T1569: Service Execution

Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface for managing and manipulating services. The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net.

PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.

Adversaries may leverage these mechanisms to execute malicious content. This can be done by executing either a new or a modified service. This technique is the execution step used in conjunction with Windows Service during service persistence or privilege escalation.

Example:

As mentioned previously, one example is PsExec. PsExec drops a binary into the ADMIN$ SMB share and uses services.exe to execute that binary and gain execution.

But to run PsExec, the following requirements must first be met:

1. Server Message Block (SMB) must be available and reachable, i.e. not blocked by a firewall.

2. "File and Print Sharing" must be enabled.

3. "Simple File Sharing" must be disabled.

4. The Admin$ share must be available and accessible. (Admin$ is a hidden SMB share that maps to the Windows directory and is intended for software deployments. The credentials supplied to PsExec must be able to access the Admin$ share.)

When PsExec runs for the first time with the "-accepteula" parameter, it creates a registry key, so be careful about the tracks left behind. Also, this will elevate our permissions to SYSTEM.
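The artefact a defender watches for in the flow above is the service installation itself: every service created through the service control manager, whether by PsExec, sc.exe or a modified service, is recorded in the System log as Event ID 7045 ("A service was installed in the system"). The following is an added example and is not part of this page or of any MITRE or Sysinternals tooling. It takes constructed 7045 records (the field names are those Windows writes for this event; the values are made up), and flags the PSEXESVC service name and binary that PsExec registers, services whose ImagePath is a shell or script launcher, and services whose binary lives outside the Windows and Program Files directories. The list of allowed roots and the expansion of %SystemRoot% to C:\Windows are assumptions of the example.

```python
"""Triage of Windows System-log 7045 'service installed' records for
T1569.002 Service Execution. Added example; not code from the page."""
import re

# Directories a legitimately deployed service binary is expected to live in.
# Assumption of this example: tune to the environment's software baseline.
ALLOWED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Interpreters that, when registered as a service binary, usually mean the
# "service" is really a one-shot command rather than a long-running daemon.
SHELL_LAUNCHERS = ("cmd.exe", "cmd", "powershell.exe", "powershell", "pwsh.exe",
                   "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe")

# Constructed sample records shaped like Event ID 7045 (EventID 7036 is a
# service state change and is included only to show it is ignored).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "WindowsUpdateHelper",
     "ImagePath": r"cmd.exe /c powershell -enc AAAA", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "MyVendorAgent",
     "ImagePath": r'"C:\Program Files\Vendor\agent.exe" --service', "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "upd",
     "ImagePath": r"C:\Users\Public\upd.exe", "AccountName": "LocalSystem"},
    {"EventID": 7036, "ServiceName": "Spooler", "ImagePath": "", "AccountName": ""},
]


def executable_from_image_path(image_path):
    """Return the executable part of a service ImagePath: %SystemRoot% expanded
    (assumed to be C:\\Windows), surrounding quotes and arguments removed.
    An unquoted path containing spaces is truncated at the first space, which
    is itself how Windows would resolve it (the unquoted-service-path issue)."""
    path = image_path.strip()
    path = re.sub(r"%systemroot%", lambda _m: "C:\\Windows", path, flags=re.IGNORECASE)
    if path.startswith('"'):
        end = path.find('"', 1)
        return path[1:end] if end > 0 else path[1:]
    parts = path.split()
    return parts[0] if parts else ""


def classify(event):
    """Return the list of reasons a single 7045 record is suspicious (empty if none)."""
    reasons = []
    name = event.get("ServiceName", "")
    exe = executable_from_image_path(event.get("ImagePath", "")).lower()
    base = exe.rsplit("\\", 1)[-1]
    # PsExec registers its helper as PSEXESVC; the name or the binary gives it away.
    if "psexesvc" in name.lower() or "psexesvc" in exe:
        reasons.append("psexec_service")
    # A service whose binary is cmd/powershell/etc. is a command, not a daemon.
    if base in SHELL_LAUNCHERS:
        reasons.append("shell_launcher")
    # Binaries outside the expected install roots (user-writable dirs, bare names).
    if not exe.startswith(ALLOWED_ROOTS):
        reasons.append("unusual_path")
    return reasons


def triage(events):
    """Filter a stream of System-log records down to suspicious 7045 installs."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        reasons = classify(ev)
        if reasons:
            alerts.append({"ServiceName": ev["ServiceName"],
                           "ImagePath": ev["ImagePath"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["ServiceName"], alert["ImagePath"], ",".join(alert["reasons"]))
```

On the sample data this flags PSEXESVC, the cmd.exe-backed "WindowsUpdateHelper" and the binary in C:\Users\Public, and passes the quoted Program Files service. The same record is also available on newer systems as Security Event ID 4697 when "Audit Security System Extension" is enabled, which additionally names the account that created the service. The registry key the paragraph above refers to is HKCU\Software\Sysinternals\PsExec with the value EulaAccepted, written on the machine PsExec is launched from; on the target, the 7045 record and the PSEXESVC.exe dropped into the Windows directory are the host-side evidence.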
