T1569.002: T1569.002

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 10/03/2020 19:33 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID: T1569.002
Confidence: 100/100
Revoked: No
Published: 10/03/2020 19:33
Modified: 27/03/2026 01:12
Author / Source: The MITRE Corporation

Aliases

Service Execution

Platforms

windows

Description

Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (`services.exe`) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and [Net](https://attack.mitre.org/software/S0039). [PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and `sc.exe` can accept remote servers as arguments and may be used to conduct remote execution. Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.

Kill chain phases

Kill chain	Phase
mitre-attack	execution

Marking (TLP)

External references

Russinovich Sysinternals
mitre-attack (T1569.002)
Microsoft Service Control Manager

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (54)

Winnti uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC6485 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Daggerfly uses BRONZE HIGHLANDEvasive Panda

The MITRE Corporation Confidence 100

[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
AsyncRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
INC uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
GrayAlpha uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
IronErn440 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Curly COMrades uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC6201 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Locky uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL-CRI-1014 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 54

SevexKiller uses

Family
HRSword uses

Family
TeamViewer uses

Family
BeaverTail uses

Family
CorKLOG uses

Family
adware uses

Family
Terndoor uses

Family
Agamemnon downloader uses

Family
QDoor uses

Family
BurnsRAT uses

Family
Win.Trojan.Prometei-8977166-0 uses
RagnarLocker uses

Family

← Previous

Page / 7

1–12 of 76

ClickFix Campaign Generated Via AI Delivers SmartRAT related

AlienVault Confidence 100 20 MITREs 4 Malwares 9 IOCs 9 Observables
From emerging threat to top-tier ransomware-as-a-service: The evolution … related

AlienVault Confidence 100 4 CVEs 19 MITREs 4 Malwares 25 IOCs 25 Observables 1 APT
Attackers Weaponize Microsoft Teams Relays to Stay Hidden related

AlienVault Confidence 100 3 CVEs 18 MITREs 2 Malwares 26 IOCs 26 Observables 1 APT
The Gentlemen ransomware: Dissecting a self-propagating Go encryptor related

19 MITREs 2 Malwares 2 Observables 1 APT
APT Targets Azerbaijani Oil and Gas Industry related

5 CVEs 20 MITREs 3 Malwares 2 Observables 1 APT
Popular Go Decimal Library Targeted by Long-Running Typosquat … related

AlienVault Confidence 100 15 MITREs 3 IOCs 3 Observables
Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline … related

AlienVault Confidence 100 20 MITREs 16 Malwares 42 IOCs 42 Observables 1 APT
Komari Red: The Monitoring Tool with a Built-in … related

AlienVault Confidence 100 19 MITREs 1 Malware 2 IOCs 2 Observables
Kyber Ransomware Double Trouble: Windows and ESXi Attacks … related

19 MITREs 1 Malware 3 Observables 1 APT
Highly destructive Lotus Wiper used in a targeted … related

19 MITREs 1 Malware
The Gentlemen & SystemBC: A Sneak Peek Behind … related

46 MITREs 6 Malwares 27 Observables 1 APT
CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran related

AlienVault Confidence 100 19 MITREs 1 Malware 7 IOCs 7 Observables 1 APT

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (66)

CVE-2025-61955 targets

8.5 High

A vulnerability exists in F5OS-A and F5OS-C systems that may allow an authenticated attacker with local access to escalate their privileges. A …

Attack vector: LOCAL
Published: 15/10/2025
Modified: 21/12/2025

Received

CVE-2025-66478 targets

Rejected reason: This CVE is a duplicate of CVE-2025-55182.

Published: 20/12/2025
Modified: 21/12/2025

Rejected

CVE-2023-52271 targets

6.5 Medium

The wsftprm.sys kernel driver 2.0.0.0 in Topaz Antifraud allows low-privileged attackers to kill any (Protected Process Light) process via an IOCTL (which …

Attack vector: LOCAL
Published: 08/01/2024
Modified: 16/06/2026

CVE-2021-40449 KEV targets

Unspecified vulnerability allows for an authenticated user to escalate privileges.

Published: 17/11/2021
Modified: 21/12/2025

CVE-2019-0797 KEV targets

Microsoft Win32k contains a privilege escalation vulnerability when the Win32k component fails to properly handle objects in memory. Successful exploitation allows an …

Published: 03/11/2021
Modified: 29/05/2026

CVE-2025-52906 targets

9.3 Critical

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection.This issue …

Published: 24/09/2025
Modified: 24/09/2025

Received

CVE-2025-31324 KEV targets

10.0 Critical

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …

Attack vector: Network
Published: 29/04/2025
Modified: 21/12/2025

Received

CVE-2021-34473 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 29/05/2026

CVE-2023-48022 targets

9.8 Critical

Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position …

Attack vector: NETWORK
Published: 28/11/2023
Modified: 21/12/2025

CVE-2026-1340 KEV targets

9.8 Critical

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.

Attack vector: NETWORK
Complexity: LOW
Published: 29/01/2026
Modified: 10/04/2026

CWE-94 Received

CVE-2025-0282 KEV targets

9.0 Critical

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA …

Attack vector: Network
Published: 08/01/2025
Modified: 21/12/2025

Analyzed

CVE-2026-1281 KEV targets

9.8 Critical

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.

Attack vector: NETWORK
Published: 29/01/2026
Modified: 27/03/2026

Analyzed

← Previous

Page / 6

13–24 of 66

T1569 subtechnique-of

System Services MITRE

Campaign (2)

SharePoint ToolShell Exploitation uses
APT41 DUST uses

Tool (3)

PsExec uses

The MITRE Corporation Confidence 100

[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS…
xCmd uses

The MITRE Corporation Confidence 100

[xCmd](https://attack.mitre.org/software/S0123) is an open source tool that is similar to [PsExec](https://attack.mitre.org/software/S0029) and allows the user to execute applications on remote systems. (Citation: xCmd)
PoshC2 uses

The MITRE Corporation Confidence 100

[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while…

Course Of Action (1)

Privileged Account Management mitigates

Contact About Legal notice Privacy policy Terms of use