Common Information
Type | Value
---|---
Value | Service Execution - T1569.002
Category | Attack-Pattern
Type | Mitre-Attack-Pattern
Misp Type | Cluster
Description | Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (`services.exe`) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and [Net](https://attack.mitre.org/software/S0039). [PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and `sc.exe` can accept remote servers as arguments and may be used to conduct remote execution. Adversaries may leverage these mechanisms to execute malicious content, either by executing a new service or by executing a modified one. This technique is the execution step used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.
Details | CTI | Published | Attributes | Title
---|---|---|---|---
Details | Website | 2021-04-08 | 54 | (Are you) afreight of the dark? Watch out for Vyveva, new Lazarus backdoor \| WeLiveSecurity
Details | Website | 2021-04-06 | 71 | McAfee Defender’s Blog: Cuba Ransomware Campaign \| McAfee Blog
Details | Website | 2021-03-24 | 10 | Hunting and detecting Cobalt Strike
Details | Website | 2021-03-16 | 92 | The Tick group targeting Japanese manufacturing - Security Business - Macnica
Details | Website | 2021-02-25 | 161 | Lazarus targets defense industry with ThreatNeedle
Details | Website | 2021-02-25 | 190 | So Unchill: Melting UNC2198 ICEDID to Ransomware Operations \| Mandiant
Details | Website | 2021-01-27 | 20 | CrimsonIAS: Listening for an 3v1l User
Details | Website | 2021-01-12 | 216 | Abusing cloud services to fly under the radar
Details | Website | 2021-01-12 | 215 | Abusing cloud services to fly under the radar
Details | Website | 2020-12-23 | 112 | Lazarus covets COVID-19-related intelligence
Details | Website | 2020-12-17 | 91 | Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations \| CISA
Details | Website | 2020-12-16 | 43 | UNC2452 Threat Actor Group Threat Intel Advisory \| Threat Intelligence \| CloudSEK
Details | Website | 2020-12-14 | 220 | Carbanak/ FIN7 Crime Gang Threat Intel Advisory \| Threat Intelligence \| CloudSEK
Details | Website | 2020-12-13 | 49 | SolarWinds Supply Chain Attack Uses SUNBURST Backdoor
Details | Website | 2020-11-18 | 40 | Reversing Ryuk
Details | Website | 2020-10-28 | 34 | Turla/Belugasturgeon Compromises Government \| Accenture
Details | Website | 2020-10-27 | 49 | North Korean Advanced Persistent Threat Focus: Kimsuky \| CISA
Details | Website | 2020-10-13 | 80 | Lemon Duck brings cryptocurrency miners back into the spotlight
Details | Website | 2020-09-23 | 26 | Your best defense against ransomware: Find the early warning signs - Help Net Security
Details | Website | 2020-09-08 | 305 | ShadowPad: new activity of the Winnti group
Details | Website | 2020-08-03 | 36 | McAfee Defender’s Blog: NetWalker \| McAfee Blog
Details | Website | 2020-08-03 | 46 | Take a "NetWalk" on the Wild Side \| McAfee Blog
Details | Website | 2020-07-23 | 39 | WastedLocker Ransomware: Abusing ADS and NTFS File Attributes - SentinelLabs
Details | Website | 2020-07-22 | 187 | Prometei botnet and its quest for Monero
Details | Website | 2020-06-18 | 76 | Digging up InvisiMole’s hidden arsenal \| WeLiveSecurity