T1569

System Services

This detection identifies adversaries abusing Windows services, Linux systemd units, and macOS launchd daemons to execute malicious code. Attackers commonly leverage sc.exe, net start, PsExec, systemctl, and launchctl to create or start services that run attacker-controlled binaries. Indicators include services with suspicious binary paths (temp directories, user profile paths, UNC paths), service names mimicking legitimate system services, new service installations from unusual parent processes (cmd.exe, powershell.exe, wscript.exe), and service creations from non-standard accounts. This technique is frequently chained with lateral movement and persistence techniques to achieve remote code execution or maintain footholds across reboots.

Microsoft Sentinel / Defender

kusto

let SuspiciousPaths = dynamic(["\\Temp\\", "\\Users\\", "\\AppData\\", "\\ProgramData\\", "\\Downloads\\", "\\Public\\", "%TEMP%", "%APPDATA%"]);
let SuspiciousParents = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe"]);
let LolBins = dynamic(["certutil.exe", "bitsadmin.exe", "wmic.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"]);
union
(
    // New service installations via Security event log
    SecurityEvent
    | where EventID == 7045
    | extend ServiceName = tostring(EventData.ServiceName),
             ServiceFileName = tostring(EventData.ImagePath),
             ServiceType = tostring(EventData.ServiceType),
             ServiceAccount = tostring(EventData.ServiceAccount)
    | where ServiceFileName has_any (SuspiciousPaths)
          or ServiceFileName matches regex @"\\\\[0-9]{1,3}\.[0-9]{1,3}\."  // UNC path
          or ServiceFileName has_any (LolBins)
          or ServiceAccount == "LocalSystem" and ServiceFileName has_any (SuspiciousPaths)
    | project TimeGenerated, Computer, EventID, ServiceName, ServiceFileName, ServiceType, ServiceAccount,
              SourceType = "SecurityEvent-7045"
),
(
    // sc.exe and net.exe service manipulation
    DeviceProcessEvents
    | where FileName in~ ("sc.exe", "net.exe", "net1.exe")
      and ProcessCommandLine has_any ("create", "start", "config", "binpath")
    | where InitiatingProcessFileName has_any (SuspiciousParents)
          or ProcessCommandLine matches regex @"binpath\s*=\s*[^\"]*\\(Temp|AppData|Downloads|Public|Users)\\"
          or ProcessCommandLine has "cmd.exe /c"
          or ProcessCommandLine has "powershell"
    | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessParentFileName, SourceType = "DeviceProcessEvents-sc"
),
(
    // PsExec-style remote service creation indicators
    DeviceProcessEvents
    | where FileName =~ "services.exe"
    | where InitiatingProcessFileName has_any ("psexec.exe", "psexec64.exe", "paexec.exe", "remcom.exe", "csexec.exe")
    | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine,
              InitiatingProcessFileName, InitiatingProcessCommandLine, SourceType = "DeviceProcessEvents-psexec"
),
(
    // Suspicious service binaries created in temp paths
    DeviceFileEvents
    | where ActionType == "FileCreated"
    | where FolderPath has_any (SuspiciousPaths)
    | where FileName endswith ".exe" or FileName endswith ".dll"
    | join kind=inner (
        SecurityEvent
        | where EventID == 7045
        | extend ServiceFileName = tostring(EventData.ImagePath)
        | project ServiceFileName, ServiceName = tostring(EventData.ServiceName), ServiceInstallTime = TimeGenerated
    ) on $left.FolderPath == $right.ServiceFileName
    | project TimeGenerated, DeviceName, FileName, FolderPath, ServiceName, ServiceInstallTime, SourceType = "FileCreated-ServiceBinary"
)
| order by TimeGenerated desc

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel Windows Security Events

Required Tables

SecurityEvent DeviceProcessEvents DeviceFileEvents

False Positives

IT automation tools (SCCM, Ansible, Chef) creating services during software deployment
Legitimate software installers that write binaries to AppData before creating services
Vulnerability scanners and EDR agents that enumerate or interact with the service control manager
Help desk remote management tools (TeamViewer, ConnectWise) that install services temporarily
Developer workstations running test services from non-standard paths during development

