Service Execution
Service Execution [T1569.002]
Information
Introduction
Service Execution (T1569.002) is a sub-technique within the MITRE ATT&CK framework under the broader category of System Services (T1569). This sub-technique encompasses adversary behaviors involving the abuse or misuse of legitimate system services to execute commands or malicious payloads. Attackers exploit services such as Windows services, Linux daemons, or other operating system service mechanisms to maintain persistence, escalate privileges, or execute malicious code. The use of legitimate services helps adversaries blend into normal system operations, making detection and attribution more challenging.
Deep Dive Into Technique
Adversaries leveraging Service Execution typically exploit legitimate functionality offered by system services across various operating systems (Windows, Linux, macOS) to execute malicious payloads or commands. Technical details include:
Windows Services:
Attackers may create new malicious services using tools like
sc.exe,powershell.exe, or registry modifications.Existing services can be modified to execute malicious binaries or scripts.
Commonly abused Windows services include
svchost.exe,services.exe, and scheduled tasks running as system services.Persistence is often established by setting malicious services to automatically start with system boot.
Linux Daemons and Systemd Services:
Attackers may create or modify systemd
.servicefiles located in/etc/systemd/system/or/lib/systemd/system/.Malicious scripts or binaries can be executed with root privileges through systemd or init scripts.
Attackers may leverage cron jobs or init scripts located in
/etc/init.d/to execute payloads at boot or specific intervals.
macOS LaunchDaemons:
Malicious actors may create or modify
plistfiles in/Library/LaunchDaemons/or/Library/LaunchAgents/.These files can automatically execute malware at startup or user login with elevated privileges.
Execution Mechanisms:
Adversaries commonly use command-line utilities (
sc.exe,systemctl,launchctl) to manage services.Scripts (PowerShell, Bash, Python) are often leveraged to automate service creation or modification.
Malicious payloads executed via services often run with elevated privileges, increasing the potential impact.
Real-world Procedures:
Attackers commonly combine this sub-technique with privilege escalation exploits, credential dumping, or lateral movement.
Malware families such as TrickBot, Emotet, and Lazarus Group tools have leveraged service execution to achieve persistence and stealthy execution.
When this Technique is Usually Used
Adversaries commonly employ Service Execution in multiple stages of the cyber kill chain, including:
Persistence:
Creating or modifying services ensures malware or backdoors survive system reboots.
Ensures continued access to compromised systems for prolonged periods.
Privilege Escalation:
Exploiting services running with elevated privileges (SYSTEM/root) allows attackers to escalate privileges.
Manipulating service configurations or binaries to gain higher-level access.
Execution:
Leveraging legitimate service processes to execute malicious payloads, reducing suspicion and detection likelihood.
Enhances stealth by blending malicious activities within normal system operations.
Lateral Movement:
Attackers can remotely create or manipulate services on other hosts within the network using compromised credentials.
Facilitates rapid propagation across networked systems.
Defense Evasion:
Using legitimate services and processes helps evade traditional antivirus and endpoint detection tools.
Malicious activity masked by normal system service behavior complicates forensic analysis.
How this Technique is Usually Detected
Detection of Service Execution (T1569.002) involves monitoring and analyzing system-level events, service configurations, and process behaviors. Common detection methods and indicators of compromise (IoCs) include:
Event Log Monitoring:
Windows Security Event Logs (Event ID 4697 - Service Creation, Event ID 7045 - Service Installation).
Linux system logs (
/var/log/syslog,/var/log/messages) for changes in systemd or init scripts.macOS Unified Logs and system logs for new LaunchDaemons or LaunchAgents.
Endpoint Detection and Response (EDR):
Monitoring processes (
sc.exe,systemctl,launchctl) used to create or modify services.Behavioral analysis detecting anomalous service creation or modification events.
File Integrity Monitoring (FIM):
Detecting unauthorized changes to service configuration files (
.service,.plist, or registry entries).Monitoring binary paths and hashes associated with critical services.
Indicators of Compromise (IoCs):
Suspicious service names or descriptions that mimic legitimate services.
Services pointing to binaries located in unusual directories (
%TEMP%,/tmp/, user directories).Newly created services with unusual startup parameters (automatic, delayed, or manual).
Unexpectedly stopped or disabled legitimate services.
SIEM and Centralized Logging:
Aggregation of logs and correlation rules to identify suspicious patterns of service manipulation.
Alerting on anomalous behaviors such as rapid service creation or modification across multiple endpoints.
Why it is Important to Detect This Technique
Early detection of Service Execution is critical due to the significant potential impact on organizations. Key reasons include:
Persistence and Long-term Compromise:
Undetected malicious services can persist indefinitely, providing attackers continuous access and control.
Early detection prevents prolonged unauthorized access and reduces dwell time.
Privilege Escalation and Elevated Access:
Malicious services often execute with elevated privileges, allowing attackers to further compromise sensitive data and critical systems.
Detection can prevent attackers from escalating privileges and limit potential damage.
Stealth and Defense Evasion:
Leveraging legitimate services complicates detection and forensic analysis.
Identifying malicious services early prevents attackers from blending into normal system operations and evading security controls.
Rapid Lateral Movement:
Attackers frequently use service execution to propagate rapidly across internal networks.
Prompt detection and response limit lateral movement and reduce the scope of compromise.
Data Exfiltration and System Damage:
Malicious services can facilitate data theft, ransomware deployment, and sabotage of critical business operations.
Early detection mitigates the risk of severe operational disruption and data breaches.
Examples
Real-world examples of adversaries leveraging Service Execution (T1569.002) include:
APT32 (OceanLotus):
Created malicious Windows services to execute backdoors and maintain persistence.
Utilized
sc.exeto install services pointing to malicious binaries stored in hidden directories.
Lazarus Group:
Leveraged systemd services on Linux servers to execute cryptocurrency mining malware persistently.
Created
.servicefiles in/etc/systemd/system/pointing to malicious scripts or binaries.
TrickBot Malware:
Frequently created malicious Windows services to execute payloads and establish persistent access.
Used randomized service names and placed malicious executables in legitimate-looking directories.
FIN7 Cybercriminal Group:
Created persistent Windows services to execute Cobalt Strike payloads and maintain long-term access.
Leveraged malicious PowerShell scripts to automate service creation and modification.
Emotet Malware:
Utilized Windows services to execute payloads and maintain persistence across system reboots.
Created services with deceptive names mimicking legitimate Windows processes or services.
In each scenario, adversaries leveraged service execution to achieve persistence, privilege escalation, stealthy execution, and lateral movement. Detection and mitigation of these malicious services were crucial in containing and remediating the compromise.
Last updated
Was this helpful?