T1569.002 Service Execution Mappings

Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and Net.

PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals)

Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with Windows Service during service persistence or privilege escalation.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1569.002 Service Execution
AC-3 Access Enforcement Protects T1569.002 Service Execution
AC-5 Separation of Duties Protects T1569.002 Service Execution
AC-6 Least Privilege Protects T1569.002 Service Execution
CA-7 Continuous Monitoring Protects T1569.002 Service Execution
CM-2 Baseline Configuration Protects T1569.002 Service Execution
CM-5 Access Restrictions for Change Protects T1569.002 Service Execution
CM-6 Configuration Settings Protects T1569.002 Service Execution
CM-7 Least Functionality Protects T1569.002 Service Execution
IA-2 Identification and Authentication (organizational Users) Protects T1569.002 Service Execution
SI-3 Malicious Code Protection Protects T1569.002 Service Execution
SI-4 System Monitoring Protects T1569.002 Service Execution
SI-7 Software, Firmware, and Information Integrity Protects T1569.002 Service Execution
action.hacking.variety.Abuse of functionality Abuse of functionality related-to T1569.002 System Services: Service Execution
action.malware.vector.Direct install Directly installed or inserted by threat agent (after system access) related-to T1569.002 System Services: Service Execution