1. Home
  2. ATT&CK Techniques
  3. T1569.002 Service Execution

T1569.002 Service Execution

Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and Net.

PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as PsExec and <code>sc.exe</code> can accept remote servers as arguments and may be used to conduct remote execution.

Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with Windows Service during service persistence or privilege escalation.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.IR-01.05 Remote access protection Mitigates T1569.002 Service Execution
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
    PR.AA-05.02 Privileged system access Mitigates T1569.002 Service Execution
    Comments
    This diagnostic statement protects against Service Execution through the use of privileged account management and the use of multi-factor authentication.
    References

      NIST 800-53 Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      CA-07 Continuous Monitoring mitigates T1569.002 Service Execution
      CM-06 Configuration Settings mitigates T1569.002 Service Execution
      CM-05 Access Restrictions for Change mitigates T1569.002 Service Execution
      SI-03 Malicious Code Protection mitigates T1569.002 Service Execution
      SI-07 Software, Firmware, and Information Integrity mitigates T1569.002 Service Execution
      CM-02 Baseline Configuration mitigates T1569.002 Service Execution
      IA-02 Identification and Authentication (Organizational Users) mitigates T1569.002 Service Execution
      CM-07 Least Functionality mitigates T1569.002 Service Execution
      SI-04 System Monitoring mitigates T1569.002 Service Execution
      AC-02 Account Management mitigates T1569.002 Service Execution
      AC-03 Access Enforcement mitigates T1569.002 Service Execution
      AC-05 Separation of Duties mitigates T1569.002 Service Execution
      AC-06 Least Privilege mitigates T1569.002 Service Execution

      Known Exploited Vulnerabilities Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      CVE-2021-35394 Realtek Jungle SDK Remote Code Execution Vulnerability secondary_impact T1569.002 Service Execution
      Comments
      The vulnerability in Realtek Jungle chipsets is exploited by remote, unauthenticated attackers using UDP packets to a server on port 9034, enabling remote execution of arbitrary commands. The attack involves injecting a shell command that downloads and executes a shell script on the compromised device. This script downloads binaries for various CPU architectures, such as ARM, MIPS, and SuperH, primarily from the Mirai malware family, turning the device into a botnet node. The attack script connects to a malicious IP to download and execute malware, with threats mainly from Mirai, Gafgyt, and Mozi families. It also includes a new DDoS botnet called RedGoBot, developed in Golang. The script uses wget and curl to download botnet clients for different processor architectures. RedGoBot can perform DDoS attacks on various protocols, including HTTP, ICMP, TCP, UDP, VSE, and OpenVPN, upon receiving commands from the threat operator. Additionally, injected commands can write binary payloads to files for execution or reboot the targeted server to cause denial of service.
      References
      1. https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/
      2. https://blogs.juniper.net/en-us/threat-research/realtek-cve-2021-35394-exploited-in-the-wild

      VERIS Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1569.002 Service Execution
      action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1569.002 Service Execution
      action.malware.vector.Direct install Directly installed or inserted by threat agent (after system access) related-to T1569.002 Service Execution

      Azure Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      microsoft_sentinel Microsoft Sentinel technique_scores T1569.002 Service Execution
      Comments
      The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can use PsExec to execute a payload on a remote host, but does not address other procedures.
      References
      1. https://learn.microsoft.com/en-us/azure/sentinel/overview
      2. https://learn.microsoft.com/en-us/azure/sentinel/hunting

      GCP Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      google_secops Google Security Operations technique_scores T1569.002 Service Execution
      Comments
      Google Security Ops is able to trigger alerts based off command-line arguments and suspicious system process that could indicate abuse of Windows system service to execute malicious commands or code (e.g., "*\\execute\.bat"). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/smbexec_py_service_installation.yaral
      References
      1. ['https://cloud.google.com/security/products/security-operations'
      2. 'https://cloud.google.com/chronicle/docs/secops/secops-overview'
      3. 'https://github.com/chronicle/detection-rules']

      M365 Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      DEF-ID-E5 Microsoft Defender for Identity Technique Scores T1569.002 Service Execution
      Comments
      This control's "Remote code execution attempt (external ID 2019)" alert can detect Remote code execution via Psexec. This may lead to false positives as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers. Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage.
      References