Splunk

spl

(
  index=* (sourcetype="WinEventLog:System" EventCode=7045)
  OR (sourcetype="WinEventLog:Security" EventCode=4697)
)
| eval ServiceName=coalesce(ServiceName, service_name),
       ImagePath=coalesce(ImagePath, image_path, param1),
       ServiceAccount=coalesce(ServiceAccount, service_account)
| eval suspicious_path=if(
    match(ImagePath, "(?i)(\\\\temp\\\\|\\\\users\\\\|\\\\appdata\\\\|\\\\downloads\\\\|\\\\public\\\\|%temp%|%appdata%)"),
    1, 0)
| eval unc_path=if(match(ImagePath, "^\\\\\\\\[0-9]{1,3}\\."), 1, 0)
| eval lolbin_service=if(
    match(ImagePath, "(?i)(certutil|bitsadmin|mshta|regsvr32|rundll32|wmic)"),
    1, 0)
| eval risk_score=suspicious_path*40 + unc_path*50 + lolbin_service*60
| where risk_score > 0
| table _time, host, EventCode, ServiceName, ImagePath, ServiceAccount, risk_score, suspicious_path, unc_path, lolbin_service
| sort - risk_score, -_time

| append
    [search index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\sc.exe" OR Image="*\\net.exe" OR Image="*\\net1.exe")
    (CommandLine="*create*" OR CommandLine="*start*" OR CommandLine="*binpath*" OR CommandLine="*config*")
    | eval suspicious_parent=if(
        match(ParentImage, "(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msiexec\.exe)"),
        1, 0)
    | eval suspicious_cmdline=if(
        match(CommandLine, "(?i)(binpath\s*=\s*[^\"]*\\\\(temp|appdata|downloads|public|users)\\\\|cmd\.exe /c|powershell)"),
        1, 0)
    | where suspicious_parent=1 OR suspicious_cmdline=1
    | eval risk_score=(suspicious_parent*30)+(suspicious_cmdline*40)
    | table _time, host, Image, CommandLine, ParentImage, ParentCommandLine, User, risk_score]

| append
    [search index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\psexec.exe" OR Image="*\\psexec64.exe" OR Image="*\\paexec.exe" OR Image="*\\remcom.exe")
    | eval risk_score=80
    | table _time, host, Image, CommandLine, ParentImage, User, risk_score]

high severity medium confidence

Data Sources

Sysmon Windows Event Logs

Required Sourcetypes

WinEventLog:System WinEventLog:Security XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software deployment tools (SCCM, PDQ Deploy) creating services as part of managed software installations
Backup agents (Veeam, Commvault) that install temporary service components during backup jobs
IT operations scripts run by administrators that use sc.exe or net.exe for legitimate service management
Antivirus and EDR products that create services during installation or updates
Windows Subsystem for Linux or virtualization software that registers kernel services

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  any where event.category == "process" and
  process.name in~ ("sc.exe", "net.exe", "net1.exe") and
  (
    process.args : ("create", "start", "config", "binpath") and
    (
      process.parent.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe") or
      process.command_line : ("*binpath*\\Temp\\*", "*binpath*\\AppData\\*", "*binpath*\\Downloads\\*", "*binpath*\\Public\\*", "*binpath*\\Users\\*", "*cmd.exe /c*", "*powershell*")
    )
  )
] by process.pid

OR

sequence by host.name with maxspan=2m
[
  any where event.category == "process" and
  process.name in~ ("psexec.exe", "psexec64.exe", "paexec.exe", "remcom.exe", "csexec.exe")
] by process.pid
[
  any where event.category == "process" and
  process.name == "services.exe"
] by process.parent.pid

OR

any where event.category == "file" and event.action == "creation" and
(
  file.path : ("*\\Temp\\*.exe", "*\\Temp\\*.dll", "*\\Users\\*\\AppData\\*.exe", "*\\Downloads\\*.exe", "*\\Public\\*.exe")
) and
process.name in~ ("services.exe", "sc.exe", "svchost.exe")

high severity high confidence

Data Sources

Windows Process Events Windows File Events Sysmon (ECS-normalized)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* logs-system.security* winlogbeat-*

