System Services: Service Execution, Sub-technique T1569.002 - Enterprise
Anchor can create and execute services to load its payload.[3][4]
APT32's backdoor has used Windows services as a way to execute its malicious payload.[5]
APT39 has used post-exploitation tools including RemCom and the Non-sucking Service Manager (NSSM) to execute processes.[6][7]
APT41 used Net to execute a system service installed to launch a Cobalt Strike BEACON loader.[8]
Attor's dispatcher can be executed as a service.[9]
BBSRAT can start, stop, or delete services.[10]
Blue Mockingbird has executed custom-compiled XMRIG miner DLLs by configuring them to execute via the "wercplsupport" service.[11]
Cobalt Strike can use PsExec to execute a payload on a remote host. It can also use Service Control Manager to start new services.[12][13]
Empire can use PsExec to execute a payload on a remote host.[14]
FIN6 has created Windows services to execute encoded PowerShell commands.[15]
gh0st RAT can execute its service if the Service key exists. If the key does not exist, gh0st RAT will create and run the service.[16]
Honeybee launches a DLL file that gets executed as a service using svchost.exe.[17]
HOPLIGHT has used svchost.exe to execute a malicious DLL.[18]
Hydraq uses svchost.exe to execute a malicious DLL included in a new service group.[19]
HyperBro has the ability to start and stop a specified service.[20]
Impacket contains various modules emulating other service execution tools such as PsExec.[21]
InvisiMole has used Windows services as a way to execute its malicious payload.[22]
Ke3chang has used a tool known as RemoteExec (similar to PsExec) to remotely execute batch scripts and binaries.[23]
Koadic can run a command on another machine using PsExec.[24]
LoudMiner started the cryptomining virtual machine as a service on the infected machine.[25]
The net start and net stop commands can be used in Net to execute or stop Windows services.[26]
Net Crawler uses PsExec to perform remote service manipulation to execute a copy of itself as part of lateral movement.[27]
Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload.[28]
NotPetya can use PsExec to help propagate itself across a network.[29][30]
Okrum's loader can create a new service named NtmsSvc to execute the payload.[31]
Olympic Destroyer utilizes PsExec to help propagate itself across a network.[32]
PoshC2 contains an implementation of PsExec for remote execution.[33]
Proxysvc registers itself as a service on the victim’s machine to run as a standalone process.[34]
Microsoft Sysinternals PsExec is a popular administration tool that can be used to execute binaries on remote systems using a temporary Windows service.[2]
Pupy uses PsExec to execute a payload or commands on a remote host.[35]
Ragnar Locker has used sc.exe to execute a service that it creates.[36]
RemoteCMD can execute commands remotely by creating a new service on the remote system.[37]
Shamoon creates a new service named "ntssrv" to execute the payload. Shamoon can also spread via PsExec.[38][39]
Silence has used Winexe to install a service on the remote system.[40][41]
StrongPity can install a service to execute itself as a service.[42][43]
Winexe installs a service on the remote system, executes the command, then uninstalls the service.[44]
Wingbird uses services.exe to register a new autostart service named "Audit Service" using a copy of the local lsass.exe file.[45][46]
Wizard Spider has used services.exe to execute scripts and executables during lateral movement within a victim network.[47][48]
xCmd can be used to execute binaries on remote systems by creating and starting a service.[49]