T1569.002 — Service Execution

Technique

T1569.002

Tactics

Execution

MISP citations

0

KEV CVEs mapped

1

Community rules

43

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1569/002

MITRE description

Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and [Net](https://attack.mitre.org/software/S0039). [PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and <code>sc.exe</code> can accept remote servers as arguments and may be used to conduct remote execution. Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2021-35394

Detection coverage

SigmaHQ community rules

• CosmicDuke Service Installation (emerging-threats)
• DNS RCE CVE-2020-1350 (emerging-threats)
• Potential CVE-2022-26809 Exploitation Attempt (emerging-threats)
• PsExec Default Named Pipe (threat-hunting)
• Remote Server Service Abuse for Lateral Movement (core)
• MITRE BZAR Indicators for Execution (core)
• DNS Events Related To Mining Pools (core)
• CobaltStrike Service Installations - Security (core)
• Credential Dumping Tools Service Execution - Security (core)
• Metasploit Or Impacket Service Installation Via SMB PsExec (core)
• PowerShell Scripts Installed as Services - Security (core)
• Remote Access Tool Services Have Been Installed - Security (core)
• CobaltStrike Service Installations - System (core)
• smbexec.py Service Installation (core)
• Credential Dumping Tools Service Execution - System (core)
• PowerShell Scripts Installed as Services (core)
• CSExec Service Installation (core)
• HackTool Service Registration or Execution (core)
• PAExec Service Installation (core)
• ProcessHacker Privilege Elevation (core)
• RemCom Service Installation (core)
• Remote Access Tool Services Have Been Installed - System (core)
• Sliver C2 Default Service Installation (core)
• PsExec Service Installation (core)
• PSExec and WMI Process Creations Block (core)

Showing 25 of 43 community rules — the full set is tagged attack.t1569.002 in SigmaHQ.

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.