Service Installation
smbexec.py Service Installation
RemCom Service Installation
CSExec Service Installation
PUA - NSudo Execution
DNS Events Related To Mining Pools
PUA - CSExec Default Named Pipe
Remote Server Service Abuse for Lateral Movement
CSExec Service File Creation
PowerShell Scripts Installed as Services - Security
Remote Access Tool Services Have Been Installed - Security
Remote Access Tool Services Have Been Installed - System
CobaltStrike Service Installations - System
PAExec Service Installation
PUA - NirCmd Execution As LOCAL SYSTEM
PUA - NirCmd Execution
PowerShell as a Service in Registry
Credential Dumping Tools Service Execution - System
PSExec and WMI Process Creations Block
PUA - RunXCmd Execution
HackTool - SharpUp PrivEsc Tool Execution
Credential Dumping Tools Service Execution - Security
Rundll32 Execution Without Parameters
Potential CobaltStrike Service Installations - Registry
ProcessHacker Privilege Elevation
RemCom Service File Creation
PUA - RemCom Default Named Pipe
PsExec Tool Execution From Suspicious Locations - PipeName
Sliver C2 Default Service Installation
PowerShell Scripts Installed as Services
Malicious Service Installations
Metasploit Or Impacket Service Installation Via SMB PsExec
CobaltStrike Service Installations - Security
PsExec Service File Creation
Start Windows Service Via Net.EXE
PUA - PAExec Default Named Pipe
HackTool Service Registration or Execution
PUA - CsExec Execution
MITRE BZAR Indicators for Execution
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.