T1569 CrowdStrike LogScale · LogScale

Detect System Services in CrowdStrike LogScale

This detection identifies adversaries abusing Windows services, Linux systemd units, and macOS launchd daemons to execute malicious code. Attackers commonly leverage sc.exe, net start, PsExec, systemctl, and launchctl to create or start services that run attacker-controlled binaries. Indicators include services with suspicious binary paths (temp directories, user profile paths, UNC paths), service names mimicking legitimate system services, new service installations from unusual parent processes (cmd.exe, powershell.exe, wscript.exe), and service creations from non-standard accounts. This technique is frequently chained with lateral movement and persistence techniques to achieve remote code execution or maintain footholds across reboots.

MITRE ATT&CK

Tactic: Execution
Technique: T1569 System Services
Canonical reference: https://attack.mitre.org/techniques/T1569/

LogScale Detection Query

// Detection 1: Service installation with suspicious binary path (Windows Event 7045/4697 equivalent via Falcon)
#event_simpleName=ServiceInstall
| ServiceImagePath = /\\(Temp|Users|AppData|Downloads|Public|ProgramData)\\/i
  OR ServiceImagePath = /^\\\\[0-9]{1,3}\.[0-9]{1,3}\./
  OR ServiceImagePath = /(certutil|bitsadmin|mshta|regsvr32|rundll32|wmic)\.exe/i
// Weight each indicator so the highest-fidelity signals sort to the top
| suspicious_path := if(ServiceImagePath = /\\(Temp|Users|AppData|Downloads|Public|ProgramData)\\/i, then=40, else=0)
| unc_path := if(ServiceImagePath = /^\\\\[0-9]/, then=50, else=0)
| lolbin_svc := if(ServiceImagePath = /(certutil|bitsadmin|mshta|regsvr32|rundll32|wmic)/i, then=60, else=0)
| eval(risk_score = suspicious_path + unc_path + lolbin_svc)
| table([timestamp, ComputerName, UserName, ServiceName, ServiceImagePath, ServiceType, risk_score])
| sort(field=risk_score, order=desc)

// Detection 2: sc.exe/net.exe service manipulation from suspicious parent processes
// Run as separate query:
// #event_simpleName=ProcessRollup2
// | in(field=FileName, values=["sc.exe", "net.exe", "net1.exe"], ignoreCase=true)
// | CommandLine = /(create|start|config|binpath)/i
// | suspicious_parent := if(ParentBaseFileName = /(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msiexec\.exe)/i, then=1, else=0)
// | suspicious_binpath := if(CommandLine = /binpath\s*=\s*[^"]*\\(temp|appdata|downloads|public|users)\\/i, then=1, else=0)
// | suspicious_parent=1 OR suspicious_binpath=1
// | eval(risk_score = (suspicious_parent*30)+(suspicious_binpath*40))
// | groupBy([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName], function=[max(risk_score, as=risk_score)])
// | sort(field=risk_score, order=desc)

// Detection 3: PsExec-style lateral movement tools
// Run as separate query:
// #event_simpleName=ProcessRollup2
// | in(field=FileName, values=["psexec.exe", "psexec64.exe", "paexec.exe", "remcom.exe", "csexec.exe"], ignoreCase=true)
// | risk_score := 80
// | groupBy([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName], function=[count(), max(risk_score, as=risk_score)])
// | sort(field=risk_score, order=desc)
Severity: high · Confidence: high

Detects Windows service abuse using CrowdStrike LogScale (CQL) across three patterns: (1) ServiceInstall events with suspicious binary paths including temp directories, user profile paths, UNC paths, and LOLBin executables — with risk scoring to prioritize highest-fidelity signals; (2) sc.exe/net.exe invoked with service creation or modification arguments from scripting engine parent processes via ProcessRollup2; and (3) PsExec-style remote execution tools (psexec.exe, paexec.exe, remcom.exe) that are commonly used to create services for lateral movement.

Data Sources

  • CrowdStrike Falcon EDR
  • Falcon Process Telemetry
  • Falcon Service Telemetry

Required Tables

  • ServiceInstall
  • ProcessRollup2

False Positives & Tuning

  • Legitimate system management tools installed by IT operations that register services with binaries in ProgramData or user-accessible paths as part of their normal deployment workflow.
  • Software packaging and testing pipelines on developer or build systems where services are programmatically installed pointing to temp or build output directories.
  • Approved use of PsExec or PAExec by IT administrators for remote task execution — suppress by creating an allowlist based on source username, source hostname, and target hostname for authorized usage.
  • Antivirus or EDR updates that temporarily install kernel drivers or service components into non-standard paths and move them during the update cycle.
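The allowlist suppression described in the PsExec bullet, as an added tuning example that is not part of the original detection package. It wraps Detection 3 and assumes that PsExec-style tools pass the target as \\HOST in CommandLine; the approved user|source host|target host tuples are constructed placeholders to be replaced with your own.

```cql
// Added tuning example (not part of the original detection): Detection 3 with
// the approved-usage allowlist keyed on source user, source host and target host.
#event_simpleName=ProcessRollup2
| in(field=FileName, values=["psexec.exe", "psexec64.exe", "paexec.exe", "remcom.exe", "csexec.exe"], ignoreCase=true)
// Pull the remote target (\\HOST) out of the command line; strict=false keeps
// events that carry no UNC argument so they are not silently dropped
| regex("\\\\\\\\(?<TargetHost>[\\w.-]+)", field=CommandLine, strict=false)
| default(field=TargetHost, value="unknown")
// Build one key per event so the allowlist is matched as a tuple, not per field
| allow_key := format("%s|%s|%s", field=[UserName, ComputerName, TargetHost])
// Constructed placeholder tuples: user|source host|target host
| !in(field=allow_key, values=["svc_itops|JUMP01|FILESRV02", "jdoe.adm|JUMP01|DC01"], ignoreCase=true)
| risk_score := 80
| groupBy([ComputerName, UserName, TargetHost, FileName, CommandLine, ParentBaseFileName], function=[count(), max(risk_score, as=risk_score)])
| sort(field=risk_score, order=desc)
```

Events whose key matches an allowlisted tuple are filtered out before aggregation; everything else, including runs with no resolvable target, is still reported.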
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create and Execute Malicious Service via sc.exe

    Expected signal: SecurityEvent 7045 with ServiceName=AtomicTestSvc and ImagePath containing Temp directory; DeviceProcessEvents showing sc.exe with 'create' and 'binpath' in command line; parent process cmd.exe or PowerShell

  2. Test 2: Remote Service Execution via PsExec Simulation

    Expected signal: SecurityEvent 7045 on target host showing UNC path in ImagePath; Sysmon EventCode 3 (network) showing SMB connection to remote host; sc.exe process creation with remote hostname argument

  3. Test 3: Linux Malicious Systemd Service Creation

    Expected signal: Syslog or auditd entries showing systemctl execution; file creation event for /etc/systemd/system/atomic-test.service; bash process spawned by systemd with UID=0 executing id command

  4. Test 4: Service Creation via PowerShell New-Service Cmdlet

    Expected signal: SecurityEvent 7045 with ServiceName=PSAtomicTestSvc and ImagePath in %TEMP%; PowerShell ScriptBlock log EventID 4104 showing New-Service cmdlet; DeviceProcessEvents showing powershell.exe as initiating process for service creation API calls
