T1569.002

Service Execution

Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (`services.exe`) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and [Net](https://attack.mitre.org/software/S0039). [PsExec](https://attack.mitre.org/software/S0029) can also b...

Platform: Windows
Detections: 63
Sources: 3
Threat Actors: 16

BY SOURCE

39 sigma, 13 elastic, 11 splunk_escu

PROCEDURES (29)

Each tag below was auto-extracted from the detections listed on this page; the count is the number of detections carrying that tag.

- Service: 8 detections
- Process Creation Monitoring: 6 detections
- Lateral: 5 detections
- Registry: 3 detections
- Persist: 3 detections
- Powershell: 3 detections
- Service: 3 detections
- General Monitoring: 3 detections
- Remote: 2 detections
- Persist: 2 detections
- Ransomware: 2 detections
- Suspicious: 2 detections
- Beacon: 2 detections
- Credential: 2 detections
- Privilege: 2 detections
- Suspicious: 2 detections
- Ransomware: 1 detection
- Cloud Monitoring: 1 detection
- Event Log: 1 detection
- Privilege: 1 detection
- Suspicious: 1 detection
- Remote: 1 detection
- Beacon: 1 detection
- Remote: 1 detection
- Lateral: 1 detection
- Service: 1 detection
- Persist: 1 detection
- Privilege: 1 detection
- Event Log: 1 detection

DETECTIONS (63)

Each entry gives the detection name followed by its source and, where the source assigns one, its severity level.

- CobaltStrike Service Installations - Security (sigma, high)
- CobaltStrike Service Installations - System (sigma, critical)
- Credential Dumping Tools Service Execution - Security (sigma, high)
- Credential Dumping Tools Service Execution - System (sigma, high)
- CSExec Service File Creation (sigma, medium)
- CSExec Service Installation (sigma, medium)
- Detect Renamed PSExec (splunk_escu)
- DNS Events Related To Mining Pools (sigma, low)
- Excessive Usage Of SC Service Utility (splunk_escu)
- First Time Seen Running Windows Service (splunk_escu)
- HackTool - SharpUp PrivEsc Tool Execution (sigma, critical)
- HackTool Service Registration or Execution (sigma, high)
- Linux Auditd Service Started (splunk_escu)
- Malicious Powershell Executed As A Service (splunk_escu)
- Metasploit Or Impacket Service Installation Via SMB PsExec (sigma, high)
- MITRE BZAR Indicators for Execution (sigma, medium)
- PAExec Service Installation (sigma, medium)
- Potential CobaltStrike Service Installations - Registry (sigma, high)
- Potential Privilege Escalation via Service ImagePath Modification (elastic, medium)
- PowerShell as a Service in Registry (sigma, high)
- PowerShell Scripts Installed as Services (sigma, high)
- PowerShell Scripts Installed as Services - Security (sigma, high)
- ProcessHacker Privilege Elevation (sigma, high)
- PSExec and WMI Process Creations Block (sigma, high)
- PsExec Network Connection (elastic, low)
- PsExec Service File Creation (sigma, low)
- PsExec Service Installation (sigma, medium)
- PsExec Tool Execution From Suspicious Locations - PipeName (sigma, medium)
- PUA - CSExec Default Named Pipe (sigma, medium)
- PUA - CsExec Execution (sigma, high)
- PUA - NirCmd Execution (sigma, medium)
- PUA - NirCmd Execution As LOCAL SYSTEM (sigma, high)
- PUA - NSudo Execution (sigma, high)
- PUA - PAExec Default Named Pipe (sigma, medium)
- PUA - RemCom Default Named Pipe (sigma, medium)
- PUA - RunXCmd Execution (sigma, high)
- RemCom Service File Creation (sigma, medium)
- RemCom Service Installation (sigma, medium)
- Remote Access Tool Services Have Been Installed - Security (sigma, medium)
- Remote Access Tool Services Have Been Installed - System (sigma, medium)
- Remote Server Service Abuse for Lateral Movement (sigma, high)
- Remote Windows Service Installed (elastic, medium)
- Remotely Started Services via RPC (elastic, medium)
- Rundll32 Execution Without Parameters (sigma, high)
- Service Command Lateral Movement (elastic, low)
- Service Control Spawned via Script Interpreter (elastic, low)
- Sliver C2 Default Service Installation (sigma, high)
- smbexec.py Service Installation (sigma, high)
- Start Windows Service Via Net.EXE (sigma, low)
- Suspicious Process Execution via Renamed PsExec Executable (elastic, medium)
- Svchost spawning Cmd (elastic, low)
- System Shells via Services (elastic, medium)
- Systemd Service Started by Unusual Parent Process (elastic, low)
- Unsigned DLL Loaded by Svchost (elastic, medium)
- Unusual Process For a Windows Host (elastic, low)
- Unusual Windows Service (elastic, low)
- WFP Filter Added via Registry (sigma, medium)
- Windows ScManager Security Descriptor Tampering Via Sc.EXE (splunk_escu)
- Windows Service Create SliverC2 (splunk_escu)
- Windows Service Created with Suspicious Service Name (splunk_escu)
- Windows Service Created with Suspicious Service Path (splunk_escu)
- Windows Service Execution RemCom (splunk_escu)
- Windows Snake Malware Service Create (splunk_escu)