- Tactics
- Execution
- Platforms
- Windows, macOS, Linux
- Reference
- attack.mitre.org/techniques/T1569
Description
Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary execution.
Sub-techniques
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the Execution tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1047 — Windows Management Instrumentation
- T1053 — Scheduled Task/Job
- T1059 — Command and Scripting Interpreter
- T1072 — Software Deployment Tools
- T1106 — Native API
- T1127 — Trusted Developer Utilities Proxy Execution
- T1129 — Shared Modules
- T1197 — BITS Jobs
- T1203 — Exploitation for Client Execution
- T1204 — User Execution
- T1559 — Inter-Process Communication
- T1574 — Hijack Execution Flow