T1569.002: T1569.002

Search IOCs, vulnerabilities, APT…

216.73.217.98

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 10/03/2020 19:33 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID: T1569.002
Confidence: 100/100
Revoked: No
Published: 10/03/2020 19:33
Modified: 27/03/2026 01:12
Author / Source: The MITRE Corporation

Aliases

Service Execution

Platforms

windows

Description

Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (`services.exe`) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and [Net](https://attack.mitre.org/software/S0039). [PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and `sc.exe` can accept remote servers as arguments and may be used to conduct remote execution. Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.

Kill chain phases

Kill chain	Phase
mitre-attack	execution

Marking (TLP)

External references

Russinovich Sysinternals
mitre-attack (T1569.002)
Microsoft Service Control Manager

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (54)

BlackJack related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackSuit related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BladedFeline related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Blue Mockingbird related

The MITRE Corporation Confidence 100

[Blue Mockingbird](https://attack.mitre.org/groups/G0108) is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Chimera related

The MITRE Corporation Confidence 100

[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline…

First seen 01/01/1970 · Last seen 16/11/5138 ·
China-nexus threat actors related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CoughingDown related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CrazyHunter related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DeadLock related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DragonBreath related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DragonForce related

Ransomware.Live Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Longzhi related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

25–36 of 54

SevexKiller uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
HRSword uses

Family
TeamViewer uses

Family
BeaverTail uses

Family
CorKLOG uses

Family
adware uses

Family
Terndoor uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Agamemnon downloader uses

Family
QDoor uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BurnsRAT uses

Family
Win.Trojan.Prometei-8977166-0 uses
RagnarLocker uses

Family

← Previous

Page / 7

1–12 of 76

Post-Exploitation Activities Observed from the Samsung MagicINFO 9 … related

7 MITREs
Fake Zoom Ends in BlackSuit Ransomware related

32 MITREs 6 Malwares

← Previous

Page / 5

49–50 of 50

Vulnerabilities (CVE) (66)

CVE-2025-61955 targets

8.5 High

A vulnerability exists in F5OS-A and F5OS-C systems that may allow an authenticated attacker with local access to escalate their privileges. A …

Attack vector: LOCAL
Published: 15/10/2025
Modified: 21/12/2025

Received

CVE-2025-66478 targets

Rejected reason: This CVE is a duplicate of CVE-2025-55182.

Published: 20/12/2025
Modified: 21/12/2025

Rejected

CVE-2023-52271 targets

6.5 Medium

The wsftprm.sys kernel driver 2.0.0.0 in Topaz Antifraud allows low-privileged attackers to kill any (Protected Process Light) process via an IOCTL (which …

Attack vector: LOCAL
Published: 08/01/2024
Modified: 16/06/2026

CVE-2021-40449 KEV targets

Unspecified vulnerability allows for an authenticated user to escalate privileges.

Published: 17/11/2021
Modified: 21/12/2025

CVE-2019-0797 KEV targets

Microsoft Win32k contains a privilege escalation vulnerability when the Win32k component fails to properly handle objects in memory. Successful exploitation allows an …

Published: 03/11/2021
Modified: 29/05/2026

CVE-2025-52906 targets

9.3 Critical

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection.This issue …

Published: 24/09/2025
Modified: 24/09/2025

Received

CVE-2025-31324 KEV targets

10.0 Critical

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …

Attack vector: Network
Published: 29/04/2025
Modified: 21/12/2025

Received

CVE-2021-34473 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 29/05/2026

CVE-2023-48022 targets

9.8 Critical

Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position …

Attack vector: NETWORK
Published: 28/11/2023
Modified: 21/12/2025

CVE-2026-1340 KEV targets

9.8 Critical

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.

Attack vector: NETWORK
Complexity: LOW
Published: 29/01/2026
Modified: 10/04/2026

CWE-94 Received

CVE-2025-0282 KEV targets

9.0 Critical

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA …

Attack vector: Network
Published: 08/01/2025
Modified: 21/12/2025

Analyzed

CVE-2026-1281 KEV targets

9.8 Critical

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.

Attack vector: NETWORK
Published: 29/01/2026
Modified: 27/03/2026

Analyzed

← Previous

Page / 6

13–24 of 66

T1569 subtechnique-of

System Services MITRE

Campaign (2)

SharePoint ToolShell Exploitation uses
APT41 DUST uses

Tool (3)

PsExec uses

The MITRE Corporation Confidence 100

[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS…
xCmd uses

The MITRE Corporation Confidence 100

[xCmd](https://attack.mitre.org/software/S0123) is an open source tool that is similar to [PsExec](https://attack.mitre.org/software/S0029) and allows the user to execute applications on remote systems. (Citation: xCmd)
PoshC2 uses

The MITRE Corporation Confidence 100

[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while…

Course Of Action (1)

Privileged Account Management mitigates

Contact About Legal notice Privacy policy Terms of use