S0123: xCmd
Analyst context for executives and security teams
xCmd matters because it represents a legitimate-style remote execution capability: an open source tool similar to PsExec that can run applications on remote systems. For leaders, the risk is not the tool name alone but whether the organization can distinguish approved remote administration from unauthorized remote service-based execution, especially when responders need to prove how a host-to-host action occurred.
Executive priority
Prioritize validation of controls and evidence around remote execution through Windows services, because the ATT&CK relationship maps xCmd to Service Execution (T1569.002). Security leaders should ask whether SOC and IR teams can identify who initiated remote execution, which systems were targeted, what service or process ran, and whether the activity was authorized. This is relevant to incident scoping, privileged access governance, audit evidence, and business continuity during containment decisions.
Technical view
ATT&CK provides no dedicated detection text and no platform list for xCmd itself. The strongest supplied technical context is that xCmd allows remote application execution and is associated with Service Execution on Windows. Detection engineering should therefore validate coverage for Windows service control manager activity, service creation or modification, service start events, and process execution spawned from service context on target systems. IR playbooks should correlate remote execution evidence with authentication records and administrative activity to separate expected operations from suspicious lateral execution.
Likely telemetry
- Windows service creation, modification, start, and stop events on target systems
- Process creation telemetry showing applications launched through service context
- Authentication and logon records for accounts initiating remote administration
- Endpoint telemetry from both initiating and target hosts
- Host-to-host network connection metadata associated with remote administration activity
Detection direction
- Because ATT&CK does not provide official xCmd detection guidance, build detection around the related behavior: remote execution through Windows service control manager activity.
- Baseline legitimate remote administration patterns so alerts do not become noisy whenever administrators use approved service-management tools.
- Correlate service events with process execution, account logon, source host, target host, and change records; single-event service alerts may lack enough context.
- Watch for blind spots where service events are collected but process command line, initiating user, or source host context is missing.
- Use the APT1 relationship as threat-intelligence context only; do not treat the presence of xCmd-like behavior as attribution.
Mitigation priorities
- Restrict who can remotely manage services and execute applications on remote systems.
- Review privileged account usage and ensure administrative remote execution is tied to approved operational processes.
- Harden and monitor Windows service management paths associated with Service Execution.
- Ensure endpoint and Windows event logging are retained long enough to support incident scoping.
- Document approved remote administration tools and expected behavior so SOC teams can identify deviations.
Analyst notes and limits
The supplied ATT&CK object identifies xCmd as an open source PsExec-like tool for remote application execution and links it to Service Execution (T1569.002). APT1 is listed as a group that uses this object, but that relationship should be used as historical/contextual intelligence, not as evidence of attribution in any local incident.
The object has no official detection text, no explicit xCmd platform field, no aliases, and limited technical detail. Local validation is required to determine whether xCmd, xCmd-like tools, or approved remote administration utilities are present and whether telemetry captures enough context for reliable detection and response.
xCmd
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1569.002 | Service Execution Sub-technique | xCmd can be used to execute binaries on remote systems by creating and starting a service.CitationxCmd |
Groups, software, and campaigns
G0006: APT1
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 21e433a06453… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
xCmd
Rayaprolu, A.. (2011, April 12). xCmd an Alternative to PsExec. Retrieved August 10, 2016.
Open source URL -
[2]
mitre-attack S0123Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.