T1569 Google Chronicle · YARA-L

Detect System Services in Google Chronicle

This detection identifies adversaries abusing Windows services, Linux systemd units, and macOS launchd daemons to execute malicious code. Attackers commonly leverage sc.exe, net start, PsExec, systemctl, and launchctl to create or start services that run attacker-controlled binaries. Indicators include services with suspicious binary paths (temp directories, user profile paths, UNC paths), service names mimicking legitimate system services, new service installations from unusual parent processes (cmd.exe, powershell.exe, wscript.exe), and service creations from non-standard accounts. This technique is frequently chained with lateral movement and persistence techniques to achieve remote code execution or maintain footholds across reboots.

MITRE ATT&CK

Tactic: Execution
Technique: T1569 System Services
Canonical reference: https://attack.mitre.org/techniques/T1569/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule T1569_System_Services_Abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects adversary abuse of system service mechanisms including suspicious service installations, sc.exe manipulation from scripting parents, and PsExec-style remote service creation. Covers Windows Event 7045/4697, Sysmon process events for sc.exe/net.exe, and lateral movement tools."
    mitre_attack_tactic = "Execution, Persistence, Lateral Movement"
    mitre_attack_technique = "T1569"
    severity = "HIGH"
    priority = "HIGH"

  events:
    // The three patterns are alternatives, not a correlation, so one event variable ($e)
    // is used for all of them: YARA-L does not accept "or" between different event
    // variables, and a single-event rule needs no cross-event join. Keywords are lowercase.
    (
      // Pattern 1: new service installation with a suspicious image path.
      // Event 7045 is logged by the Service Control Manager (System log); 4697 is a
      // Security-Auditing event, so the product_name filter applies only to 4697.
      $e.metadata.event_type = "GENERIC_EVENT" and
      (
        $e.metadata.product_log_id = "7045" or
        (
          $e.metadata.product_name = "Microsoft-Windows-Security-Auditing" and
          $e.metadata.product_log_id = "4697"
        )
      ) and
      (
        // user-writable directories, UNC paths to an IP, or a LOLBin registered as the service image
        re.regex($e.target.process.file.full_path, `(?i)\\(Temp|Users|AppData|Downloads|Public|ProgramData)\\`) or
        re.regex($e.target.process.file.full_path, `^\\\\[0-9]{1,3}\.[0-9]{1,3}\.`) or
        re.regex($e.target.process.file.full_path, `(?i)(certutil|bitsadmin|mshta|regsvr32|rundll32|wmic)\.exe`)
      )
    )
    or
    (
      // Pattern 2: sc.exe or net.exe service manipulation from a suspicious parent process
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.target.process.file.full_path, `(?i)\\(sc|net|net1)\.exe$`) and
      re.regex($e.target.process.command_line, `(?i)(create|start|config|binpath)`) and
      (
        re.regex($e.principal.process.file.full_path, `(?i)\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|msiexec)\.exe$`) or
        re.regex($e.target.process.command_line, `(?i)binpath\s*=\s*[^"]*\\(Temp|AppData|Downloads|Public|Users)\\`) or
        re.regex($e.target.process.command_line, `(?i)(cmd\.exe /c|powershell)`)
      )
    )
    or
    (
      // Pattern 3: PsExec-style lateral movement tools spawning service-related processes
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.principal.process.file.full_path, `(?i)\\(psexec|psexec64|paexec|remcom|csexec)\.exe$`)
    )
    // Bind the host so detections group per endpoint in the match window
    $e.principal.hostname = $hostname

  match:
    // Window length is a tuning choice; 5m groups a burst of service activity on one host
    $hostname over 5m

  condition:
    $e
}
Severity: High · Confidence: High

Chronicle YARA-L 2.0 rule detecting system service abuse across three primary patterns: (1) new service installations via Windows Event 7045/4697 with suspicious binary paths (temp directories, UNC paths, LOLBin executables), (2) sc.exe or net.exe invoked with service creation/modification arguments from known scripting engine parent processes, and (3) PsExec-style remote execution tools used to create or start services for lateral movement or execution.
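To see what each of the three patterns does and does not fire on before deploying the rule, here is an added Python harness (not part of the page or the Argus rule) that re-implements the rule's regexes over flattened UDM-style events. It ignores the product_name filter and the per-host match window, and the sample events are constructed, not real telemetry.

```python
import re

# Regexes copied from the YARA-L rule; re.search is unanchored, like YARA-L's re.regex()
SUSPICIOUS_PATH = re.compile(r"(?i)\\(Temp|Users|AppData|Downloads|Public|ProgramData)\\")
UNC_IP_PATH = re.compile(r"^\\\\[0-9]{1,3}\.[0-9]{1,3}\.")
LOLBIN_IMAGE = re.compile(r"(?i)(certutil|bitsadmin|mshta|regsvr32|rundll32|wmic)\.exe")
SC_OR_NET = re.compile(r"(?i)\\(sc|net|net1)\.exe$")
SERVICE_VERB = re.compile(r"(?i)(create|start|config|binpath)")
SCRIPTING_PARENT = re.compile(r"(?i)\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|msiexec)\.exe$")
BINPATH_IN_USER_DIR = re.compile(r'(?i)binpath\s*=\s*[^"]*\\(Temp|AppData|Downloads|Public|Users)\\')
INLINE_SHELL = re.compile(r"(?i)(cmd\.exe /c|powershell)")
PSEXEC_FAMILY = re.compile(r"(?i)\\(psexec|psexec64|paexec|remcom|csexec)\.exe$")


def classify(event):
    """Return the first rule pattern a flattened UDM event satisfies, or None if it is clean."""
    etype = event.get("metadata.event_type")
    target = event.get("target.process.file.full_path", "")
    cmdline = event.get("target.process.command_line", "")
    parent = event.get("principal.process.file.full_path", "")
    # Pattern 1: service install (7045/4697) whose image path is user-writable, UNC-to-IP or a LOLBin
    if etype == "GENERIC_EVENT" and event.get("metadata.product_log_id") in ("7045", "4697"):
        if SUSPICIOUS_PATH.search(target) or UNC_IP_PATH.search(target) or LOLBIN_IMAGE.search(target):
            return "pattern1_suspicious_service_install"
    if etype == "PROCESS_LAUNCH":
        # Pattern 2: sc/net with a service verb, from a scripting parent or with a suspicious binpath
        if SC_OR_NET.search(target) and SERVICE_VERB.search(cmdline) and (
            SCRIPTING_PARENT.search(parent) or BINPATH_IN_USER_DIR.search(cmdline) or INLINE_SHELL.search(cmdline)
        ):
            return "pattern2_sc_net_service_manipulation"
        # Pattern 3: any process spawned by a PsExec-style tool
        if PSEXEC_FAMILY.search(parent):
            return "pattern3_psexec_style_parent"
    return None


# Constructed sample events (not real telemetry), modelled on the Atomic tests listed on this page
SAMPLE_EVENTS = [
    {"metadata.event_type": "GENERIC_EVENT", "metadata.product_log_id": "7045",
     "target.process.file.full_path": r"C:\Users\Public\AtomicTestSvc.exe"},
    {"metadata.event_type": "PROCESS_LAUNCH", "target.process.file.full_path": r"C:\Windows\System32\sc.exe",
     "target.process.command_line": r"sc.exe create AtomicTestSvc binpath= C:\Windows\Temp\atomic.exe",
     "principal.process.file.full_path": r"C:\Windows\System32\cmd.exe"},
    {"metadata.event_type": "PROCESS_LAUNCH", "target.process.file.full_path": r"C:\Windows\System32\cmd.exe",
     "target.process.command_line": "cmd.exe /c hostname", "principal.process.file.full_path": r"C:\Tools\PsExec64.exe"},
    {"metadata.event_type": "GENERIC_EVENT", "metadata.product_log_id": "7045",  # benign vendor service install
     "target.process.file.full_path": r"C:\Program Files\Vendor\VendorSvc.exe"},
    {"metadata.event_type": "PROCESS_LAUNCH", "target.process.file.full_path": r"C:\Windows\System32\sc.exe",  # benign query
     "target.process.command_line": "sc.exe query wuauserv", "principal.process.file.full_path": r"C:\Windows\System32\services.exe"},
]


def run_samples():
    return [classify(e) for e in SAMPLE_EVENTS]
```

The first three samples trip one pattern each; the two benign ones fall through, which is the behaviour to confirm again after any tuning of the path or parent lists.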

Data Sources

  • Windows Event Log (System, Security)
  • Sysmon Process Create
  • CrowdStrike Falcon
  • Carbon Black

Required Tables

  • GENERIC_EVENT
  • PROCESS_LAUNCH

False Positives & Tuning

  • Enterprise software deployment systems (e.g., Microsoft Endpoint Configuration Manager) that stage service binaries in temp or ProgramData before moving them, triggering the suspicious path heuristic.
  • Authorized use of PsExec or PAExec by IT operations teams performing remote maintenance — establish an allowlist of source hosts and accounts for approved usage.
  • Security scanning tools (Tenable Nessus, Qualys, Rapid7) that enumerate or interact with services as part of credentialed vulnerability assessment scans.
  • Software update mechanisms that temporarily use LOLBins like certutil to verify binary integrity before registering updated service binaries.

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Create and Execute Malicious Service via sc.exe

    Expected signal: SecurityEvent 7045 with ServiceName=AtomicTestSvc and ImagePath containing Temp directory; DeviceProcessEvents showing sc.exe with 'create' and 'binpath' in command line; parent process cmd.exe or PowerShell

  2. Test 2: Remote Service Execution via PsExec Simulation

    Expected signal: SecurityEvent 7045 on target host showing UNC path in ImagePath; Sysmon EventCode 3 (network) showing SMB connection to remote host; sc.exe process creation with remote hostname argument

  3. Test 3: Linux Malicious Systemd Service Creation

    Expected signal: Syslog or auditd entries showing systemctl execution; file creation event for /etc/systemd/system/atomic-test.service; bash process spawned by systemd with UID=0 executing id command

  4. Test 4: Service Creation via PowerShell New-Service Cmdlet

    Expected signal: SecurityEvent 7045 with ServiceName=PSAtomicTestSvc and ImagePath in %TEMP%; PowerShell ScriptBlock log EventID 4104 showing New-Service cmdlet; DeviceProcessEvents showing powershell.exe as initiating process for service creation API calls
