T1569.002 Service Execution Mappings

Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and Net.

PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as PsExec and <code>sc.exe</code> can accept remote servers as arguments and may be used to conduct remote execution.

Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with Windows Service during service persistence or privilege escalation.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-02 Account Management Protects T1569.002 Service Execution
AC-03 Access Enforcement Protects T1569.002 Service Execution
AC-05 Separation of Duties Protects T1569.002 Service Execution
AC-06 Least Privilege Protects T1569.002 Service Execution
CA-07 Continuous Monitoring Protects T1569.002 Service Execution
CM-02 Baseline Configuration Protects T1569.002 Service Execution
CM-05 Access Restrictions for Change Protects T1569.002 Service Execution
CM-06 Configuration Settings Protects T1569.002 Service Execution
CM-07 Least Functionality Protects T1569.002 Service Execution
IA-02 Identification and Authentication (organizational Users) Protects T1569.002 Service Execution
SI-03 Malicious Code Protection Protects T1569.002 Service Execution
SI-04 System Monitoring Protects T1569.002 Service Execution
SI-07 Software, Firmware, and Information Integrity Protects T1569.002 Service Execution