T1569.002: T1569.002

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 10/03/2020 19:33 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID: T1569.002
Confidence: 100/100
Revoked: No
Published: 10/03/2020 19:33
Modified: 27/03/2026 01:12
Author / Source: The MITRE Corporation

Aliases

Service Execution

Platforms

windows

Description

Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (`services.exe`) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and [Net](https://attack.mitre.org/software/S0039). [PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and `sc.exe` can accept remote servers as arguments and may be used to conduct remote execution. Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.

Kill chain phases

Kill chain	Phase
mitre-attack	execution

Marking (TLP)

External references

Russinovich Sysinternals
mitre-attack (T1569.002)
Microsoft Service Control Manager

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (54)

Winnti uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC6485 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Daggerfly uses BRONZE HIGHLANDEvasive Panda

The MITRE Corporation Confidence 100

[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
AsyncRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
INC uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
GrayAlpha uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
IronErn440 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Curly COMrades uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC6201 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Locky uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL-CRI-1014 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 54

SevexKiller uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
HRSword uses

Family
TeamViewer uses

Family
BeaverTail uses

Family
CorKLOG uses

Family
adware uses

Family
Terndoor uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Agamemnon downloader uses

Family
QDoor uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BurnsRAT uses

Family
Win.Trojan.Prometei-8977166-0 uses
RagnarLocker uses

Family

← Previous

Page / 7

1–12 of 76

ClickFix Campaign Generated Via AI Delivers SmartRAT related

AlienVault Confidence 100 20 MITREs 4 Malwares 9 IOCs 9 Observables
From emerging threat to top-tier ransomware-as-a-service: The evolution … related

AlienVault Confidence 100 4 CVEs 19 MITREs 4 Malwares 25 IOCs 25 Observables 1 APT
Attackers Weaponize Microsoft Teams Relays to Stay Hidden related

AlienVault Confidence 100 3 CVEs 18 MITREs 2 Malwares 26 IOCs 26 Observables 1 APT
The Gentlemen ransomware: Dissecting a self-propagating Go encryptor related

19 MITREs 2 Malwares 2 Observables 1 APT
APT Targets Azerbaijani Oil and Gas Industry related

5 CVEs 20 MITREs 3 Malwares 2 Observables 1 APT
Popular Go Decimal Library Targeted by Long-Running Typosquat … related

AlienVault Confidence 100 15 MITREs 3 IOCs 3 Observables
Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline … related

AlienVault Confidence 100 20 MITREs 16 Malwares 42 IOCs 42 Observables 1 APT
Komari Red: The Monitoring Tool with a Built-in … related

AlienVault Confidence 100 19 MITREs 1 Malware 2 IOCs 2 Observables
Kyber Ransomware Double Trouble: Windows and ESXi Attacks … related

19 MITREs 1 Malware 3 Observables 1 APT
Highly destructive Lotus Wiper used in a targeted … related

19 MITREs 1 Malware
The Gentlemen & SystemBC: A Sneak Peek Behind … related

46 MITREs 6 Malwares 27 Observables 1 APT
CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran related

AlienVault Confidence 100 19 MITREs 1 Malware 7 IOCs 7 Observables 1 APT

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (66)

CVE-2022-41082 KEV targets

8.0 High

Microsoft Exchange Server contains an unspecified vulnerability that allows for authenticated remote code execution. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040 …

Attack vector: Adjacent
Published: 30/09/2022
Modified: 20/12/2025

CVE-2025-59718 targets

9.8 Critical

A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS …

Published: 09/12/2025
Modified: 17/12/2025

Analyzed

CVE-2026-24858 targets

9.8 Critical

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, …

Published: 27/01/2026
Modified: 28/01/2026

Analyzed

CVE-2025-53770 KEV targets

9.8 Critical

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware …

Attack vector: Network
Published: 20/07/2025
Modified: 21/12/2025

Analyzed

CVE-2021-34523 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2024-40711 KEV targets

9.8 Critical

Veeam Backup and Replication contains a deserialization vulnerability allowing an unauthenticated user to perform remote code execution.

Attack vector: Network
Published: 17/10/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2025-61155 targets

5.5 Medium

The GameDriverX64.sys kernel-mode anti-cheat driver (v7.23.4.7 and earlier) contains an access control vulnerability in one of its IOCTL handlers. A user-mode process …

Attack vector: LOCAL
Published: 28/10/2025
Modified: 30/01/2026

Received

CVE-2024-57727 KEV targets

7.5 High

SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary …

Attack vector: Network
Published: 13/02/2025
Modified: 21/12/2025

Modified

CVE-2021-31207 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for security feature bypass.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2024-51324 targets

3.8 Low

An issue in the BdApiUtil driver of Baidu Antivirus v5.2.3.116083 allows attackers to terminate arbitrary process via executing a BYOVD (Bring Your …

Attack vector: NETWORK
Published: 11/02/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2024-36401 KEV targets

9.8 Critical

OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath …

Attack vector: Network
Published: 15/07/2024
Modified: 21/12/2025

CVE-2018-0802 KEV targets

Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code …

Published: 03/11/2021
Modified: 20/12/2025

← Previous

Page / 6

25–36 of 66

T1569 subtechnique-of

System Services MITRE

Campaign (2)

SharePoint ToolShell Exploitation uses
APT41 DUST uses

Tool (3)

PsExec uses

The MITRE Corporation Confidence 100

[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS…
xCmd uses

The MITRE Corporation Confidence 100

[xCmd](https://attack.mitre.org/software/S0123) is an open source tool that is similar to [PsExec](https://attack.mitre.org/software/S0029) and allows the user to execute applications on remote systems. (Citation: xCmd)
PoshC2 uses

The MITRE Corporation Confidence 100

[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while…

Course Of Action (1)

Privileged Account Management mitigates

Contact About Legal notice Privacy policy Terms of use