T1569.002 Service Execution Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detection 1: New service created with suspicious binary path
let SuspiciousPaths = dynamic([
  "\\Temp\\", "\\tmp\\", "\\Users\\Public\\", "\\AppData\\Local\\Temp\\",
  "\\Downloads\\", "\\Desktop\\", "\\ProgramData\\"
]);
let SuspiciousBinaries = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
  "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
  "bitsadmin.exe", "msbuild.exe", "wmic.exe"
]);
// Service installation events via Security log (Event ID 4697) or System log (Event ID 7045)
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4697
| extend ServiceName = tostring(EventData.ServiceName)
| extend ServiceFileName = tostring(EventData.ServiceFileName)
| extend ServiceAccountName = tostring(EventData.ServiceAccount)
| extend SubjectUserName = tostring(EventData.SubjectUserName)
| extend SubjectDomainName = tostring(EventData.SubjectDomainName)
| where ServiceFileName has_any (SuspiciousPaths)
       or ServiceFileName has_any (SuspiciousBinaries)
       or ServiceFileName matches regex @"\\[a-z0-9]{8,16}\.exe"
       or ServiceName matches regex @"^[a-z0-9]{6,12}$"
| project TimeGenerated, Computer, EventID, ServiceName, ServiceFileName, ServiceAccountName, SubjectUserName, SubjectDomainName
| union (
// Detection 2: sc.exe or PsExec creating or starting services
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "sc.exe"
| where ProcessCommandLine has_any ("create", "start", "config", "binpath")
| where ProcessCommandLine has_any (SuspiciousPaths)
       or ProcessCommandLine has_any (SuspiciousBinaries)
       or ProcessCommandLine has_any ("cmd /c", "cmd.exe /c", "powershell", "\\\\\\\\")
| project TimeGenerated=Timestamp, Computer=DeviceName, EventID=int(null),
         ServiceName=tostring(split(ProcessCommandLine, " ")[2]),
         ServiceFileName=ProcessCommandLine,
         ServiceAccountName="",
         SubjectUserName=AccountName,
         SubjectDomainName=AccountDomain
)
| union (
// Detection 3: PsExec service signature (PSEXESVC)
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "PSEXESVC.exe"
       or ProcessCommandLine has "psexec"
       or InitiatingProcessFileName =~ "PsExec.exe"
       or InitiatingProcessFileName =~ "PsExec64.exe"
| project TimeGenerated=Timestamp, Computer=DeviceName, EventID=int(null),
         ServiceName="PSEXESVC",
         ServiceFileName=ProcessCommandLine,
         ServiceAccountName="SYSTEM",
         SubjectUserName=AccountName,
         SubjectDomainName=AccountDomain
)
| sort by TimeGenerated desc

high severity high confidence

Data Sources

Windows Security Event Log (Event ID 4697) Windows System Event Log (Event ID 7045) Process: Process Creation Microsoft Defender for Endpoint

Required Tables

SecurityEvent DeviceProcessEvents

False Positives

Legitimate software installers (antivirus, monitoring agents, backup solutions) that register Windows services during installation
IT administrative tools (PsExec used by sysadmins for remote management, SCCM/Intune deploying service-based software)
Security software and EDR agents that create services for kernel drivers or protection modules
Legitimate automation frameworks (Ansible, Chef, Puppet) that deploy services as part of configuration management
Application deployment pipelines in CI/CD environments creating temporary services for testing

Splunk

spl

| union
[
search index=wineventlog (sourcetype="WinEventLog:Security" EventCode=4697) OR (sourcetype="WinEventLog:System" EventCode=7045)
| eval ServiceName=coalesce(Service_Name, service_name, ServiceName)
| eval ServiceFileName=coalesce(Service_File_Name, service_file_name, ImagePath)
| eval SubjectUser=coalesce(Subject_User_Name, AccountName, user)
| eval IsSuspiciousPath=if(match(lower(ServiceFileName), "(\\\\temp\\\\|\\\\tmp\\\\|\\\\users\\\\public\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\downloads\\\\|\\\\desktop\\\\|\\\\programdata\\\\)"), 1, 0)
| eval IsSuspiciousBinary=if(match(lower(ServiceFileName), "(cmd\.exe|powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msbuild\.exe|wmic\.exe)"), 1, 0)
| eval HasCmdFlag=if(match(lower(ServiceFileName), "(cmd\s+/c|cmd\.exe\s+/c|/c\s+powershell)"), 1, 0)
| eval RandomName=if(match(lower(ServiceName), "^[a-z0-9]{6,12}$"), 1, 0)
| eval SuspicionScore=IsSuspiciousPath + IsSuspiciousBinary + HasCmdFlag + RandomName
| where SuspicionScore > 0
| eval DetectionSource=EventCode
| table _time, host, SubjectUser, ServiceName, ServiceFileName, EventCode, IsSuspiciousPath, IsSuspiciousBinary, HasCmdFlag, RandomName, SuspicionScore
]
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\sc.exe" OR Image="*\\sc")
  (CommandLine="*create*" OR CommandLine="*binpath*" OR CommandLine="*config*")
| eval ServiceFileName=CommandLine
| eval IsSuspiciousPath=if(match(lower(CommandLine), "(\\\\temp\\\\|\\\\tmp\\\\|\\\\users\\\\public\\\\|\\\\appdata\\\\|\\\\downloads\\\\|\\\\desktop\\\\|\\\\programdata\\\\)"), 1, 0)
| eval IsSuspiciousBinary=if(match(lower(CommandLine), "(cmd\.exe|powershell\.exe|pwsh\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe)"), 1, 0)
| eval HasCmdFlag=if(match(lower(CommandLine), "cmd\s*/c|/c\s*powershell"), 1, 0)
| eval SuspicionScore=IsSuspiciousPath + IsSuspiciousBinary + HasCmdFlag
| where SuspicionScore > 0
| eval DetectionSource="sc.exe"
| table _time, host, User, Image, CommandLine, ParentImage, IsSuspiciousPath, IsSuspiciousBinary, HasCmdFlag, SuspicionScore
]
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\PSEXESVC.exe" OR ParentImage="*\\PsExec.exe" OR ParentImage="*\\PsExec64.exe" OR CommandLine="*psexec*")
| eval SuspicionScore=3
| eval DetectionSource="PsExec"
| table _time, host, User, Image, CommandLine, ParentImage, SuspicionScore
]
| sort - _time

