S0166: RemoteCMD
Analyst context for executives and security teams
RemoteCMD matters because it represents remote command execution on Windows in a PsExec-like pattern, tied in ATT&CK to scheduled tasks, service execution, and tool transfer. For leaders, the practical issue is whether the organization can distinguish approved remote administration from unauthorized command execution before it becomes widespread operational disruption or an incident-response blind spot.
Executive priority
Prioritize validation of Windows remote administration controls and evidence. This behavior can affect business continuity because service execution and scheduled tasks are common mechanisms for running code across systems, including in legitimate IT operations. Executives should ask whether privileged access, remote service creation, scheduled task activity, and transferred tools are logged well enough to support rapid containment, audit evidence, and incident scoping.
Technical view
RemoteCMD is a Windows malware/tool entry described by MITRE as a custom APT3 tool for executing commands on a remote system similar to Sysinternals PsExec functionality. ATT&CK relationships link it to Scheduled Task (T1053.005), Ingress Tool Transfer (T1105), and Service Execution (T1569.002). SOC and IR teams should validate coverage for remote process execution patterns, Windows service creation or manipulation, scheduled task creation or execution, and file/tool transfer into or within the environment. Because no official ATT&CK detection text is provided, detections should be built around the related behaviors rather than the malware name alone.
Likely telemetry
- Windows security and system event logs showing service creation, service start, and service configuration changes
- Task Scheduler operational logs and events for task creation, modification, and execution
- Endpoint process creation telemetry with command-line arguments and parent-child process context
- EDR or host file telemetry for newly written administrative tools or suspicious binaries
- Network telemetry for inbound or lateral connections associated with remote administration or file transfer
Detection direction
- Baseline legitimate remote administration, service management, and scheduled task activity so detections can focus on unusual source hosts, accounts, timing, destinations, or command content.
- Correlate service execution and scheduled task events with recent file transfer or new binary creation, since the relationship context includes ingress tool transfer.
- Tune for privileged account misuse: remote command execution is most meaningful when paired with unexpected administrative credentials, lateral movement paths, or execution on sensitive servers.
- Avoid relying on malware signatures or the RemoteCMD name alone; ATT&CK provides no official detection guidance and describes custom tooling with PsExec-like functionality.
- Expect false positives from IT operations, software deployment, endpoint management, and incident-response tooling; require allowlists and change-window context rather than broad suppression.
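The correlation the bullets above describe (service or task creation tied to a recent tool write, filtered by approved admin sources and accounts rather than blanket suppression) can be prototyped over the telemetry listed under "Likely telemetry". The following Python is an added example written for this page, not code from MITRE, Glexia, or the tool described; the event schema, hosts, IP addresses, account names, paths, and allowlist are all constructed assumptions standing in for what a SIEM or EDR would supply.

```python
"""Correlate Windows service/scheduled-task creation with recent binary writes.

Added example. Event dicts are a constructed stand-in for normalized telemetry:
"service_create" ~ System 7045 / Security 4697, "task_create" ~ Security 4698,
"file_write" ~ EDR file-creation events. Hosts, users, IPs, paths are hypothetical.
"""
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed sample data
    {"ts": "2024-05-01T09:00:05", "host": "FS01", "kind": "file_write",
     "user": "CORP\\jdoe", "path": "C:\\Windows\\Temp\\rc.exe", "src": None},
    {"ts": "2024-05-01T09:00:20", "host": "FS01", "kind": "service_create",
     "user": "CORP\\jdoe", "path": "C:\\Windows\\Temp\\rc.exe", "src": "10.0.5.77"},
    {"ts": "2024-05-01T11:14:40", "host": "WS22", "kind": "file_write",
     "user": "CORP\\sccm_svc", "path": "C:\\Windows\\ccmcache\\deploy.exe", "src": None},
    {"ts": "2024-05-01T11:15:00", "host": "WS22", "kind": "task_create",
     "user": "CORP\\sccm_svc", "path": "C:\\Windows\\ccmcache\\deploy.exe", "src": "10.0.1.10"},
    {"ts": "2024-05-01T13:00:00", "host": "DB03", "kind": "service_create",
     "user": "CORP\\svc_backup", "path": "C:\\Program Files\\Backup\\agent.exe", "src": "10.0.1.20"},
]

# Hypothetical allowlist: deployment servers and the accounts they are expected to use.
# In practice this comes from the CMDB / change records, not from the detection itself.
APPROVED_SOURCES = {"10.0.1.10"}
APPROVED_ACCOUNTS = {"CORP\\sccm_svc"}
WINDOW = timedelta(minutes=10)  # how recent a tool write must be to count as "just transferred"
EXEC_KINDS = {"service_create", "task_create"}


def correlate(events, window=WINDOW, approved_sources=APPROVED_SOURCES,
              approved_accounts=APPROVED_ACCOUNTS):
    """Return alerts for service/task creation that looks like PsExec-style remote execution.

    high   = binary written within `window` AND source host or account not approved
    medium = source host or account not approved, no recent write observed
    (recent write by an approved source/account is left to change-window review)
    """
    events = sorted(events, key=lambda e: e["ts"])
    recent_writes = {}  # (host, lowercased path) -> time of last observed file write
    alerts = []
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        if e["kind"] == "file_write":
            recent_writes[(e["host"], e["path"].lower())] = t
            continue
        if e["kind"] not in EXEC_KINDS:
            continue
        reasons = []
        wrote = recent_writes.get((e["host"], e["path"].lower()))
        has_write = wrote is not None and t - wrote <= window
        if has_write:
            reasons.append(f"binary written {int((t - wrote).total_seconds())}s before {e['kind']}")
        if e["src"] and e["src"] not in approved_sources:
            reasons.append(f"remote source {e['src']} is not an approved admin host")
        if e["user"] not in approved_accounts:
            reasons.append(f"account {e['user']} is not an approved deployment account")
        unapproved = [r for r in reasons if "not an approved" in r]
        if has_write and unapproved:
            severity = "high"
        elif unapproved:
            severity = "medium"
        else:
            continue  # approved source and account: route to change-window review, not an alert
        alerts.append({"host": e["host"], "kind": e["kind"], "user": e["user"],
                       "path": e["path"], "src": e["src"], "severity": severity,
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["host"], a["kind"], a["user"], "|", "; ".join(a["reasons"]))
```

On the constructed sample, the FS01 service creation (fresh binary in a temp path, unapproved source and account) comes out high, the DB03 service creation comes out medium on account and source alone, and the WS22 task creation from the approved deployment server and account produces no alert even though it follows a fresh file write. Tuning happens by editing the allowlist and window, which keeps the core correlation in place rather than suppressing the event class.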
Mitigation priorities
- Enforce least privilege for administrative accounts and reduce standing local administrator access on Windows systems.
- Restrict who can create or modify Windows services and scheduled tasks, especially remotely and on critical servers.
- Maintain strong logging for service control, scheduled task activity, process creation, authentication, and file writes before an incident occurs.
- Use network segmentation and administrative access boundaries to limit where remote command execution can occur.
- Apply application control or approved-tool governance where feasible to reduce execution of unapproved administrative utilities or custom binaries.
Analyst notes and limits
The strongest decision value is not the malware family name but the operational pattern: remote command execution through Windows administration-like mechanisms. The supplied relationship context points defenders toward Scheduled Task, Service Execution, and Ingress Tool Transfer behaviors. This is especially relevant for managed detection, IR readiness, IAM governance, and compliance evidence because these activities often involve privileged accounts and legitimate administrative pathways.
The ATT&CK object has no official detection text, no aliases, no labels, and no object-level tactics listed. The description is brief and names APT3 only as the reported user of the custom tool. Local telemetry, approved administration practices, and environment-specific baselines are required to determine exposure or detection coverage.
RemoteCMD
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1569.002 | Service Execution (sub-technique) | RemoteCMD can execute commands remotely by creating a new service on the remote system. [1] |
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | RemoteCMD can execute commands remotely by creating a new scheduled task on the remote system. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | RemoteCMD copies a file over to the remote system before execution. [1] |
Groups, software, and campaigns
G0022: APT3
APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security.[1][2] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[1][3] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | eafee53af944… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016. (Symantec Buckeye)
[2] mitre-attack: S0166
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.