# T1569: Service Execution

Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services. The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net.

PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.

Adversaries may leverage these mechanisms to execute malicious content. This can be done by executing either a new or a modified service. This technique is the execution step used in conjunction with Windows Service during service persistence or privilege escalation.

Example:

As mentioned previously, PsExec is one example. PsExec drops a binary into the ADMIN$ SMB share and uses services.exe (the service control manager) to run that binary as a temporary service, gaining execution on the host.

But to run PsExec first we need to meet certain requirements such as:

1. **Server Message Block** (SMB) must be available and reachable, i.e. not blocked by a firewall.

2. **"File and Print Sharing"** must be enabled.

3. **"Simple File Sharing"** must be disabled.

4. **Admin$** share must be available and accessible. (Admin$ is a hidden SMB share that maps to the Windows directory and is intended for software deployments. The credentials supplied to PsExec must be able to access the Admin$ share.)

The screenshot below shows PsExec running for the first time with the "-accepteula" parameter. This parameter creates a registry key, so be careful about the tracks it leaves. Running it this way will also elevate our permissions to SYSTEM.

![](/files/-MRkAf8-KnTFbvp__NFB)
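To see how the PsExec flow above looks from the detection side, here is an added example (not from the original notes): a small Python detector that reads constructed Windows System log Event ID 7045 ("A service was installed") records, flattened to a key=value format assumed for this example, and flags the pattern described above: the default PSEXESVC service name and a binary dropped directly into the Windows directory that ADMIN$ maps to, started on demand as LocalSystem.

```python
import re

# Constructed sample records modelled on Windows System log Event ID 7045,
# flattened to key=value pairs. The values are made up for this example.
SAMPLE_7045 = [
    "ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe StartType=demand start AccountName=LocalSystem",
    "ServiceName=wuauserv ImagePath=C:\\Windows\\System32\\svchost.exe -k netsvcs StartType=auto start AccountName=LocalSystem",
    "ServiceName=a3f9c1 ImagePath=C:\\Windows\\a3f9c1.exe StartType=demand start AccountName=LocalSystem",
    "ServiceName=MyAgent ImagePath=\"C:\\Program Files\\Vendor\\agent.exe\" StartType=auto start AccountName=NT AUTHORITY\\NetworkService",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
# An .exe sitting directly in C:\Windows, i.e. the root of the ADMIN$ share.
WINDOWS_ROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$")

def parse_7045(line):
    """Split one flattened 7045 record into a dict of its fields."""
    return {k: v for k, v in FIELD_RE.findall(line)}

def image_binary(image_path):
    """Return the executable part of ImagePath, lower-cased, with %SystemRoot% expanded."""
    p = image_path.strip().lower().replace("%systemroot%", "c:\\windows")
    if p.startswith('"'):
        return p[1:].split('"', 1)[0]
    return p.split(" ", 1)[0]

def classify(record):
    """Return the reasons a 7045 record looks like PsExec-style service execution."""
    reasons = []
    name = record.get("ServiceName", "").lower()
    binary = image_binary(record.get("ImagePath", ""))
    if name == "psexesvc":
        reasons.append("default PsExec service name")
    if WINDOWS_ROOT_EXE.match(binary):
        reasons.append("binary dropped directly in the Windows directory (ADMIN$ root)")
    if reasons and record.get("StartType", "").lower().startswith("demand") \
            and record.get("AccountName", "").lower() == "localsystem":
        reasons.append("demand-start service running as LocalSystem")
    return reasons

def find_suspicious(lines):
    """Map service name -> reasons for every record that triggers at least one rule."""
    hits = {}
    for line in lines:
        rec = parse_7045(line)
        reasons = classify(rec)
        if reasons:
            hits[rec["ServiceName"]] = reasons
    return hits
```

Renamed services (PsExec's -r option) escape the name rule, which is why the image-path and start-type rules are evaluated independently of it.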
