Description
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net.
PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as PsExec and sc.exe can accept remote servers as arguments and may be used to conduct remote execution.
Adversaries may leverage these mechanisms to execute malicious content, either by creating a new service or by modifying an existing one and then starting it. This technique covers the execution step that is paired with Windows Service when services are used for persistence or privilege escalation.
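The description above names the artifacts a defender can watch for: services created or modified through the service control manager (the INC Ransom entry cites the System log's service-installation event, 7045) and services whose image path launches a command interpreter or an encoded PowerShell command (as in the FIN6 entry). The following Python is an added example, not part of the ATT&CK page or any vendor's product: it parses constructed 7045 event lines in an assumed `key=value` export format and flags installations that match three heuristics (interpreter launched as a service, encoded PowerShell in the image path, service binary in a user-writable location). The field names, the sample events and the heuristic patterns are assumptions to adapt to your own SIEM's export.

```python
"""Flag suspicious Windows service installations (System log Event ID 7045).

Added example for T1569.002 detection. The line format, field names and
heuristics are assumptions; adapt them to the event export you actually have.
"""
import re
from dataclasses import dataclass


@dataclass
class ServiceInstallEvent:
    event_id: int
    service_name: str
    image_path: str
    account: str


@dataclass
class Finding:
    service_name: str
    image_path: str
    reasons: list


# Assumed export format: space-separated key=value pairs, quoted when the value has spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic 1: a command interpreter registered as the service binary.
INTERPRETER_RE = re.compile(r"\b(cmd|powershell|pwsh)(\.exe)?\b|%COMSPEC%", re.IGNORECASE)
# Heuristic 2: PowerShell -EncodedCommand (and its short forms) followed by a base64 blob.
ENCODED_RE = re.compile(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)
# Heuristic 3: service binary placed where an unprivileged user can write.
WRITABLE_RE = re.compile(r"%TEMP%|%TMP%|%APPDATA%|\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\",
                         re.IGNORECASE)

# Constructed sample events (not from a real host). Raw string keeps the backslashes intact.
SAMPLE_LOG = r"""
EventID=7045 ServiceName=Spooler ImagePath="C:\Windows\System32\spoolsv.exe" Account=LocalSystem
EventID=7036 ServiceName=Spooler ImagePath="" Account=LocalSystem
EventID=7045 ServiceName=updsvc ImagePath="%COMSPEC% /c powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA" Account=LocalSystem
EventID=7045 ServiceName=winupd ImagePath="C:\Users\Public\winupd.exe" Account=LocalSystem
this line is malformed and must be skipped
"""


def parse_events(text):
    """Parse key=value lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
        try:
            events.append(ServiceInstallEvent(
                event_id=int(fields["EventID"]),
                service_name=fields["ServiceName"],
                image_path=fields["ImagePath"],
                account=fields.get("Account", ""),
            ))
        except (KeyError, ValueError):
            continue  # missing or non-numeric fields: not a usable event
    return events


def assess(event):
    """Return the list of heuristic reasons this installation looks suspicious (empty if none)."""
    reasons = []
    if INTERPRETER_RE.search(event.image_path):
        reasons.append("command interpreter launched as a service")
    if ENCODED_RE.search(event.image_path):
        reasons.append("encoded PowerShell command in ImagePath")
    if WRITABLE_RE.search(event.image_path):
        reasons.append("service binary in a user-writable location")
    return reasons


def find_suspicious_installs(text):
    """Only 7045 (service installed) events are assessed; status-change events are ignored."""
    findings = []
    for event in parse_events(text):
        if event.event_id != 7045:
            continue
        reasons = assess(event)
        if reasons:
            findings.append(Finding(event.service_name, event.image_path, reasons))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_installs(SAMPLE_LOG):
        print(f"{finding.service_name}: {finding.image_path}")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

Run on the constructed sample, `updsvc` is reported for two reasons (interpreter and encoded command) and `winupd` for its user-writable path, while the legitimate Spooler installation and the 7036 status-change event produce nothing. In production the same heuristics would be joined with process-creation telemetry for `sc.exe`, `net.exe` and PsExec-style tools, since the 7045 event alone does not say which client created the service.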
Platforms
Mitigations (3)
M1026: Privileged Account Management
Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level.
M1040: Behavior Prevention on Endpoint
On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by PsExec from running. (Citation: win10_asr)
M1022: Restrict File and Directory Permissions
Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.
Threat Groups (16)
| ID | Group | Context |
|---|---|---|
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used [PsExec](https://attack.mitre.org/software/S0029) to deploy beacons on compromised systems.(... |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used post-exploitation tools including RemCom and the Non-sucking Service Manager (NSSM) to execute... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has started the SSH service by executing `sc start sshd`.(Citation: BlackBerry_FIN7_April2024) |
| G1032 | INC Ransom | [INC Ransom](https://attack.mitre.org/groups/G1032) has run a file encryption executable via `Service Control Manager/7045;winupd,%SystemRoot%\winupd.... |
| G1047 | Velvet Ant | [Velvet Ant](https://attack.mitre.org/groups/G1047) executed and installed [PlugX](https://attack.mitre.org/software/S0013) as a Windows service.(Cita... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) used svchost.exe and [Net](https://attack.mitre.org/software/S0039) to execute a system service instal... |
| G0091 | Silence | [Silence](https://attack.mitre.org/groups/G0091) has used [Winexe](https://attack.mitre.org/software/S0191) to install a service on the remote system.... |
| G0004 | Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has used a tool known as RemoteExec (similar to [PsExec](https://attack.mitre.org/software/S0029)) t... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has utilized [PsExec](https://attack.mitre.org/software/S0029) to execute scripts and commands w... |
| G0108 | Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/groups/G0108) has executed custom-compiled XMRIG miner DLLs by configuring them to execute via the "wercpl... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050)'s backdoor has used Windows services as a way to execute its malicious payload. (Citation: ESET OceanLo... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) created malicious services for ransomware execution.(Citation: Symantec BlackByte 2022)(Citation: C... |
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has created Windows services to execute encoded PowerShell commands.(Citation: FireEye FIN6 Apr 2019) |
| G1036 | Moonstone Sleet | [Moonstone Sleet](https://attack.mitre.org/groups/G1036) used intermediate loader malware such as YouieLoader and SplitLoader that create malicious se... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has created new services or modified existing ones to run executables, commands, or scripts.(Citation: ... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used `services.exe` to execute scripts and executables during lateral movement within a vic... |
Associated Software (51)
| ID | Name | Type | Context |
|---|---|---|---|
| S0192 | Pupy | Tool | [Pupy](https://attack.mitre.org/software/S0192) uses [PsExec](https://attack.mitre.org/software/S0029) to execute a payload or commands on a remote ho... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) tries to elevate privileges to `SYSTEM` using PsExec to locally execute as a service, s... |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can use [PsExec](https://attack.mitre.org/software/S0029) to execute a payload on a remote ho... |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) has used Windows services as a way to execute its malicious payload.(Citation: ESET InvisiMole J... |
| S0203 | Hydraq | Malware | [Hydraq](https://attack.mitre.org/software/S0203) uses svchost.exe to execute a malicious DLL included in a new service group.(Citation: Symantec Hydr... |
| S1063 | Brute Ratel C4 | Tool | [Brute Ratel C4](https://attack.mitre.org/software/S1063) can create Windows system services for execution.(Citation: Palo Alto Brute Ratel July 2022... |
| S0368 | NotPetya | Malware | [NotPetya](https://attack.mitre.org/software/S0368) can use [PsExec](https://attack.mitre.org/software/S0029) to help propagate itself across a networ... |
| S0166 | RemoteCMD | Malware | [RemoteCMD](https://attack.mitre.org/software/S0166) can execute commands remotely by creating a new service on the remote system.(Citation: Symantec ... |
| S0698 | HermeticWizard | Malware | [HermeticWizard](https://attack.mitre.org/software/S0698) can use `OpenRemoteServiceManager` to create a service.(Citation: ESET Hermetic Wizard March... |
| S0668 | TinyTurla | Malware | [TinyTurla](https://attack.mitre.org/software/S0668) can install itself as a service on compromised machines.(Citation: Talos TinyTurla September 2021... |
| S0606 | Bad Rabbit | Malware | [Bad Rabbit](https://attack.mitre.org/software/S0606) drops a file named `infpub.dat` into the Windows directory and is executed through SCM... |
| S0481 | Ragnar Locker | Malware | [Ragnar Locker](https://attack.mitre.org/software/S0481) has used sc.exe to execute a service that it creates.(Citation: Sophos Ragnar May 2020) |
| S0378 | PoshC2 | Tool | [PoshC2](https://attack.mitre.org/software/S0378) contains an implementation of [PsExec](https://attack.mitre.org/software/S0029) for remote execution... |
| S1060 | Mafalda | Malware | [Mafalda](https://attack.mitre.org/software/S1060) can create a remote service, let it run once, and then delete it.(Citation: SentinelLabs Metador Te... |
| S1202 | LockBit 3.0 | Malware | [LockBit 3.0](https://attack.mitre.org/software/S1202) can use [PsExec](https://attack.mitre.org/software/S0029) to execute commands and payloads.(Cit... |
| S0123 | xCmd | Tool | [xCmd](https://attack.mitre.org/software/S0123) can be used to execute binaries on remote systems by creating and starting a service.(Citation: xCmd) |
| S0191 | Winexe | Tool | [Winexe](https://attack.mitre.org/software/S0191) installs a service on the remote system, executes the command, then uninstalls the service.(Citation... |
| S0127 | BBSRAT | Malware | [BBSRAT](https://attack.mitre.org/software/S0127) can start, stop, or delete services.(Citation: Palo Alto Networks BBSRAT) |
| S0660 | Clambling | Malware | [Clambling](https://attack.mitre.org/software/S0660) can create and start services on a compromised host.(Citation: Trend Micro DRBControl February 20... |
| S0238 | Proxysvc | Malware | [Proxysvc](https://attack.mitre.org/software/S0238) registers itself as a service on the victim’s machine to run as a standalone process.(Citation: Mc... |
References
- Microsoft. (2018, May 31). Service Control Manager. Retrieved March 28, 2020.
- Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11. Retrieved May 13, 2015.
Frequently Asked Questions
What is T1569.002 (Service Execution)?
T1569.002 is a MITRE ATT&CK technique named 'Service Execution'. It belongs to the Execution tactic(s). Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (`services.exe`) is an interface to manage and manip...
How can T1569.002 be detected?
Detection of T1569.002 (Service Execution) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1569.002?
There are 3 documented mitigations for T1569.002. Key mitigations include: Privileged Account Management, Behavior Prevention on Endpoint, Restrict File and Directory Permissions.
Which threat groups use T1569.002?
Known threat groups using T1569.002 include: Chimera, APT39, FIN7, INC Ransom, Velvet Ant, APT41, Silence, Ke3chang.