False Positives

Legitimate software installers that use sc.exe from cmd.exe or PowerShell during installation pipelines (e.g., NSIS, Inno Setup, WiX toolchain installers).
IT automation tools such as Ansible, Chef, or Puppet that invoke sc.exe or net.exe via cmd.exe wrappers to manage services during provisioning.
Remote management agents (e.g., ConnectWise, Kaseya, Datto RMM) that create or modify services from AppData or ProgramData paths as part of their normal update mechanisms.
Security software (EDR, AV) that installs kernel drivers or service components into non-standard paths during updates.
PsExec used legitimately by sysadmins for remote task execution in environments where it is an approved tool.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  QIDNAME(qid) AS event_name,
  "username" AS account_name,
  "sourceip" AS source_ip,
  "hostname" AS host_name,
  CATEGORYNAME(category) AS event_category,
  "ServiceName" AS service_name,
  "ImagePath" AS image_path,
  "ServiceAccount" AS service_account,
  CASE
    WHEN LOWER("ImagePath") MATCHES '.*\\\\(temp|users|appdata|downloads|public|programdata)\\\\.*' THEN 40
    ELSE 0
  END +
  CASE
    WHEN "ImagePath" MATCHES '^\\\\\\\\[0-9]{1,3}\\.' THEN 50
    ELSE 0
  END +
  CASE
    WHEN LOWER("ImagePath") MATCHES '.*(certutil|bitsadmin|mshta|regsvr32|rundll32|wmic).*' THEN 60
    ELSE 0
  END AS risk_score
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 14, 15)  -- Windows Security/System event logs
  AND (
    (qid = 5000700  -- Service Control Manager 7045 new service installed
     OR qid = 5000100  -- Security event 4697 service installed
    ) AND (
      LOWER("ImagePath") MATCHES '.*\\\\(temp|users|appdata|downloads|public|programdata)\\\\.*'
      OR "ImagePath" MATCHES '^\\\\\\\\[0-9]'
      OR LOWER("ImagePath") MATCHES '.*(certutil|bitsadmin|mshta|regsvr32|rundll32|wmic).*'
    )
  )
  OR (
    LOWER("CommandLine") MATCHES '.*(sc\.exe|net\.exe|net1\.exe).*(create|start|config|binpath).*'
    AND (
      LOWER("ParentProcessPath") MATCHES '.*(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msiexec\.exe).*'
      OR LOWER("CommandLine") MATCHES '.*binpath.*(temp|appdata|downloads|public|users).*'
    )
  )
  OR (
    LOWER("ProcessPath") MATCHES '.*(psexec\.exe|psexec64\.exe|paexec\.exe|remcom\.exe|csexec\.exe).*'
  )
ORDER BY risk_score DESC, starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Windows Security Event Log Windows System Event Log Sysmon Process Create Events

Required Tables

events

False Positives

Legitimate enterprise software deployments that install services with binaries staged in user or temp directories before moving them to program directories.
Vulnerability scanning tools or patch management systems that enumerate or restart services using sc.exe from automated scripting contexts.
Software development workflows on developer workstations where test services are registered pointing to build output directories under user profiles.
Remote administration via PSExec in environments where it is explicitly sanctioned and documented as an approved remote management method.

Sumo Logic CSE

sql

// Detection 1: New service installations with suspicious paths (Windows Event 7045/4697)
(_sourceCategory="windows/system" OR _sourceCategory="windows/security")
| where EventCode in ("7045", "4697")
| parse "ServiceName=*" as service_name nodrop
| parse "ImagePath=*" as image_path nodrop
| parse "ServiceAccount=*" as service_account nodrop
| eval suspicious_path = if(matches(image_path, "(?i).*\\\\(Temp|Users|AppData|Downloads|Public|ProgramData)\\\\.*"), 1, 0)
| eval unc_path = if(matches(image_path, "^\\\\\\\\[0-9]{1,3}\\."), 1, 0)
| eval lolbin_svc = if(matches(image_path, "(?i).*(certutil|bitsadmin|mshta|regsvr32|rundll32|wmic).*"), 1, 0)
| eval risk_score = (suspicious_path * 40) + (unc_path * 50) + (lolbin_svc * 60)
| where risk_score > 0
| fields _messagetime, _sourceHost, EventCode, service_name, image_path, service_account, risk_score, suspicious_path, unc_path, lolbin_svc
| sort by risk_score desc, _messagetime desc

