Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and Net.
PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals)
Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with Windows Service during service persistence or privilege escalation.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1569.002 | Service Execution | |
| AC-3 | Access Enforcement | Protects | T1569.002 | Service Execution | |
| AC-5 | Separation of Duties | Protects | T1569.002 | Service Execution | |
| AC-6 | Least Privilege | Protects | T1569.002 | Service Execution | |
| CA-7 | Continuous Monitoring | Protects | T1569.002 | Service Execution | |
| CM-2 | Baseline Configuration | Protects | T1569.002 | Service Execution | |
| CM-5 | Access Restrictions for Change | Protects | T1569.002 | Service Execution | |
| CM-6 | Configuration Settings | Protects | T1569.002 | Service Execution | |
| CM-7 | Least Functionality | Protects | T1569.002 | Service Execution | |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1569.002 | Service Execution | |
| SI-3 | Malicious Code Protection | Protects | T1569.002 | Service Execution | |
| SI-4 | System Monitoring | Protects | T1569.002 | Service Execution | |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1569.002 | Service Execution |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1569.002 | System Services: Service Execution | |
| action.malware.vector.Direct install | Directly installed or inserted by threat agent (after system access) | related-to | T1569.002 | System Services: Service Execution |