Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1185: Analytic 1185

Detection focuses on abnormal service executions initiated via service control manager APIs, sc.exe, net.exe, or PsExec creating temporary services. Defenders observe process creation of services.exe spawning non-standard binaries, registry changes in service keys followed by rapid execution, and network connections originating from processes tied to transient services. Correlation across process lineage, registry activity, and service logs provides strong signals of malicious service execution.

EnterpriseAN1185AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because abnormal Windows service execution is a high-value signal for hands-on-keyboard activity and remote administrative abuse. For leaders, the decision point is whether the organization can reliably reconstruct who or what created a service, what binary ran, how quickly it executed, and whether it made network connections. Without that visibility, incident responders may struggle to distinguish legitimate administration from suspicious transient service activity.

Executive priority

Prioritize this as a Windows endpoint and SOC visibility validation item. It supports business resilience by improving the ability to investigate suspicious service creation and execution paths before they become broader operational incidents. Executives should ask whether process, registry, service, and network telemetry are retained and correlated well enough to support incident decisions and audit evidence for endpoint monitoring controls.

Technical view

For Windows environments, validate correlation across process lineage, registry service-key changes, service log activity, and outbound network connections. The supplied analytic focuses on services.exe spawning non-standard binaries, service creation through service control manager APIs or common administrative tools such as sc.exe, net.exe, and PsExec, and temporary services that execute rapidly after registry changes. SOC teams should tune for unusual parent-child relationships, non-standard service binaries, short-lived service creation-to-execution patterns, and network activity from processes associated with transient services.

Likely telemetry

  • Windows process creation events, including parent-child lineage for services.exe and service-related tools
  • Windows registry activity for service keys
  • Windows service control or service installation/execution logs
  • Endpoint network connection telemetry tied to process identity
  • Command-line telemetry for sc.exe, net.exe, PsExec, and service-related execution where available

Detection direction

  • Validate that service creation, registry modification, process execution, and network connection events can be joined by host, process, user, and time window.
  • Tune for rapid registry service-key changes followed by service execution, especially when the service binary path is unusual for the environment.
  • Baseline legitimate administrative and software deployment activity to reduce false positives from approved service management tools.
  • Review visibility for temporary or short-lived services, as these may be missed if collection intervals or retention are weak.
  • Because no ATT&CK tactic or relationship context was supplied, avoid over-scoping this analytic to a single campaign or objective without local evidence.

Mitigation priorities

  • First ensure Windows endpoint logging captures process creation, service activity, registry service-key changes, and process-linked network connections.
  • Standardize and document legitimate service management workflows so SOC teams can distinguish expected administration from abnormal execution.
  • Restrict and monitor administrative tooling capable of creating or starting services according to least-privilege principles.
  • Retain correlated telemetry long enough to support incident response timelines and compliance evidence.
  • Test detection logic against benign administrative activity to identify false positives before operational deployment.
Analyst notes and limits

This take is based on the supplied ATT&CK detection analytic AN1185 only. The strongest defensive value is correlation: a single service creation event may be benign, but service-key changes, services.exe process lineage, non-standard binaries, and process-linked network connections together provide stronger investigative context.

The object provides a description but no separate official detection field, no tactics, no relationships, and only the Windows platform. Claims about adversary use, active exploitation, impact, or coverage require local telemetry and additional intelligence not supplied here.

Official MITRE ATT&CK definition

Analytic 1185

Detection focuses on abnormal service executions initiated via service control manager APIs, sc.exe, net.exe, or PsExec creating temporary services. Defenders observe process creation of services.exe spawning non-standard binaries, registry changes in service keys followed by rapid execution, and network connections originating from processes tied to transient services. Correlation across process lineage, registry activity, and service logs provides strong signals of malicious service execution.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
3fb80492fa54aecf...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 3fb80492fa54…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1185
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use