Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (`services.exe`) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net.
PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals)
Adversaries may leverage these mechanisms to execute malicious content, either by creating a new service or by modifying an existing one and then starting it. This technique is the execution step used in conjunction with Windows Service during service persistence or privilege escalation.
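Defender-side triage for this technique, as an added example that is not part of the ATT&CK description or the control mappings: it scores constructed records modelled on the Windows System log's Event ID 7045 ("A service was installed in the system") for the patterns the text describes, a service whose binary is a command interpreter, a binary in a user-writable path, or a demand-start service registered by an interactive user. The `PSEXESVC` service name is assumed (PsExec's default helper name) and is not a value from this page.

```python
import re

# Constructed records modelled on Windows System log Event ID 7045
# ("A service was installed in the system", source: Service Control Manager).
# Field names mirror that event; every value below is made up for this example.
SAMPLE_EVENTS = [
    {"ServiceName": "Print Spooler Helper", "StartType": "auto start",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"ServiceName": "PSEXESVC", "StartType": "demand start",   # PsExec default name (assumed)
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "User": "CORP\\jdoe"},
    {"ServiceName": "UpdateSvc", "StartType": "demand start",
     "ImagePath": r"%COMSPEC% /c powershell -nop -w hidden -EncodedCommand <constructed>",
     "User": "CORP\\jdoe"},
    {"ServiceName": "helper", "StartType": "demand start",
     "ImagePath": r"C:\Users\jdoe\AppData\Local\Temp\helper.exe", "User": "CORP\\jdoe"},
]

# A service whose binary is a command or script interpreter simply runs whatever
# arguments follow it as the service account, which is what this technique relies on.
INTERPRETER = re.compile(
    r"%COMSPEC%|\b(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b", re.I)
# Service binaries normally live under the Windows or Program Files directories;
# a path under a user profile or a Temp directory is unusual for a legitimate install.
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData)\\", re.I)
# Assumption: PsExec registers its helper as PSEXESVC by default; add names from your own tooling.
REMOTE_EXEC_SERVICES = {"PSEXESVC"}

def assess(event):
    """Return the reasons a 7045 record looks like ad-hoc execution through the SCM."""
    reasons = []
    path = event["ImagePath"]
    if INTERPRETER.search(path):
        reasons.append("service binary is a command/script interpreter")
    if USER_WRITABLE.search(path):
        reasons.append("service binary in user-writable location")
    if event["ServiceName"].upper() in REMOTE_EXEC_SERVICES:
        reasons.append("known remote-execution helper service name")
    # 7045 names the account that installed the service; a demand-start service
    # registered by an interactive user account, rather than SYSTEM, merits a look.
    if event["StartType"] == "demand start" and not event["User"].upper().startswith("NT AUTHORITY\\"):
        reasons.append("demand-start service installed by a user account")
    return reasons

def triage(events):
    """Map each flagged service name to its reasons; records with no findings are dropped."""
    return {e["ServiceName"]: r for e in events if (r := assess(e))}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The same heuristics apply to Security log Event ID 4697 records, which carry equivalent service-name and image-path fields.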
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-2 | Account Management | Protects | T1569.002 | Service Execution | |
AC-3 | Access Enforcement | Protects | T1569.002 | Service Execution | |
AC-5 | Separation of Duties | Protects | T1569.002 | Service Execution | |
AC-6 | Least Privilege | Protects | T1569.002 | Service Execution | |
CA-7 | Continuous Monitoring | Protects | T1569.002 | Service Execution | |
CM-2 | Baseline Configuration | Protects | T1569.002 | Service Execution | |
CM-5 | Access Restrictions for Change | Protects | T1569.002 | Service Execution | |
CM-6 | Configuration Settings | Protects | T1569.002 | Service Execution | |
CM-7 | Least Functionality | Protects | T1569.002 | Service Execution | |
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1569.002 | Service Execution | |
SI-3 | Malicious Code Protection | Protects | T1569.002 | Service Execution | |
SI-4 | System Monitoring | Protects | T1569.002 | Service Execution | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1569.002 | Service Execution | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_sentinel | Azure Sentinel | technique_scores | T1569.002 | Service Execution | The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can use PsExec to execute a payload on a remote host, but does not address other procedures. |
microsoft_defender_for_identity | Microsoft Defender for Identity | technique_scores | T1569.002 | Service Execution | This control's "Remote code execution attempt (external ID 2019)" alert can detect remote code execution via PsExec. This may lead to false positives, as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers. Additionally, this alert appears to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage. |