T1569.002: T1569.002

Search IOCs, vulnerabilities, APT…

216.73.216.226

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 10/03/2020 19:33 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID: T1569.002
Confidence: 100/100
Revoked: No
Published: 10/03/2020 19:33
Modified: 27/03/2026 01:12
Author / Source: The MITRE Corporation

Aliases

Service Execution

Platforms

windows

Description

Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (`services.exe`) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and [Net](https://attack.mitre.org/software/S0039). [PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and `sc.exe` can accept remote servers as arguments and may be used to conduct remote execution. Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.

Kill chain phases

Kill chain	Phase
mitre-attack	execution

Marking (TLP)

External references

Russinovich Sysinternals
mitre-attack (T1569.002)
Microsoft Service Control Manager

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (54)

Winnti uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC6485 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Daggerfly uses BRONZE HIGHLANDEvasive Panda

The MITRE Corporation Confidence 100

[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
AsyncRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
INC uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
GrayAlpha uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
IronErn440 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Curly COMrades uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC6201 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Locky uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL-CRI-1014 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 54

SevexKiller uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
HRSword uses

Family
TeamViewer uses

Family
BeaverTail uses

Family
CorKLOG uses

Family
adware uses

Family
Terndoor uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Agamemnon downloader uses

Family
QDoor uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BurnsRAT uses

Family
Win.Trojan.Prometei-8977166-0 uses
RagnarLocker uses

Family

← Previous

Page / 7

1–12 of 76

ClickFix Campaign Generated Via AI Delivers SmartRAT related

AlienVault Confidence 100 20 MITREs 4 Malwares 9 IOCs 9 Observables
From emerging threat to top-tier ransomware-as-a-service: The evolution … related

AlienVault Confidence 100 4 CVEs 19 MITREs 4 Malwares 25 IOCs 25 Observables 1 APT
Attackers Weaponize Microsoft Teams Relays to Stay Hidden related

AlienVault Confidence 100 3 CVEs 18 MITREs 2 Malwares 26 IOCs 26 Observables 1 APT
The Gentlemen ransomware: Dissecting a self-propagating Go encryptor related

19 MITREs 2 Malwares 2 Observables 1 APT
APT Targets Azerbaijani Oil and Gas Industry related

5 CVEs 20 MITREs 3 Malwares 2 Observables 1 APT
Popular Go Decimal Library Targeted by Long-Running Typosquat … related

AlienVault Confidence 100 15 MITREs 3 IOCs 3 Observables
Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline … related

AlienVault Confidence 100 20 MITREs 16 Malwares 42 IOCs 42 Observables 1 APT
Komari Red: The Monitoring Tool with a Built-in … related

AlienVault Confidence 100 19 MITREs 1 Malware 2 IOCs 2 Observables
Kyber Ransomware Double Trouble: Windows and ESXi Attacks … related

19 MITREs 1 Malware 3 Observables 1 APT
Highly destructive Lotus Wiper used in a targeted … related

19 MITREs 1 Malware
The Gentlemen & SystemBC: A Sneak Peek Behind … related

46 MITREs 6 Malwares 27 Observables 1 APT
CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran related

AlienVault Confidence 100 19 MITREs 1 Malware 7 IOCs 7 Observables 1 APT

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (66)

CVE-2024-23897 KEV targets

9.8 Critical

Jenkins Command Line Interface (CLI) contains a path traversal vulnerability that allows attackers limited read access to certain files, which can lead …

Attack vector: Network
Published: 19/08/2024
Modified: 21/12/2025

CVE-2024-50050 targets

6.3 Medium

Llama Stack prior to revision 7a8aa775e5a267cf8660d83140011a0b7f91e005 used pickle as a serialization format for socket communication, potentially allowing for remote code execution. Socket …

Attack vector: NETWORK
Published: 23/10/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2021-26855 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2022-41352 KEV targets

9.8 Critical

Synacor Zimbra Collaboration Suite (ZCS) allows an attacker to upload arbitrary files using cpio package to gain incorrect access to any other …

Attack vector: Network
Published: 20/10/2022
Modified: 20/12/2025

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2025-59719 targets

9.8 Critical

An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an …

Published: 09/12/2025
Modified: 09/12/2025

Analyzed

CVE-2025-21042 targets

CVE-2025-59287 KEV targets

9.8 Critical

Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.

Attack vector: Network
Published: 24/10/2025
Modified: 21/12/2025

Undergoing Analysis

CVE-2025-53868 targets

8.5 High

When running in Appliance mode, a highly privileged authenticated attacker with access to SCP and SFTP may be able to bypass Appliance …

Attack vector: Network
Published: 15/10/2025
Modified: 04/02/2026

Received

CVE-2025-49704 KEV targets

8.8 High

Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could …

Attack vector: Network
Published: 22/07/2025
Modified: 21/12/2025

CVE-2025-49596 targets

9.4 Critical

The MCP inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector below 0.14.1 are vulnerable to …

Published: 20/12/2025
Modified: 21/12/2025

Received

CVE-2025-53771 targets

6.5 Medium

Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing …

Attack vector: NETWORK
Published: 21/07/2025
Modified: 21/12/2025

Received

← Previous

Page / 6

49–60 of 66

T1569 subtechnique-of

System Services MITRE

Campaign (2)

SharePoint ToolShell Exploitation uses
APT41 DUST uses

Tool (3)

PsExec uses

The MITRE Corporation Confidence 100

[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS…
xCmd uses

The MITRE Corporation Confidence 100

[xCmd](https://attack.mitre.org/software/S0123) is an open source tool that is similar to [PsExec](https://attack.mitre.org/software/S0029) and allows the user to execute applications on remote systems. (Citation: xCmd)
PoshC2 uses

The MITRE Corporation Confidence 100

[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while…

Course Of Action (1)

Privileged Account Management mitigates

Contact About Legal notice Privacy policy Terms of use