Common Information
Type | Value |
---|---|
Value | Service Execution - T1569.002 |
Category | Attack-Pattern |
Type | Mitre-Attack-Pattern |
Misp Type | Cluster |
Description | Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (`services.exe`) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and [Net](https://attack.mitre.org/software/S0039). [PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and `sc.exe` can accept remote servers as arguments and may be used to conduct remote execution. Adversaries may leverage these mechanisms to execute malicious content. This can be done by executing either a new or a modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation. |
Details | | Published | Attributes | CTI | Title |
---|---|---|---|---|---|
Details | Website | 2020-06-17 | 37 | | Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies \| WeLiveSecurity |
Details | Website | 2020-05-14 | 52 | | Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia \| WeLiveSecurity |
Details | Website | 2020-05-13 | 66 | | Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks \| WeLiveSecurity |
Details | Website | 2020-05-01 | 53 | | Tales From the Trenches; a Lockbit Ransomware Story \| McAfee Blog |
Details | Website | 2020-04-02 | 189 | | Nemty Ransomware - Learning by Doing \| McAfee Blog |
Details | Website | 2020-02-27 | 79 | | Recent attack activity report on the “Higaisa (黑格莎)” group |
Details | Website | 2019-12-02 | 15 | | God save the queen [...] 'cause ransom is money - savethequeen encryptor |
Details | Website | 2019-11-05 | 6 | | Buran Ransomware; the Evolution of VegaLocker \| McAfee Blog |
Details | Website | 2019-10-17 | 37 | | Operation Ghost: The Dukes aren’t back – they never left \| WeLiveSecurity |
Details | Website | 2019-10-10 | 41 | | ESET discovers Attor, a spy platform with curious GSM fingerprinting \| WeLiveSecurity |
Details | Website | 2019-08-14 | 252 | | In the Balkans, businesses are under fire from a double‑barreled weapon \| WeLiveSecurity |
Details | Website | 2019-06-20 | 115 | | LoudMiner: Cross‑platform mining in cracked VST software \| WeLiveSecurity |
Details | Website | 2018-12-21 | 118 | | The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc |
Details | Website | 2018-10-30 | 93 | | Fallout Exploit Kit Releases the Kraken Ransomware on Its Victims \| McAfee Blog |
Details | Website | 2018-04-25 | 30 | | Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide |
Details | Website | 2018-03-08 | 25 | | Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant \| McAfee Blog |
Details | Website | 2018-03-02 | 70 | | McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups \| McAfee Blog |
Details | Website | 2017-05-14 | 36 | | WCry/WanaCry ransomware technical analysis |