Detect Service Execution in Google Chronicle
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services. Adversaries can create new services or modify existing ones to execute malicious binaries, scripts, or commands. Tools such as sc.exe, PsExec, and Net can be used locally or against remote targets. PsExec creates a temporary service (PSEXESVC) that executes the specified payload as SYSTEM. This technique is commonly used by ransomware families (NotPetya, Bad Rabbit, Ragnar Locker), APT groups (Chimera, APT39), and C2 frameworks (Cobalt Strike, Brute Ratel C4) for lateral movement, privilege escalation, and persistence.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1569 System Services
- Sub-technique: T1569.002 Service Execution
- Canonical reference: https://attack.mitre.org/techniques/T1569/002/
YARA-L Detection Query
rule service_execution_abuse {
  meta:
    author = "Detection Engineering"
    description = "Detects service execution abuse via sc.exe, PsExec, and WMI (T1569.002)"
    severity = "HIGH"
    tactic = "TA0002"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      // sc.exe create/config whose binPath points into Temp or AppData, or runs a script host
      (re.regex($e.target.process.file.full_path, `\\sc\.exe`) nocase and
       re.regex($e.target.process.command_line, `(create|config).*(\\Temp\\|cmd\.exe|powershell|\\AppData\\)`) nocase) or
      // PsExec client binary (32- or 64-bit)
      re.regex($e.target.process.file.full_path, `psexec(64)?\.exe`) nocase or
      // WMI process creation launched from a scripting host
      (re.regex($e.target.process.file.full_path, `wmic\.exe`) nocase and
       re.regex($e.target.process.command_line, `process call create`) nocase and
       re.regex($e.principal.process.file.full_path, `(cmd\.exe|powershell|wscript|cscript|mshta)`) nocase)
    )

  condition:
    $e
}
Chronicle YARA-L rule detecting service execution abuse patterns via sc.exe, PsExec, and WMI. Backslashes inside the backtick regex literals must be doubled (`\\sc\.exe`, `\\Temp\\`, `\\AppData\\`); a single `\s` would match whitespace rather than the path separator, and `\T`, `\A` and `\|` are not valid escapes.
False Positives & Tuning
- Legitimate software installers (antivirus, monitoring agents, backup solutions) that register Windows services during installation
- IT administrative tools (PsExec used by sysadmins for remote management, SCCM/Intune deploying service-based software)
- Security software and EDR agents that create services for kernel drivers or protection modules
- Legitimate automation frameworks (Ansible, Chef, Puppet) that deploy services as part of configuration management
- Application deployment pipelines in CI/CD environments creating temporary services for testing
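To exercise the rule logic offline, and to show how the false-positive classes above can be handled by a suppression layer rather than by weakening the rule, the following Python example ports the three branches of the YARA-L rule (with the corrected regex escapes) and runs them over constructed PROCESS_LAUNCH events. This is an added example, not Chronicle code and not part of the original page; the UDM-style field names mirror the rule, the events are made up to resemble the Atomic Red Team tests further down, and the allowlisted parent processes (msiexec.exe, ccmexec.exe) are assumptions standing in for whatever deployment tooling runs in a given estate.

```python
import re

# Python port of the three branches of the YARA-L rule above, using the
# corrected regex escapes (\\sc\.exe, \\Temp\\, \\AppData\\). Added example for
# offline testing of the detection logic; it is not Chronicle code and does not
# query Chronicle. Dictionary keys mirror the UDM paths the rule references.
SC_PATH = re.compile(r"\\sc\.exe", re.I)
SC_CMDLINE = re.compile(r"(create|config).*(\\Temp\\|cmd\.exe|powershell|\\AppData\\)", re.I)
PSEXEC_PATH = re.compile(r"psexec(64)?\.exe", re.I)
WMIC_PATH = re.compile(r"wmic\.exe", re.I)
WMIC_CMDLINE = re.compile(r"process call create", re.I)
SCRIPT_HOST_PARENT = re.compile(r"(cmd\.exe|powershell|wscript|cscript|mshta)", re.I)


def match_rule(event):
    """Return the rule branch an event matches ('sc', 'psexec', 'wmic') or None."""
    if event.get("metadata.event_type") != "PROCESS_LAUNCH":
        return None
    target = event.get("target.process.file.full_path", "")
    cmdline = event.get("target.process.command_line", "")
    parent = event.get("principal.process.file.full_path", "")
    if SC_PATH.search(target) and SC_CMDLINE.search(cmdline):
        return "sc"
    if PSEXEC_PATH.search(target):
        return "psexec"
    if WMIC_PATH.search(target) and WMIC_CMDLINE.search(cmdline) and SCRIPT_HOST_PARENT.search(parent):
        return "wmic"
    return None


# Tuning layer for the false-positive classes listed above: matches whose parent
# is known deployment tooling are suppressed instead of alerted. The two parent
# names are assumptions; replace them with the installers and management agents
# actually present in your environment.
ALLOWED_PARENT = re.compile(r"\\(msiexec|ccmexec)\.exe$", re.I)


def triage(event):
    """Return ('alert', branch), ('suppressed', branch) or None."""
    branch = match_rule(event)
    if branch is None:
        return None
    if ALLOWED_PARENT.search(event.get("principal.process.file.full_path", "")):
        return ("suppressed", branch)
    return ("alert", branch)


# Constructed PROCESS_LAUNCH events (not real telemetry) modelled on the Atomic
# Red Team tests below, plus benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {  # sc.exe create with a cmd.exe payload writing into Temp (Test 1)
        "metadata.event_type": "PROCESS_LAUNCH",
        "target.process.file.full_path": r"C:\Windows\System32\sc.exe",
        "target.process.command_line": r'sc.exe create ArgusTestSvc binPath= "cmd.exe /c echo ArgusTest > C:\Windows\Temp\argus_svc_test.txt"',
        "principal.process.file.full_path": r"C:\Windows\System32\cmd.exe",
    },
    {  # sc.exe query: no create/config verb, must not match
        "metadata.event_type": "PROCESS_LAUNCH",
        "target.process.file.full_path": r"C:\Windows\System32\sc.exe",
        "target.process.command_line": "sc.exe query ArgusTestSvc",
        "principal.process.file.full_path": r"C:\Windows\System32\cmd.exe",
    },
    {  # PsExec client launched from a user profile (Test 3)
        "metadata.event_type": "PROCESS_LAUNCH",
        "target.process.file.full_path": r"C:\Users\analyst\Downloads\PsExec64.exe",
        "target.process.command_line": "PsExec64.exe -s cmd.exe",
        "principal.process.file.full_path": r"C:\Windows\System32\cmd.exe",
    },
    {  # wmic process call create from explorer.exe: parent is not a script host
        "metadata.event_type": "PROCESS_LAUNCH",
        "target.process.file.full_path": r"C:\Windows\System32\wbem\WMIC.exe",
        "target.process.command_line": 'wmic process call create "notepad.exe"',
        "principal.process.file.full_path": r"C:\Windows\explorer.exe",
    },
    {  # wmic process call create from powershell.exe
        "metadata.event_type": "PROCESS_LAUNCH",
        "target.process.file.full_path": r"C:\Windows\System32\wbem\WMIC.exe",
        "target.process.command_line": 'wmic process call create "notepad.exe"',
        "principal.process.file.full_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {  # installer registering a service under AppData via msiexec: matched, then suppressed
        "metadata.event_type": "PROCESS_LAUNCH",
        "target.process.file.full_path": r"C:\Windows\System32\sc.exe",
        "target.process.command_line": r'sc.exe create VendorUpdater binPath= "C:\Users\admin\AppData\Local\Vendor\updater.exe"',
        "principal.process.file.full_path": r"C:\Windows\System32\msiexec.exe",
    },
]


def run_all(events=SAMPLE_EVENTS):
    """Triage every event; the returned list is aligned with the input."""
    return [triage(e) for e in events]


if __name__ == "__main__":
    for i, result in enumerate(run_all()):
        print(i, result)
```

Suppression is applied after matching so that suppressed events still exist as matches and can be counted; a sudden rise in suppressed hits from an allowlisted parent is itself worth a look, since installers and management agents are a common vehicle for the technique.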
Testing Methodology
Validate this detection against the 4 Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Service Creation and Execution via sc.exe with cmd.exe Payload
Expected signal: Windows System Event ID 7045: New service 'ArgusTestSvc' installed with ImagePath='cmd.exe /c echo ArgusTest > C:\Windows\Temp\argus_svc_test.txt'. Windows Security Event ID 4697: service installed. Sysmon Event ID 1: sc.exe process creation with full command line. Sysmon Event ID 11: file created at C:\Windows\Temp\argus_svc_test.txt by the service's cmd.exe child process.
- Test 2: Service Creation with PowerShell Payload in Temp Directory
Expected signal: Sysmon Event ID 11: file created at C:\Windows\Temp\argus_payload.ps1. Sysmon Event ID 1: sc.exe create with CommandLine containing 'powershell.exe' and 'C:\Windows\Temp'. Windows System Event ID 7045: new service with ImagePath in the temp directory. Windows Security Event ID 4697: service installed. Sysmon Event ID 1: powershell.exe launched by services.exe when sc start runs.
- Test 3: PsExec Local SYSTEM Execution via Service
Expected signal: Sysmon Event ID 1: PSEXESVC.exe process created by services.exe running as SYSTEM. Windows Security Event ID 4697: PSEXESVC service installed. Windows Security Event ID 4624: Logon Type 3 (network logon) if using PsExec against a remote target. Sysmon Event ID 11: file written to C:\Windows\Temp\argus_psexec_test.txt by the cmd.exe child of PSEXESVC.
- Test 4: Net Command Service Start for Execution
Expected signal: Sysmon Event ID 1: sc.exe creating ArgusNetSvc with a cmd.exe binpath. Sysmon Event ID 1: net.exe process creation with CommandLine 'net start ArgusNetSvc'. Windows System Event ID 7036: 'ArgusNetSvc service entered the running state'. Windows Security Event ID 4697: service installed. File creation event for the temp output file.
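The expected-signal lists above span three log sources that only make sense together once they are joined on the service name. The following Python example, added here and not part of the original page, correlates constructed Windows System (7045, 7036), Security (4697) and Sysmon (1) records per service, flags an ImagePath that hits the rule's payload patterns, and ties the services.exe child process back to the service that spawned it. Every record is constructed to resemble Tests 1 and 4 plus one benign vendor install; none is real telemetry, and the record layout (a flat dict with an `event_id` and a few named fields) is an assumption rather than any product's export format.

```python
import re
from collections import defaultdict

# Correlates the telemetry the tests above expect (System 7045, Security 4697,
# Sysmon 1, System 7036) by service name so the expected-signal lists can be
# checked mechanically. Added example, not part of the original page; the
# records are constructed to resemble Tests 1 and 4 plus one benign install.
SUSPICIOUS_IMAGE = re.compile(r"(\\Temp\\|cmd\.exe|powershell|\\AppData\\)", re.I)
NET_START = re.compile(r"^net(?:\.exe)?\s+start\s+(\S+)", re.I)

RECORDS = [
    {"channel": "System", "event_id": 7045, "ServiceName": "ArgusTestSvc",
     "ImagePath": r"cmd.exe /c echo ArgusTest > C:\Windows\Temp\argus_svc_test.txt"},
    {"channel": "Security", "event_id": 4697, "ServiceName": "ArgusTestSvc",
     "ServiceFileName": r"cmd.exe /c echo ArgusTest > C:\Windows\Temp\argus_svc_test.txt"},
    {"channel": "Sysmon", "event_id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"cmd.exe /c echo ArgusTest > C:\Windows\Temp\argus_svc_test.txt"},
    {"channel": "Sysmon", "event_id": 1, "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "net start ArgusNetSvc"},
    {"channel": "System", "event_id": 7045, "ServiceName": "ArgusNetSvc",
     "ImagePath": r"cmd.exe /c echo ArgusNet > C:\Windows\Temp\argus_net_test.txt"},
    {"channel": "System", "event_id": 7036, "ServiceName": "ArgusNetSvc", "State": "running"},
    # Benign look-alike: a vendor agent installed under Program Files (constructed).
    {"channel": "System", "event_id": 7045, "ServiceName": "VendorMonitor",
     "ImagePath": r"C:\Program Files\Vendor\monitor.exe"},
    {"channel": "Sysmon", "event_id": 1, "Image": r"C:\Program Files\Vendor\monitor.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"C:\Program Files\Vendor\monitor.exe"'},
]


def _norm(cmd):
    """Normalise a command line for comparison: drop quotes, trim, lowercase."""
    return cmd.replace('"', "").strip().lower()


def new_service():
    return {"install_events": [], "image_path": "", "suspicious_image": False,
            "start_signals": [], "spawned": []}


def correlate(records):
    """Group install, start and child-process signals by service name."""
    services = defaultdict(new_service)
    for r in records:
        eid = r["event_id"]
        if eid in (7045, 4697):
            svc = services[r["ServiceName"]]
            svc["install_events"].append(f'{r["channel"]}:{eid}')
            image = r.get("ImagePath") or r.get("ServiceFileName", "")
            svc["image_path"] = svc["image_path"] or image
            svc["suspicious_image"] = bool(SUSPICIOUS_IMAGE.search(svc["image_path"]))
        elif eid == 7036:
            services[r["ServiceName"]]["start_signals"].append("System:7036")
        elif eid == 1:
            m = NET_START.match(r["CommandLine"])
            if m:
                services[m.group(1)]["start_signals"].append("Sysmon:1 net start")
    # A child of services.exe whose command line equals a registered ImagePath
    # is the service body actually running.
    for r in records:
        if r["event_id"] != 1 or not r["ParentImage"].lower().endswith("\\services.exe"):
            continue
        for svc in services.values():
            if svc["image_path"] and _norm(svc["image_path"]) == _norm(r["CommandLine"]):
                svc["spawned"].append(r["Image"])
    return dict(services)


def verdicts(records):
    """'investigate' when the ImagePath hits the payload patterns, else 'benign-looking'."""
    return {name: ("investigate" if svc["suspicious_image"] else "benign-looking")
            for name, svc in correlate(records).items()}


if __name__ == "__main__":
    for name, svc in correlate(RECORDS).items():
        print(name, verdicts(RECORDS)[name], svc)
```

Joining on the service name is what makes a 7045 without a matching Sysmon child (or a services.exe child with no 7045) stand out when a test runs: either gap means one of the log sources in the expected-signal list is not reaching the SIEM.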
References
- https://attack.mitre.org/techniques/T1569/002/
- https://docs.microsoft.com/windows/win32/services/service-control-manager
- https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md
- https://www.trellix.com/en-us/about/newsroom/stories/research/darkgate-opens-organizations-to-attack.html
- https://www.talos-intelligence.com/blog/nyetya-potentially-devastating-wiper-masquerading-ransomware
- https://www.sophos.com/en-us/threat-center/threat-analyses/active-adversary-playbook-2021
- https://research.nccgroup.com/2021/01/12/abused-legitimate-remote-administration-tools-in-targeted-intrusions/
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_service_installation.yml
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table