S1064: SVCReady
Analyst context for executives and security teams
SVCReady matters because it is a Windows loader associated in ATT&CK with malicious spam delivery and a broad set of follow-on behaviors: phishing attachment execution, discovery, persistence, stealth, command-and-control, tool transfer, collection, and exfiltration over C2. For leaders, the decision value is not simply “do we block this malware name,” but whether email, endpoint, identity, and SOC processes can catch a user-driven loader before it establishes persistence, profiles the host, pulls additional tooling, or moves data through normal-looking web traffic.
Executive priority
Prioritize SVCReady as a readiness test for phishing-led intrusion response on Windows endpoints. It connects business risk to several control areas executives can validate: attachment handling and user execution controls, endpoint visibility for scheduled tasks, WMI, rundll32, registry and COM activity, and network visibility for web-based C2 and exfiltration. Because ATT&CK provides no official detection text for this software, leadership should ask for evidence of coverage against the mapped behaviors rather than relying on signature coverage for the SVCReady name alone. The official description notes overlaps with TA551 activity in distribution artifacts, but this should be treated as contextual threat intelligence, not attribution.
Technical view
SOC and detection teams should validate behavior-based coverage across the Windows attack chain reflected in the relationships: spearphishing attachment and malicious file execution; Visual Basic, WMI, Native API, and rundll32 execution; registry queries and COM hijacking; scheduled task persistence; system, user, process, software, peripheral, and time discovery; anti-analysis checks; ingress tool transfer; web-protocol C2; local data collection, screen capture, and exfiltration over the C2 channel. Since ATT&CK lists no dedicated detection guidance for SVCReady, detections should be built and tested around these related techniques, correlated by sequence and endpoint context rather than single events.
Likely telemetry
- Email security telemetry for attachments, sender metadata, lure delivery, and user interaction with malicious files
- Endpoint process creation telemetry, including parent-child relationships for Office or attachment handlers, script interpreters, rundll32.exe, WMI, and scheduled task utilities
- Windows Registry and COM-related telemetry for discovery, modification, or hijacking indicators
- Scheduled task creation, modification, and execution logs
- WMI activity logs and remote or local management execution evidence
Detection direction
- Validate behavior chains rather than only malware signatures: phishing attachment execution followed by script or rundll32 execution, discovery, persistence, and outbound web traffic is higher-value than any single event.
- Tune for suspicious scheduled task and service naming, especially where names appear designed to masquerade as legitimate tasks or services.
- Correlate WMI, Visual Basic, Native API, and rundll32 activity with unusual parents, recently written files, user-opened attachments, or uncommon command-line patterns.
- Monitor registry and COM activity for both discovery and persistence context; separate common administrative inventory activity from changes that introduce suspicious execution paths.
- Review outbound web-protocol traffic from newly spawned or unusual processes, especially when paired with tool transfer, local data access, or screen capture behaviors.
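The chain-oriented detection logic described above, as an added example that is not part of this page or of ATT&CK: it classifies constructed endpoint events into the stages mapped for SVCReady (attachment handler spawning a LOLBin, the `RecoveryExTask` task name, the per-user CLSID key from the technique table, web traffic from a LOLBin) and only alerts a host when several distinct stages co-occur. The event schema, host names and the `classify`/`correlate` helpers are assumptions for illustration.

```python
"""Stage correlation sketch for the SVCReady chain (added example, not ATT&CK/Glexia code).
A host alerts only when several mapped stages line up, not on any single event."""
import re
from collections import defaultdict

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"rundll32.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Task name and CLSID come from the technique table on this page.
MASQ_TASKS = {"recoveryextask"}
HIJACK_CLSID = "{e6d34ffc-ad32-4d6a-934c-d387fa873a19}"
HKCU_CLSID = re.compile(r"^HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9a-f-]+\})", re.I)

def classify(ev):
    """Map one endpoint event to an ATT&CK stage named on this page, or None."""
    t = ev["type"]
    if t == "process" and ev["parent"].lower() in OFFICE_PARENTS and ev["image"].lower() in LOLBINS:
        return "T1204.002 attachment handler spawned LOLBin"
    if t == "schtask" and ev["task"].lower() in MASQ_TASKS:
        return "T1053.005/T1036.004 masquerading scheduled task"
    if t == "registry":
        m = HKCU_CLSID.match(ev["key"])
        if m and (m.group(1).lower() == HIJACK_CLSID or "inprocserver32" in ev["key"].lower()):
            return "T1546.015 per-user CLSID registration"
    if t == "network" and ev["proto"] == "http" and ev["image"].lower() in LOLBINS:
        return "T1071.001 web traffic from LOLBin"
    return None

def correlate(events, min_stages=2):
    """Group distinct stage hits per host; keep hosts reaching min_stages."""
    hits = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage and stage not in hits[ev["host"]]:
            hits[ev["host"]].append(stage)
    return {h: s for h, s in hits.items() if len(s) >= min_stages}

# Constructed sample telemetry (not real observations): ws01 shows the chain, ws02 is benign.
EVENTS = [
    {"host": "ws01", "type": "process", "parent": "WINWORD.EXE", "image": "rundll32.exe"},
    {"host": "ws01", "type": "schtask", "task": "RecoveryExTask"},
    {"host": "ws01", "type": "registry", "key": r"HKEY_CURRENT_USER\Software\Classes\CLSID"
     r"\{E6D34FFC-AD32-4d6a-934C-D387FA873A19}\InprocServer32"},
    {"host": "ws01", "type": "network", "image": "rundll32.exe", "proto": "http"},
    {"host": "ws02", "type": "process", "parent": "explorer.exe", "image": "rundll32.exe"},
    {"host": "ws02", "type": "network", "image": "rundll32.exe", "proto": "http"},
]

if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(host, "->", " | ".join(stages))
```

ws02 produces a single stage (HTTP from rundll32.exe with a benign parent) and stays below the threshold, which is the point of sequencing rather than alerting on one event.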
Mitigation priorities
- Strengthen email attachment controls and user-execution safeguards for malicious spam scenarios, including attachment detonation, file-type handling, and user reporting workflows.
- Reduce script, WMI, rundll32, and scheduled task abuse opportunities through least privilege, application control, and administrative tool governance appropriate to Windows endpoints.
- Harden persistence surfaces by monitoring and controlling scheduled tasks, services, registry autoruns, and COM object references.
- Ensure endpoint detection and response coverage captures process, registry, task, WMI, file, and network events needed to reconstruct the chain.
- Restrict and inspect outbound web traffic where feasible so C2, tool transfer, and exfiltration over common protocols are not invisible by default.
Analyst notes and limits
ATT&CK identifies SVCReady as a Windows loader used since at least April 2022 in malicious spam campaigns. The relationship set is rich and gives defenders practical coverage targets across initial access, execution, discovery, persistence, stealth, command-and-control, collection, and exfiltration behaviors. The strongest defensive use is to map existing telemetry and detections to those behaviors and validate whether the SOC can connect them into an incident narrative quickly.
The official ATT&CK object provides no dedicated detection text, no explicit tactics on the malware object itself, and no aliases or labels. Relationship descriptions include techniques with platforms beyond Windows, but the SVCReady object platform is Windows; platform claims should therefore remain Windows-focused. Local telemetry, control configuration, and observed samples are required to determine actual exposure or detection coverage.
SVCReady
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1012 | Query Registry | SVCReady can search for the `HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System` Registry key to gather system information. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | SVCReady can encrypt victim data with an RC4 cipher. [1] |
| Enterprise | T1204.002 | Malicious File (sub-technique) | SVCReady has relied on users clicking a malicious attachment delivered through spearphishing. [1] |
| Enterprise | T1005 | Data from Local System | SVCReady can collect data from an infected host. [1] |
| Enterprise | T1566.001 | Spearphishing Attachment (sub-technique) | SVCReady has been distributed via spearphishing campaigns containing malicious Microsoft Word documents. [1] |
| Enterprise | T1036.004 | Masquerade Task or Service (sub-technique) | SVCReady has named a task `RecoveryExTask` as part of its persistence activity. [1] |
| Enterprise | T1059.005 | Visual Basic (sub-technique) | SVCReady has used VBA macros to execute shellcode. [1] |
| Enterprise | T1218.011 | Rundll32 (sub-technique) | SVCReady has used `rundll32.exe` for execution. [1] |
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | SVCReady can create a scheduled task named `RecoveryExTask` to gain persistence. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | SVCReady has the ability to download additional tools such as the RedLine Stealer to an infected host. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | SVCReady can send collected data in JSON format to its C2 server. [1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | SVCReady can communicate with its C2 servers via HTTP. [1] |
| Enterprise | T1120 | Peripheral Device Discovery | SVCReady can check for the number of devices plugged into an infected host. [1] |
| Enterprise | T1033 | System Owner/User Discovery | SVCReady can collect the username from an infected host. [1] |
| Enterprise | T1546.015 | Component Object Model Hijacking (sub-technique) | SVCReady has created the `HKEY_CURRENT_USER\Software\Classes\CLSID\{E6D34FFC-AD32-4d6a-934C-D387FA873A19}` Registry key for persistence. [1] |
| Enterprise | T1113 | Screen Capture | SVCReady can take a screenshot from an infected host. [1] |
| Enterprise | T1124 | System Time Discovery | SVCReady can collect time zone information. [1] |
| Enterprise | T1106 | Native API | SVCReady can use Windows API calls to gather information from an infected host. [1] |
| Enterprise | T1047 | Windows Management Instrumentation | SVCReady can use `WMI` queries to detect the presence of a virtual machine environment. [1] |
| Enterprise | T1082 | System Information Discovery | SVCReady has the ability to collect information such as computer name, computer manufacturer, BIOS, operating system, and firmware, including through the use of `systeminfo.exe`. [1] |
| Enterprise | T1497.001 | System Checks (sub-technique) | SVCReady has the ability to determine if its runtime environment is virtualized. [1] |
| Enterprise | T1057 | Process Discovery | SVCReady can collect a list of running processes from an infected host. [1] |
| Enterprise | T1518 | Software Discovery | SVCReady can collect a list of installed software from an infected host. [1] |
| Enterprise | T1497.003 | Time Based Checks (sub-technique) | SVCReady can enter a sleep stage for 30 minutes to evade detection. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page on Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 632a8a81b703… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] HP SVCReady Jun 2022: Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
[2] mitre-attack S1064
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.