high severity high confidence

Data Sources

Windows Security Event Log (Event ID 4697) Windows System Event Log (Event ID 7045) Sysmon Event ID 1 (Process Create)

Required Sourcetypes

WinEventLog:Security WinEventLog:System XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate software installers (antivirus, monitoring agents, backup solutions) that register Windows services during installation
IT administrative tools (PsExec used by sysadmins for remote management, SCCM/Intune deploying service-based software)
Security software and EDR agents that create services for kernel drivers or protection modules
Legitimate automation frameworks (Ansible, Chef, Puppet) that deploy services as part of configuration management
Application deployment pipelines in CI/CD environments creating temporary services for testing

Elastic Security (EQL)

eql

any where
  (event.category == "process" and event.type == "start" and
   (
    (process.name : ("sc.exe") and process.args : ("create","start","config") and
     (process.args : ("*\\Temp\\*","*\\AppData\\*","*\\Users\\Public\\*",
                       "cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe"))) or
    (process.name : ("PsExec.exe","psexec.exe","PsExec64.exe") and
     (process.args : ("-s","/s","-i","/i") or process.args_count > 3)) or
    (process.name : ("wmic.exe") and
     process.args : ("process","call","create") and
     process.parent.name : ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe"))
   )) or
  (event.category == "registry" and
   registry.path : "HKLM\\SYSTEM\\CurrentControlSet\\Services\\*\\ImagePath" and
   (registry.data.strings : ("*\\Temp\\*","*cmd.exe*","*powershell.exe*","*\\AppData\\*")))

high severity high confidence

Data Sources

Windows Process Events Windows Registry Events

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-*

False Positives

Legitimate software installers (antivirus, monitoring agents, backup solutions) that register Windows services during installation
IT administrative tools (PsExec used by sysadmins for remote management, SCCM/Intune deploying service-based software)
Security software and EDR agents that create services for kernel drivers or protection modules
Legitimate automation frameworks (Ansible, Chef, Puppet) that deploy services as part of configuration management
Application deployment pipelines in CI/CD environments creating temporary services for testing

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource, username as User,
  "Image" as ProcessImage, "CommandLine" as CommandLine, "ParentImage" as ParentProcess,
  CASE WHEN "Image" ILIKE '%psexec%' AND "CommandLine" ILIKE '% -s %' THEN 10
       WHEN "Image" ILIKE '%sc.exe%' AND "CommandLine" ILIKE '%(\Temp\|cmd.exe|powershell)%' THEN 9
       WHEN "Image" ILIKE '%wmic.exe%' AND "CommandLine" ILIKE '%process call create%' THEN 9
       ELSE 6 END as RiskScore
FROM events
WHERE eventid IN (1, 4688, 7045)
  AND (
    ("Image" ILIKE '%sc.exe%' AND
     ("CommandLine" ILIKE '%create%' OR "CommandLine" ILIKE '%config%') AND
     ("CommandLine" ILIKE '%\Temp\%' OR "CommandLine" ILIKE '%cmd.exe%'
      OR "CommandLine" ILIKE '%powershell%' OR "CommandLine" ILIKE '%\AppData\%'))
    OR ("Image" ILIKE '%psexec%' AND "CommandLine" ILIKE ANY ('% -s %','% /s %'))
    OR ("Image" ILIKE '%wmic.exe%' AND "CommandLine" ILIKE '%process call create%' AND
        LOWER("ParentImage") LIKE ANY ('%cmd%','%powershell%','%wscript%','%cscript%','%mshta%'))
  )
ORDER BY RiskScore DESC, EventTime DESC

high severity high confidence

Data Sources

Windows Security Event Log Windows Sysmon

Required Tables

events

False Positives

Legitimate software installers (antivirus, monitoring agents, backup solutions) that register Windows services during installation
IT administrative tools (PsExec used by sysadmins for remote management, SCCM/Intune deploying service-based software)
Security software and EDR agents that create services for kernel drivers or protection modules
Legitimate automation frameworks (Ansible, Chef, Puppet) that deploy services as part of configuration management
Application deployment pipelines in CI/CD environments creating temporary services for testing

