T1569.002: Service Execution

Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services. The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net.

PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API. Tools such as PsExec and sc.exe can accept remote servers as arguments and may be used to conduct remote execution.

Adversaries may leverage these mechanisms to execute malicious content, either by executing a newly created service or by executing a modified existing one. This technique is the execution step used together with Windows Service abuse during service-based persistence or privilege escalation.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mssql_database: PT-CR-425: MSSQL_Windows_Service_Control: An attempt to change a Windows service state from a database
mitre_attck_execution: PT-CR-257: Windows_Service_Installed: An attempt to install a new service from non-system Windows directories is detected
mitre_attck_execution: PT-CR-217: Execute_PSEXEC: Detection of attempts to start the administrative utility PsExec or similar utilities
mitre_attck_execution: PT-CR-1962: Remote_Registry_Enable: Possible start of the Remote Registry service to remotely change the values of Windows registry keys, which can be used for lateral movement
mitre_attck_execution: PT-CR-778: Hidden_Service_Create: Creation of a hidden service from the registry without using the CreateService function is detected
mitre_attck_persistence: PT-CR-271: Service_Created_Or_Modified: An attempt to perform operations on Microsoft Windows services using the command line or PowerShell is detected
mitre_attck_lateral_movement: PT-CR-1981: SVCCTL_Connection: Remote connection to the Service Control Manager via svcctl, which allows remote management of Windows services
mitre_attck_lateral_movement: PT-CR-226: Remoting_Impacket_PsExec: Remote code execution using Impacket PsExec is detected
mitre_attck_lateral_movement: PT-CR-215: Remoting_WinExec: Use of the WinExec utility (Kali) for remote command execution is detected
mitre_attck_lateral_movement: PT-CR-1752: Service_From_Remote_File_Creation: A service was created from a network directory
mitre_attck_lateral_movement: PT-CR-589: Remoting_SysInternals_PsExec: Remote code execution using Sysinternals Suite PsExec is detected
mitre_attck_lateral_movement: PT-CR-785: Modify_And_Start_Remote_Service: An attempt at code execution or lateral movement by changing a system service startup command is detected
hacking_tools: PT-CR-1356: Sliver_PsExec: Start of the PsExec module of the Sliver C2 framework is detected
hacking_tools: PT-CR-523: Remote_Connection_Through_SMBEXEC_WinXP: Detection of attempts to exploit SMBExec for persistence
hacking_tools: PT-CR-1838: NimExec_Activity: Activity of the NimExec tool, used to remotely execute commands, is detected

Detection

ID: DS0029
Data source and component: Network Traffic: Network Traffic Flow
Description:

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

ID: DS0019
Data source and component: Service: Service Creation
Description:

Monitor newly constructed services that abuse the service control manager to execute malicious commands or payloads.

ID: DS0024
Data source and component: Windows Registry: Windows Registry Key Modification
Description:

Monitor for changes made to Windows registry keys and/or values that may abuse the Windows service control manager to execute malicious commands or payloads.

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor for newly executed processes that may abuse the Windows service control manager to execute malicious commands or payloads.

Events 4688 (Microsoft Windows Security Auditing) and 1 (Microsoft Windows Sysmon) provide context on Windows process creation that can be used to implement this detection.

This detection is based on uncommon process and parent process relationships. The Service Control Manager (services.exe) spawning a command shell is a good starting point. Add more suspicious relationships based on the reality of your network environment.

In order to reduce false positives, you can also filter the CommandLine event field for parameters such as /c, which makes cmd.exe carry out the command string passed by the parent process and then exit.

Analytic 1 - Service Execution

(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") | WHERE ParentImage LIKE "*services.exe" AND Image LIKE "*cmd.exe"
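As an added example (not part of the original page or of MITRE's analytic), the same parent/child check applied to constructed Sysmon Event ID 1 and Security 4688 records: each source's own field names are normalized first, then services.exe spawning cmd.exe is flagged, with the optional /c filter from the text to cut false positives. All event data below is constructed for illustration.

```python
import ntpath
from typing import Dict, List, Optional

# Constructed sample events (not real telemetry). Sysmon Event ID 1 uses
# Image/ParentImage; Security 4688 uses NewProcessName/ParentProcessName.
SAMPLE_EVENTS = [
    {"source": "WinEventLog:Microsoft-Windows-Sysmon/Operational", "EventCode": "1",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "cmd.exe /c whoami"},                   # SCM -> shell with /c
    {"source": "WinEventLog:Security", "EventCode": "4688",
     "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},          # normal SCM child
    {"source": "WinEventLog:Security", "EventCode": "4688",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},                      # user shell, wrong parent
    {"source": "WinEventLog:Security", "EventCode": "4688",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "CommandLine": "cmd.exe"},                             # SCM -> shell, no /c
]

def normalize(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Map a Sysmon 1 or Security 4688 record onto one image/parent/cmdline shape."""
    src = event.get("source", "")
    if event.get("EventCode") == "1" and "Sysmon" in src:
        return {"image": event["Image"], "parent": event["ParentImage"],
                "cmdline": event.get("CommandLine", "")}
    if event.get("EventCode") == "4688" and src.endswith("Security"):
        return {"image": event["NewProcessName"], "parent": event["ParentProcessName"],
                "cmdline": event.get("CommandLine", "")}
    return None  # other event IDs are not process-creation records

def _exe(path: str) -> str:
    # Compare on the executable name only, case-insensitively (Windows paths).
    return ntpath.basename(path).lower()

def detect_service_shell(events, require_c_switch: bool = True) -> List[Dict[str, str]]:
    """Flag services.exe spawning cmd.exe; with require_c_switch, only when /c is present."""
    hits = []
    for ev in events:
        n = normalize(ev)
        if n is None or _exe(n["parent"]) != "services.exe" or _exe(n["image"]) != "cmd.exe":
            continue
        if require_c_switch and "/c" not in n["cmdline"].lower().split():
            continue
        hits.append(n)
    return hits
```

Run against the constructed set, the default call returns only the services.exe -> cmd.exe /c record; disabling the /c filter also returns the bare cmd.exe child.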

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments that may abuse the Windows service control manager to execute malicious commands or payloads.

Mitigation

ID: M1026
Name: Privileged Account Management
Description:

Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level.

ID: M1040
Name: Behavior Prevention on Endpoint
Description:

On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by PsExec from running.

ID: M1022
Name: Restrict File and Directory Permissions
Description:

Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.