// Detection 2: sc.exe/net.exe service manipulation from suspicious parents (Sysmon Event 1)
// Run as separate query:
// _sourceCategory="windows/sysmon" EventCode=1
// (CommandLine="*sc.exe*" OR CommandLine="*net.exe*" OR CommandLine="*net1.exe*")
// (CommandLine="*create*" OR CommandLine="*start*" OR CommandLine="*binpath*" OR CommandLine="*config*")
// | parse regex "ParentImage=(?<parent_image>[^\r\n]+)" nodrop
// | parse regex "CommandLine=(?<cmd_line>[^\r\n]+)" nodrop
// | eval suspicious_parent = if(matches(parent_image, "(?i).*(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msiexec\.exe).*"), 1, 0)
// | eval suspicious_binpath = if(matches(cmd_line, "(?i)binpath.*(temp|appdata|downloads|public|users)"), 1, 0)
// | where suspicious_parent=1 OR suspicious_binpath=1
// | eval risk_score = (suspicious_parent*30)+(suspicious_binpath*40)
// | sort by risk_score desc

// Detection 3: PsExec-style tools (Sysmon Event 1)
// Run as separate query:
// _sourceCategory="windows/sysmon" EventCode=1
// (Image="*psexec.exe" OR Image="*psexec64.exe" OR Image="*paexec.exe" OR Image="*remcom.exe" OR Image="*csexec.exe")
// | eval risk_score=80
// | fields _messagetime, _sourceHost, Image, CommandLine, ParentImage, User, risk_score

high severity high confidence

Data Sources

Windows System Event Log Windows Security Event Log Sysmon Operational Log

Required Tables

windows/system windows/security windows/sysmon

False Positives

Enterprise software deployers (e.g., SCCM, Intune, or third-party deployment tools) that register services with binaries temporarily staged in ProgramData or temp paths before finalizing installation.
Penetration testing teams using PsExec or PAExec during authorized red team engagements — coordinate with security team scheduling to suppress during test windows.
Development and build servers where unit tests or integration tests programmatically install and remove services with binaries in build output directories under user or temp paths.
Legitimate LOLBin usage for service verification, e.g., certutil used by patching scripts to validate service binary integrity by hash comparison before service start.

Google Chronicle / SecOps

yaral

rule T1569_System_Services_Abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects adversary abuse of system service mechanisms including suspicious service installations, sc.exe manipulation from scripting parents, and PsExec-style remote service creation. Covers Windows Event 7045/4697, Sysmon process events for sc.exe/net.exe, and lateral movement tools."
    mitre_attack_tactic = "Execution, Persistence, Lateral Movement"
    mitre_attack_technique = "T1569"
    severity = "HIGH"
    priority = "HIGH"

  events:
    (
      // Pattern 1: New service installation with suspicious image path (via Windows Event 7045 or Security 4697)
      $e1.metadata.event_type = "GENERIC_EVENT"
      $e1.metadata.product_name = "Microsoft-Windows-Security-Auditing"
      (
        $e1.metadata.product_log_id = "7045"
        OR $e1.metadata.product_log_id = "4697"
      )
      (
        re.regex($e1.target.process.file.full_path, `(?i)\\(Temp|Users|AppData|Downloads|Public|ProgramData)\\`)
        OR re.regex($e1.target.process.file.full_path, `^\\\\[0-9]{1,3}\.[0-9]{1,3}\.`)
        OR re.regex($e1.target.process.file.full_path, `(?i)(certutil|bitsadmin|mshta|regsvr32|rundll32|wmic)\.exe`)
      )
      $e1.principal.hostname = $hostname
    )
    OR
    (
      // Pattern 2: sc.exe or net.exe service manipulation from suspicious parent process
      $e2.metadata.event_type = "PROCESS_LAUNCH"
      (
        re.regex($e2.target.process.file.full_path, `(?i)\\(sc|net|net1)\.exe$`)
      )
      (
        re.regex($e2.target.process.command_line, `(?i)(create|start|config|binpath)`)
      )
      (
        re.regex($e2.principal.process.file.full_path, `(?i)\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|msiexec)\.exe$`)
        OR re.regex($e2.target.process.command_line, `(?i)binpath\s*=\s*[^"]*\\(Temp|AppData|Downloads|Public|Users)\\`)
        OR re.regex($e2.target.process.command_line, `(?i)(cmd\.exe /c|powershell)`)
      )
      $e2.principal.hostname = $hostname
    )
    OR
    (
      // Pattern 3: PsExec-style lateral movement tools spawning service-related processes
      $e3.metadata.event_type = "PROCESS_LAUNCH"
      re.regex($e3.principal.process.file.full_path, `(?i)\\(psexec|psexec64|paexec|remcom|csexec)\.exe$`)
      $e3.principal.hostname = $hostname
    )

  condition:
    $e1 or $e2 or $e3
}

high severity high confidence

Data Sources

Windows Event Log (System, Security) Sysmon Process Create CrowdStrike Falcon Carbon Black