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| json auto
| where EventID in ("1","4688","7045")
| eval ImageLower = toLower(coalesce(Image, NewProcessName, ""))
| eval CmdLower = toLower(coalesce(CommandLine,""))
| eval ParentLower = toLower(coalesce(ParentImage,""))
| eval is_sc_abuse = if(ImageLower matches ".*sc\.exe$" AND
    CmdLower matches ".*(create|config).*" AND
    CmdLower matches ".*(\\temp\\|\\appdata\\|cmd\.exe|powershell)", 1, 0)
| eval is_psexec = if(ImageLower matches ".*psexec(64)?\.exe$" AND
    (CmdLower matches ".*( -s | /s ).*" OR length(CmdLower) > length(ImageLower) + 20), 1, 0)
| eval is_wmic_exec = if(ImageLower matches ".*wmic\.exe$" AND
    CmdLower matches ".*process call create.*" AND
    ParentLower matches ".*(cmd|powershell|wscript|cscript|mshta).*", 1, 0)
| where is_sc_abuse == 1 OR is_psexec == 1 OR is_wmic_exec == 1
| eval detection_type = case(is_sc_abuse == 1, "SC_Service_Abuse",
    is_psexec == 1, "PsExec_Execution",
    is_wmic_exec == 1, "WMI_Process_Create", true(), "Service_Execution")
| table _time, Computer, User, Image, CommandLine, ParentImage, detection_type
| sort by _time desc

high severity high confidence

Data Sources

Windows Sysmon via Sumo Logic Windows Security via Sumo Logic

Required Tables

windows/sysmon windows/security

False Positives

Legitimate software installers (antivirus, monitoring agents, backup solutions) that register Windows services during installation
IT administrative tools (PsExec used by sysadmins for remote management, SCCM/Intune deploying service-based software)
Security software and EDR agents that create services for kernel drivers or protection modules
Legitimate automation frameworks (Ansible, Chef, Puppet) that deploy services as part of configuration management
Application deployment pipelines in CI/CD environments creating temporary services for testing

Google Chronicle / SecOps

yaral

rule service_execution_abuse {
  meta:
    author = "Detection Engineering"
    description = "Detects service execution abuse via sc.exe, PsExec, and WMI (T1569.002)"
    severity = "HIGH"
    tactic = "TA0002"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (re.regex($e.target.process.file.full_path, `(?i)\sc\.exe`) nocase and
       re.regex($e.target.process.command_line, `(?i)(create|config).*(\Temp\|cmd\.exe|powershell|\AppData\)`) nocase) or
      re.regex($e.target.process.file.full_path, `(?i)psexec(64)?\.exe`) nocase or
      (re.regex($e.target.process.file.full_path, `(?i)wmic\.exe`) nocase and
       re.regex($e.target.process.command_line, `(?i)process call create`) nocase and
       re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell|wscript|cscript|mshta)`) nocase)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Windows Process Events via Chronicle UDM

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate software installers (antivirus, monitoring agents, backup solutions) that register Windows services during installation
IT administrative tools (PsExec used by sysadmins for remote management, SCCM/Intune deploying service-based software)
Security software and EDR agents that create services for kernel drivers or protection modules
Legitimate automation frameworks (Ansible, Chef, Puppet) that deploy services as part of configuration management
Application deployment pipelines in CI/CD environments creating temporary services for testing

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| (ImageFileName = /sc\.exe$/i AND CommandLine = /(create|config)/i AND
   CommandLine = /(\Temp\|\AppData\|cmd\.exe|powershell)/i)
  OR (ImageFileName = /psexec(64)?\.exe$/i AND CommandLine = /\s(-s|\/s)\s/i)
  OR (ImageFileName = /wmic\.exe$/i AND CommandLine = /process call create/i AND
      ParentBaseFileName = /(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$/i)
| eval detection_type = case {
    ImageFileName = /psexec/i : "PsExec_Execution";
    ImageFileName = /wmic\.exe$/i : "WMI_Process_Create";
    ImageFileName = /sc\.exe$/i : "SC_Service_Abuse";
    * : "Service_Execution"
  }
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, detection_type
| sort by timestamp desc

high severity high confidence

Data Sources

CrowdStrike Falcon Process Events

Required Tables

ProcessRollup2

False Positives

Legitimate software installers (antivirus, monitoring agents, backup solutions) that register Windows services during installation
IT administrative tools (PsExec used by sysadmins for remote management, SCCM/Intune deploying service-based software)
Security software and EDR agents that create services for kernel drivers or protection modules
Legitimate automation frameworks (Ansible, Chef, Puppet) that deploy services as part of configuration management
Application deployment pipelines in CI/CD environments creating temporary services for testing

Service Execution

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections