T1569 IBM QRadar · QRadar

Detect System Services in IBM QRadar

This detection identifies adversaries abusing Windows services, Linux systemd units, and macOS launchd daemons to execute malicious code. Attackers commonly leverage sc.exe, net start, PsExec, systemctl, and launchctl to create or start services that run attacker-controlled binaries. Indicators include services with suspicious binary paths (temp directories, user profile paths, UNC paths), service names mimicking legitimate system services, new service installations from unusual parent processes (cmd.exe, powershell.exe, wscript.exe), and service creations from non-standard accounts. This technique is frequently chained with lateral movement and persistence techniques to achieve remote code execution or maintain footholds across reboots.

MITRE ATT&CK

Tactic: Execution
Technique: T1569 System Services
Canonical reference: https://attack.mitre.org/techniques/T1569/

QRadar Detection Query

IBM QRadar (QRadar)
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  QIDNAME(qid) AS event_name,
  username AS account_name,
  sourceip AS source_ip,
  "hostname" AS host_name,  -- custom event property; not a native events column
  CATEGORYNAME(category) AS event_category,
  "ServiceName" AS service_name,
  "ImagePath" AS image_path,
  "ServiceAccount" AS service_account,
  -- Additive risk score; note that MATCHES must match the entire field value
  CASE
    WHEN LOWER("ImagePath") MATCHES '.*\\\\(temp|users|appdata|downloads|public|programdata)\\\\.*' THEN 40
    ELSE 0
  END +
  CASE
    WHEN "ImagePath" MATCHES '^\\\\\\\\[0-9]{1,3}\\..*' THEN 50
    ELSE 0
  END +
  CASE
    WHEN LOWER("ImagePath") MATCHES '.*(certutil|bitsadmin|mshta|regsvr32|rundll32|wmic).*' THEN 60
    ELSE 0
  END AS risk_score
FROM events
WHERE
  (
    devicetype IN (12, 13, 14, 15)  -- Windows Security/System event log source types
    AND (
      qid = 5000700  -- Service Control Manager 7045 new service installed
      OR qid = 5000100  -- Security event 4697 service installed
    ) AND (
      LOWER("ImagePath") MATCHES '.*\\\\(temp|users|appdata|downloads|public|programdata)\\\\.*'
      OR "ImagePath" MATCHES '^\\\\\\\\[0-9]{1,3}\\..*'
      OR LOWER("ImagePath") MATCHES '.*(certutil|bitsadmin|mshta|regsvr32|rundll32|wmic).*'
    )
  )
  OR (
    LOWER("CommandLine") MATCHES '.*(sc\.exe|net\.exe|net1\.exe).*(create|start|config|binpath).*'
    AND (
      LOWER("ParentProcessPath") MATCHES '.*(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msiexec\.exe).*'
      OR LOWER("CommandLine") MATCHES '.*binpath.*(temp|appdata|downloads|public|users).*'
    )
  )
  OR (
    LOWER("ProcessPath") MATCHES '.*(psexec\.exe|psexec64\.exe|paexec\.exe|remcom\.exe|csexec\.exe).*'
  )
ORDER BY risk_score DESC, starttime DESC
LAST 24 HOURS

Severity: High, Confidence: Medium

Detects system service abuse via IBM QRadar AQL by querying Windows Security and System event logs for new service installations (Event IDs 7045/4697) with suspicious binary paths, UNC paths, or LOLBin executables as the service image. Also identifies sc.exe/net.exe service manipulation launched from scripting engine parents, and PsExec-style remote service creation tools. Risk scoring prioritizes UNC path and LOLBin-based service registrations.
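As an added example (not code from the page or from IBM), the risk-scoring and filtering logic of the query above re-implemented in Python over constructed 7045/4697 events, so the regexes can be checked offline before deployment. It assumes the QID-to-event mapping and custom property names the query uses, and that AQL MATCHES is a whole-string match, which is why the UNC pattern carries a trailing .*.

```python
import re

# AQL MATCHES must match the entire field value (Java String.matches), which is
# exactly Python's re.fullmatch, so the query's patterns carry over unchanged.
STAGING_DIR = re.compile(r".*\\(temp|users|appdata|downloads|public|programdata)\\.*", re.I)
UNC_IP_PATH = re.compile(r"\\\\[0-9]{1,3}\..*")  # \\<ip>\share\... ; trailing .* needed to full-match
LOLBIN = re.compile(r".*(certutil|bitsadmin|mshta|regsvr32|rundll32|wmic).*", re.I)

# QIDs the query treats as service-install events (values taken from the page).
SERVICE_INSTALL_QIDS = {5000700: "System 7045", 5000100: "Security 4697"}


def risk_score(image_path):
    """Additive score mirroring the three CASE branches of the AQL query."""
    score = 0
    if STAGING_DIR.fullmatch(image_path):
        score += 40  # binary staged under a user/temp/public directory
    if UNC_IP_PATH.fullmatch(image_path):
        score += 50  # service binary on a share addressed by IP (PsExec-style)
    if LOLBIN.fullmatch(image_path):
        score += 60  # LOLBin used as the service image
    return score


def triage(events):
    """Scored service-install events, highest risk first (ORDER BY risk_score DESC)."""
    hits = []
    for ev in events:
        if ev["qid"] not in SERVICE_INSTALL_QIDS or not ev.get("ImagePath"):
            continue  # not a 7045/4697 event: falls outside the WHERE clause
        score = risk_score(ev["ImagePath"])
        if score:
            hits.append({"event": SERVICE_INSTALL_QIDS[ev["qid"]], "service_name": ev["ServiceName"],
                         "image_path": ev["ImagePath"], "risk_score": score})
    return sorted(hits, key=lambda h: h["risk_score"], reverse=True)


# Constructed sample events (not real telemetry) carrying the custom properties the query reads.
SAMPLE_EVENTS = [
    {"qid": 5000700, "ServiceName": "AtomicTestSvc", "ImagePath": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"qid": 5000700, "ServiceName": "PSEXESVC", "ImagePath": r"\\10.0.0.5\ADMIN$\PSEXESVC.exe"},
    {"qid": 5000100, "ServiceName": "WinUpdateSvc",
     "ImagePath": r"C:\Windows\System32\rundll32.exe C:\ProgramData\upd.dll,Run"},
    {"qid": 5000700, "ServiceName": "VendorAgent", "ImagePath": r"C:\Program Files\Vendor\agent.exe"},
    {"qid": 5000001, "ServiceName": "n/a", "ImagePath": r"C:\Temp\x.exe"},  # constructed non-service QID
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f'{hit["risk_score"]:>3}  {hit["event"]:<14}{hit["service_name"]:<14}{hit["image_path"]}')
```

The benign vendor path and the non-service QID drop out entirely, which is the behaviour to confirm when tuning the staging-directory list.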

Data Sources

  • Windows Security Event Log
  • Windows System Event Log
  • Sysmon Process Create Events

Required Tables

events

False Positives & Tuning

  • Legitimate enterprise software deployments that install services with binaries staged in user or temp directories before moving them to program directories.
  • Vulnerability scanning tools or patch management systems that enumerate or restart services using sc.exe from automated scripting contexts.
  • Software development workflows on developer workstations where test services are registered pointing to build output directories under user profiles.
  • Remote administration via PSExec in environments where it is explicitly sanctioned and documented as an approved remote management method.

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create and Execute Malicious Service via sc.exe

    Expected signal: SecurityEvent 7045 with ServiceName=AtomicTestSvc and ImagePath containing Temp directory; DeviceProcessEvents showing sc.exe with 'create' and 'binpath' in command line; parent process cmd.exe or PowerShell

  2. Test 2: Remote Service Execution via PsExec Simulation

    Expected signal: SecurityEvent 7045 on target host showing UNC path in ImagePath; Sysmon EventCode 3 (network) showing SMB connection to remote host; sc.exe process creation with remote hostname argument

  3. Test 3: Linux Malicious Systemd Service Creation

    Expected signal: Syslog or auditd entries showing systemctl execution; file creation event for /etc/systemd/system/atomic-test.service; bash process spawned by systemd with UID=0 executing id command

  4. Test 4: Service Creation via PowerShell New-Service Cmdlet

    Expected signal: SecurityEvent 7045 with ServiceName=PSAtomicTestSvc and ImagePath in %TEMP%; PowerShell ScriptBlock log EventID 4104 showing New-Service cmdlet; DeviceProcessEvents showing powershell.exe as initiating process for service creation API calls
