Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and Net.
PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as PsExec and <code>sc.exe</code> can accept remote servers as arguments and may be used to conduct remote execution.
Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with Windows Service during service persistence or privilege escalation.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.05 | Remote access protection | Mitigates | T1569.002 | Service Execution |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1569.002 | Service Execution |
Comments
This diagnostic statement protects against Service Execution through the use of privileged account management and the use of multi-factor authentication.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1569.002 | Service Execution | |
| CM-06 | Configuration Settings | mitigates | T1569.002 | Service Execution | |
| CM-05 | Access Restrictions for Change | mitigates | T1569.002 | Service Execution | |
| SI-03 | Malicious Code Protection | mitigates | T1569.002 | Service Execution | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1569.002 | Service Execution | |
| CM-02 | Baseline Configuration | mitigates | T1569.002 | Service Execution | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1569.002 | Service Execution | |
| CM-07 | Least Functionality | mitigates | T1569.002 | Service Execution | |
| SI-04 | System Monitoring | mitigates | T1569.002 | Service Execution | |
| AC-02 | Account Management | mitigates | T1569.002 | Service Execution | |
| AC-03 | Access Enforcement | mitigates | T1569.002 | Service Execution | |
| AC-05 | Separation of Duties | mitigates | T1569.002 | Service Execution | |
| AC-06 | Least Privilege | mitigates | T1569.002 | Service Execution |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1569.002 | Service Execution | |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1569.002 | Service Execution | |
| action.malware.vector.Direct install | Directly installed or inserted by threat agent (after system access) | related-to | T1569.002 | Service Execution |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1569.002 | Service Execution |
Comments
Google Security Ops is able to trigger alerts based off command-line arguments and suspicious system process that could indicate abuse of Windows system service to execute malicious commands or code (e.g., "*\\execute\.bat").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/smbexec_py_service_installation.yaral
References
|