Required Tables

GENERIC_EVENT PROCESS_LAUNCH

False Positives

Enterprise software deployment systems (e.g., Microsoft Endpoint Configuration Manager) that stage service binaries in temp or ProgramData before moving them, triggering the suspicious path heuristic.
Authorized use of PSExec or PAExec by IT operations teams performing remote maintenance — establish an allowlist of source hosts and accounts for approved usage.
Security scanning tools (Tenable Nessus, Qualys, Rapid7) that enumerate or interact with services as part of credentialed vulnerability assessment scans.
Software update mechanisms that temporarily use LOLBins like certutil to verify binary integrity before registering updated service binaries.

CrowdStrike LogScale (CQL)

cql

// Detection 1: Service installation with suspicious binary path (Windows Event 7045/4697 equivalent via Falcon)
#event_simpleName=ServiceInstall
| ServiceImagePath = /(?i)\\(Temp|Users|AppData|Downloads|Public|ProgramData)\\/
  OR ServiceImagePath = /^\\\\[0-9]{1,3}\.[0-9]{1,3}\./
  OR ServiceImagePath = /(?i)(certutil|bitsadmin|mshta|regsvr32|rundll32|wmic)\.exe/
| eval suspicious_path = if(ServiceImagePath = /(?i)\\(Temp|Users|AppData|Downloads|Public|ProgramData)\\/, 40, 0)
| eval unc_path = if(ServiceImagePath = /^\\\\[0-9]/, 50, 0)
| eval lolbin_svc = if(ServiceImagePath = /(?i)(certutil|bitsadmin|mshta|regsvr32|rundll32|wmic)/, 60, 0)
| eval risk_score = suspicious_path + unc_path + lolbin_svc
| table([timestamp, ComputerName, UserName, ServiceName, ServiceImagePath, ServiceType, risk_score])
| sort(field=risk_score, order=desc)

// Detection 2: sc.exe/net.exe service manipulation from suspicious parent processes
// Run as separate query:
// #event_simpleName=ProcessRollup2
// FileName in ("sc.exe", "net.exe", "net1.exe")
// CommandLine = /(create|start|config|binpath)/i
// | eval suspicious_parent = if(ParentBaseFileName = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msiexec\.exe)/, 1, 0)
// | eval suspicious_binpath = if(CommandLine = /(?i)binpath\s*=\s*[^"]*\\(temp|appdata|downloads|public|users)\\/i, 1, 0)
// | where suspicious_parent=1 OR suspicious_binpath=1
// | eval risk_score = (suspicious_parent*30)+(suspicious_binpath*40)
// | groupBy([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName], aggregate=[max(risk_score)])
// | sort(field=risk_score, order=desc)

// Detection 3: PsExec-style lateral movement tools
// Run as separate query:
// #event_simpleName=ProcessRollup2
// FileName in ("psexec.exe", "psexec64.exe", "paexec.exe", "remcom.exe", "csexec.exe")
// | eval risk_score=80
// | groupBy([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName], aggregate=[count()])
// | sort(field=risk_score, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon Process Telemetry Falcon Service Telemetry

Required Tables

ServiceInstall ProcessRollup2

False Positives

Legitimate system management tools installed by IT operations that register services with binaries in ProgramData or user-accessible paths as part of their normal deployment workflow.
Software packaging and testing pipelines on developer or build systems where services are programmatically installed pointing to temp or build output directories.
Approved use of PsExec or PAExec by IT administrators for remote task execution — suppress by creating an allowlist based on source username, source hostname, and target hostname for authorized usage.
Antivirus or EDR updates that temporarily install kernel drivers or service components into non-standard paths and move them during the update cycle.

Last updated: 2026-04-21 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1569 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

System Services

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (3)

Same Tactic: Execution

Popular Detections