Detect System Services in Elastic Security
This detection identifies adversaries abusing Windows services, Linux systemd units, and macOS launchd daemons to execute malicious code. Attackers commonly leverage sc.exe, net start, PsExec, systemctl, and launchctl to create or start services that run attacker-controlled binaries. Indicators include services with suspicious binary paths (temp directories, user profile paths, UNC paths), service names mimicking legitimate system services, new service installations from unusual parent processes (cmd.exe, powershell.exe, wscript.exe), and service creations from non-standard accounts. This technique is frequently chained with lateral movement and persistence techniques to achieve remote code execution or maintain footholds across reboots.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1569 System Services
- Canonical reference: https://attack.mitre.org/techniques/T1569/
Elastic Detection Query
    sequence by host.name with maxspan=5m
      [
        any where event.category == "process" and
        process.name in~ ("sc.exe", "net.exe", "net1.exe") and
        (
          process.args : ("create", "start", "config", "binpath") and
          (
            process.parent.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe") or
            process.command_line : ("*binpath*\\Temp\\*", "*binpath*\\AppData\\*", "*binpath*\\Downloads\\*", "*binpath*\\Public\\*", "*binpath*\\Users\\*", "*cmd.exe /c*", "*powershell*")
          )
        )
      ] by process.pid
    OR
    sequence by host.name with maxspan=2m
      [
        any where event.category == "process" and
        process.name in~ ("psexec.exe", "psexec64.exe", "paexec.exe", "remcom.exe", "csexec.exe")
      ] by process.pid
      [
        any where event.category == "process" and
        process.name == "services.exe"
      ] by process.parent.pid
    OR
    any where event.category == "file" and event.action == "creation" and
      (
        file.path : ("*\\Temp\\*.exe", "*\\Temp\\*.dll", "*\\Users\\*\\AppData\\*.exe", "*\\Downloads\\*.exe", "*\\Public\\*.exe")
      ) and
      process.name in~ ("services.exe", "sc.exe", "svchost.exe")

Detects adversaries abusing Windows service creation and manipulation via suspicious binary paths, LOLBin service registrations, PsExec-style remote service creation, and service binaries dropped into temp or user-writable directories. Covers sc.exe/net.exe launched from scripting engines, PsExec chaining into services.exe, and new service executables written to suspicious filesystem locations. Note that EQL does not accept a top-level OR joining separate sequence and event queries, so the three blocks separated by OR above are deployed as three independent rules; the in~ and : operators are case-insensitive, and : applied to the process.args array matches when any element matches.
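To see what the first block actually fires on, the following Python is an added example (not part of the Elastic rule or this page) that re-implements that block's where clause over constructed ECS-style process events; the host names, PIDs, paths and the helper names _ci_glob, matches_service_abuse, find_alerts and _proc are all assumptions made for the demonstration.

```python
from fnmatch import fnmatchcase
# Lists copied from the first EQL block; lower-cased because EQL's in~ and : are case-insensitive.
SERVICE_TOOLS = {"sc.exe", "net.exe", "net1.exe"}
SERVICE_VERBS = {"create", "start", "config", "binpath"}
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe"}
SUSPICIOUS_CMDLINE = ("*binpath*\\Temp\\*", "*binpath*\\AppData\\*", "*binpath*\\Downloads\\*",
                      "*binpath*\\Public\\*", "*binpath*\\Users\\*", "*cmd.exe /c*", "*powershell*")

def _ci_glob(value, patterns):
    """EQL ':' semantics: case-insensitive wildcard match against any listed pattern."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

def matches_service_abuse(event):
    """True when one ECS-style process event satisfies the first block's where clause."""
    if event.get("event.category") != "process":
        return False
    if event.get("process.name", "").lower() not in SERVICE_TOOLS:
        return False
    # process.args : (...) is true if any element of the args array equals a verb.
    if not {a.lower() for a in event.get("process.args", [])} & SERVICE_VERBS:
        return False
    parent_hit = event.get("process.parent.name", "").lower() in SCRIPT_PARENTS
    cmdline_hit = _ci_glob(event.get("process.command_line", ""), SUSPICIOUS_CMDLINE)
    return parent_hit or cmdline_hit

def find_alerts(events):
    """Return (host, pid, reason) for every event the rule would fire on."""
    alerts = []
    for e in events:
        if matches_service_abuse(e):
            reason = "script-parent" if e["process.parent.name"].lower() in SCRIPT_PARENTS else "binpath"
            alerts.append((e["host.name"], e["process.pid"], reason))
    return alerts

def _proc(host, pid, name, parent, args):
    """Build a constructed ECS-style process event (sample data, not real telemetry)."""
    return {"event.category": "process", "host.name": host, "process.pid": pid, "process.name": name,
            "process.parent.name": parent, "process.args": args, "process.command_line": " ".join(args)}

# Constructed samples: Test 1's Atomic-style service, a user-profile binPath from a non-script parent, a benign installer.
SAMPLE_EVENTS = [
    _proc("ws01", 4120, "sc.exe", "cmd.exe",
          ["sc.exe", "create", "AtomicTestSvc", "binPath=", "C:\\Windows\\Temp\\svc.exe"]),
    _proc("ws01", 4188, "SC.EXE", "explorer.exe",
          ["SC.EXE", "config", "Spooler", "binPath=", "C:\\Users\\bob\\AppData\\Local\\x.exe"]),
    _proc("ws02", 902, "sc.exe", "setup.exe",
          ["sc.exe", "create", "VendorSvc", "binPath=", "C:\\Program Files\\Vendor\\svc.exe"]),
]
```

The first two samples fire (scripting parent, then a user-profile binPath from explorer.exe), while the vendor installer writing to Program Files does not, which is the tuning boundary the False Positives section describes.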
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software installers that use sc.exe from cmd.exe or PowerShell during installation pipelines (e.g., NSIS, Inno Setup, WiX toolchain installers).
- IT automation tools such as Ansible, Chef, or Puppet that invoke sc.exe or net.exe via cmd.exe wrappers to manage services during provisioning.
- Remote management agents (e.g., ConnectWise, Kaseya, Datto RMM) that create or modify services from AppData or ProgramData paths as part of their normal update mechanisms.
- Security software (EDR, AV) that installs kernel drivers or service components into non-standard paths during updates.
- PsExec used legitimately by sysadmins for remote task execution in environments where it is an approved tool.
Other platforms for T1569
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create and Execute Malicious Service via sc.exe
  Expected signal: SecurityEvent 7045 with ServiceName=AtomicTestSvc and ImagePath containing Temp directory; DeviceProcessEvents showing sc.exe with 'create' and 'binpath' in command line; parent process cmd.exe or PowerShell
- Test 2: Remote Service Execution via PsExec Simulation
  Expected signal: SecurityEvent 7045 on target host showing UNC path in ImagePath; Sysmon EventCode 3 (network) showing SMB connection to remote host; sc.exe process creation with remote hostname argument
- Test 3: Linux Malicious Systemd Service Creation
  Expected signal: Syslog or auditd entries showing systemctl execution; file creation event for /etc/systemd/system/atomic-test.service; bash process spawned by systemd with UID=0 executing id command
- Test 4: Service Creation via PowerShell New-Service Cmdlet
  Expected signal: SecurityEvent 7045 with ServiceName=PSAtomicTestSvc and ImagePath in %TEMP%; PowerShell ScriptBlock log EventID 4104 showing New-Service cmdlet; DeviceProcessEvents showing powershell.exe as initiating process for service creation API calls
References (9)
- https://attack.mitre.org/techniques/T1569/
- https://attack.mitre.org/techniques/T1569/001/
- https://attack.mitre.org/techniques/T1569/002/
- https://attack.mitre.org/techniques/T1569/003/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-7045
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md
- https://www.cybereason.com/blog/research/cybereason-vs-darkside-ransomware
- https://www.crowdstrike.com/blog/wizard-spider-adversary-update/