S0191: Winexe
Analyst context for executives and security teams
Winexe matters because it is a legitimate remote administration tool that can execute commands on remote servers from a GNU/Linux client. For leaders, the risk is not the tool by itself, but whether remote service-based administration can be distinguished from unauthorized command execution across critical Windows servers.
Executive priority
Prioritize this as a control-validation issue for privileged administration and server resilience. Ask whether the organization has an approved remote administration model, known admin source systems, accountable privileged identities, and evidence showing who can create or start services on important servers. The ATT&CK relationships to APT28, Silence, and DarkVishnya show that this tool has been observed in threat reporting, including financially motivated contexts, but local exposure depends on your environment and controls.
Technical view
ATT&CK lists no platform or tactic directly on the Winexe tool object, and provides no official detection text. However, the supplied relationship maps Winexe to T1569.002 Service Execution, an Execution technique on Windows involving abuse of the Windows service control manager. SOC and IR teams should validate visibility into remote service creation, service start activity, processes launched by services.exe, privileged authentication to servers, and command execution patterns that originate from Linux or other non-standard administration hosts where relevant.
Likely telemetry
- Windows service creation, modification, and start/stop records on servers
- Endpoint process telemetry showing services.exe spawning command interpreters or administrative payloads
- Privileged authentication and remote logon records for server access
- Network connection metadata between administrative clients and Windows servers
- Inventory or allowlist records for approved remote administration tools and source hosts
Detection direction
- Baseline approved remote administration paths, including expected admin hosts, accounts, and maintenance windows, then alert on deviations involving service execution.
- Correlate service creation/start events with privileged logons and the originating host; pay particular attention to GNU/Linux-based administration sources if they are uncommon in the environment.
- Tune detections to reduce false positives from legitimate systems administration, software deployment, and break-glass operations by requiring context such as unapproved source host, unusual account, unusual service name, or unexpected command line.
- Use the relationship to T1569.002 to focus detection engineering on Windows service control manager abuse rather than on the Winexe binary name alone.
- Because ATT&CK provides no official detection for this object, validate detections with local telemetry and known-good administrative workflows before treating matches as malicious.
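The correlation and baselining steps above, worked through as an added example that is not part of the ATT&CK object or the Glexia analysis. It takes simplified, constructed records modelled on Windows Security 4624 (network logon) and System 7045 (service installed) events, ties each service install to the most recent network logon by the same account on the same server, and reports every deviation from a hypothetical approved-administration baseline (admin source hosts, privileged accounts, known service names, maintenance window). The baseline values, host names and service names are assumptions, not the page's data.

```python
"""Correlate service-install events with the remote logon that preceded them and
flag deviations from an approved remote-administration baseline.

Added example; event shapes are simplified, constructed records and the
baseline values are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical baseline of the organisation's approved remote-administration model.
BASELINE = {
    "admin_hosts": {"10.0.5.10", "10.0.5.11"},           # managed admin jump hosts
    "admin_accounts": {"CORP\\svc-deploy", "CORP\\ops-admin"},
    "known_services": {"CcmExec", "Sense", "ConfigMgrDeploy"},
    "maintenance_windows": [(2, 5)],                      # UTC hours, [start, end)
}

@dataclass
class Event:
    ts: datetime
    event_id: int
    host: str               # server where the event was recorded
    account: str
    source_ip: str = ""     # 4624: originating address
    service: str = ""       # 7045: service name
    image_path: str = ""    # 7045: service binary / command line
    logon_type: int = 0     # 4624: 3 = network logon

CORRELATION_WINDOW = timedelta(minutes=5)

def find_originating_logon(install, events):
    """Most recent network logon (4624, type 3) by the same account on the same
    server within the correlation window before the service install."""
    candidates = [
        e for e in events
        if e.event_id == 4624 and e.logon_type == 3
        and e.host == install.host and e.account == install.account
        and timedelta(0) <= install.ts - e.ts <= CORRELATION_WINDOW
    ]
    return max(candidates, key=lambda e: e.ts, default=None)

def in_maintenance_window(ts, windows):
    return any(start <= ts.hour < end for start, end in windows)

def assess_service_install(install, events, baseline=BASELINE):
    """Return the list of baseline deviations for one 7045 event (empty = benign)."""
    reasons = []
    logon = find_originating_logon(install, events)
    if logon is None:
        reasons.append("no correlated network logon")
    elif logon.source_ip not in baseline["admin_hosts"]:
        reasons.append(f"unapproved source host {logon.source_ip}")
    if install.account not in baseline["admin_accounts"]:
        reasons.append(f"unapproved account {install.account}")
    if install.service not in baseline["known_services"]:
        reasons.append(f"unexpected service name {install.service}")
    if not in_maintenance_window(install.ts, baseline["maintenance_windows"]):
        reasons.append("outside maintenance window")
    return reasons

def triage(events, baseline=BASELINE):
    """Assess every 7045 in the stream; keyed by (server, service, timestamp)."""
    findings = {}
    for e in events:
        if e.event_id == 7045:
            findings[(e.host, e.service, e.ts)] = assess_service_install(e, events, baseline)
    return findings

# Constructed sample telemetry: one approved deployment, one deviating install.
T = datetime(2024, 3, 1, 3, 0)   # 03:00 UTC, inside the maintenance window
SAMPLE_EVENTS = [
    Event(T, 4624, "FS01", "CORP\\svc-deploy", source_ip="10.0.5.10", logon_type=3),
    Event(T + timedelta(seconds=20), 7045, "FS01", "CORP\\svc-deploy",
          service="ConfigMgrDeploy", image_path=r"C:\Windows\ccmsetup\ccmsetup.exe"),
    Event(T + timedelta(hours=9), 4624, "FS01", "CORP\\jdoe", source_ip="10.0.44.7", logon_type=3),
    Event(T + timedelta(hours=9, seconds=5), 7045, "FS01", "CORP\\jdoe",
          service="tmpsvc", image_path=r"C:\Windows\tmpsvc.exe"),
]

if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_EVENTS).items():
        # Require stacked context before alerting, to keep routine admin work quiet.
        verdict = "ALERT" if len(reasons) >= 2 else "ok"
        print(verdict, key, reasons)
```

The alert threshold of two stacked deviations is the tuning knob the page describes: a single unusual attribute (an after-hours deployment from an approved host, say) stays below it, while an install from an unmanaged source by a non-admin account with an unknown service name scores on every check.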
Mitigation priorities
- Define and document approved remote command execution tools, administrative source systems, and authorized operators.
- Limit who can create, modify, or start services on servers through least-privilege administrative roles.
- Restrict remote administration paths to managed hosts and monitored network segments where feasible.
- Ensure privileged account use is logged, reviewed, and tied to change-management or incident records.
- Maintain endpoint and service-control logging on critical Windows servers so incident responders can reconstruct remote execution activity.
Analyst notes and limits
Winexe is described by ATT&CK as a lightweight open source tool similar to PsExec for executing commands on remote servers, with the notable characteristic that it is a GNU/Linux-based client. The strongest defensive context supplied is its relationship to Service Execution and its observed use by listed groups. This supports detection and control validation around service-based remote execution, not claims about current activity in any specific environment.
The supplied ATT&CK object has no official detection guidance, no direct platform list, no direct tactics, and limited tool detail. Conclusions about exposure, maliciousness, or detection coverage require local evidence such as admin tool inventory, privileged account logs, endpoint telemetry, and server service-control records.
Winexe
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1569.002 | Service Execution (sub-technique) | Winexe installs a service on the remote system, executes the command, then uninstalls the service. [Secpod Winexe June 2017] |
Groups, software, and campaigns
G0105: DarkVishnya
DarkVishnya is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.[1]
G0091: Silence
Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.[1][2]
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 397af65517b9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Winexe Github Sept 2013: Skalkotos, N. (2013, September 20). WinExe. Retrieved January 22, 2018.
- [2] Überwachung APT28 Forfiles June 2015: Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.
- [3] mitre-attack S0191
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.