T1569 Microsoft Sentinel · KQL

Detect System Services in Microsoft Sentinel

This detection identifies adversaries abusing Windows services, Linux systemd units, and macOS launchd daemons to execute malicious code. Attackers commonly leverage sc.exe, net start, PsExec, systemctl, and launchctl to create or start services that run attacker-controlled binaries. Indicators include services with suspicious binary paths (temp directories, user profile paths, UNC paths), service names mimicking legitimate system services, new service installations from unusual parent processes (cmd.exe, powershell.exe, wscript.exe), and service creations from non-standard accounts. This technique is frequently chained with lateral movement and persistence techniques to achieve remote code execution or maintain footholds across reboots.

MITRE ATT&CK

Tactic
Execution
Technique
T1569 System Services
Canonical reference
https://attack.mitre.org/techniques/T1569/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
let SuspiciousPaths = dynamic(["\\Temp\\", "\\Users\\", "\\AppData\\", "\\ProgramData\\", "\\Downloads\\", "\\Public\\", "%TEMP%", "%APPDATA%"]);
let SuspiciousParents = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe"]);
let LolBins = dynamic(["certutil.exe", "bitsadmin.exe", "wmic.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"]);
// Service binaries that PsExec-style tools drop on the target host; services.exe launches them there
// (PSEXESVC.exe, PAExec-<pid>-<host>.exe, RemComSvc.exe, csexecsvc.exe)
let RemoteExecServiceBinaries = dynamic(["psexesvc.exe", "paexec", "remcomsvc.exe", "csexecsvc.exe"]);
// New-service installs from both logs Sentinel can hold them in:
//   - System log 7045 (Service Control Manager) lands in the Event table when the System log is collected;
//     EventData is an XML string there, so fields are extracted with regex rather than dynamic property access
//   - Security log 4697 (requires "Audit Security System Extension") lands in SecurityEvent with parsed columns
let NewServices = union
(
    Event
    | where Source == "Service Control Manager" and EventID == 7045
    | extend ServiceName = extract(@'<Data Name="ServiceName">([^<]*)</Data>', 1, EventData),
             ServiceFileName = extract(@'<Data Name="ImagePath">([^<]*)</Data>', 1, EventData),
             ServiceType = extract(@'<Data Name="ServiceType">([^<]*)</Data>', 1, EventData),
             ServiceAccount = extract(@'<Data Name="AccountName">([^<]*)</Data>', 1, EventData)
    | project TimeGenerated, Computer, EventID, ServiceName, ServiceFileName, ServiceType, ServiceAccount
),
(
    SecurityEvent
    | where EventID == 4697
    | project TimeGenerated, Computer, EventID, ServiceName, ServiceFileName, ServiceType, ServiceAccount
)
// Executable alone (no quotes or arguments), lower-cased, for joining against file-creation events
| extend ServiceBinary = tolower(extract(@'(?i)^"?([^"]+?\.(?:exe|dll))', 1, ServiceFileName));
union
(
    // New service installations with suspicious image paths
    NewServices
    | where ServiceFileName has_any (SuspiciousPaths)
          or ServiceFileName matches regex @'^"?\\\\[^\\]+\\'   // UNC path (\\host\share or \\10.0.0.1\share)
          or ServiceFileName has_any (LolBins)
          or (ServiceAccount =~ "LocalSystem" and ServiceFileName has_any (SuspiciousPaths))
    | project TimeGenerated, Computer, EventID, ServiceName, ServiceFileName, ServiceType, ServiceAccount,
              SourceType = "ServiceInstalled-7045-4697"
),
(
    // sc.exe and net.exe service manipulation
    DeviceProcessEvents
    | where FileName in~ ("sc.exe", "net.exe", "net1.exe")
      and ProcessCommandLine has_any ("create", "start", "config", "binpath")
    | where InitiatingProcessFileName in~ (SuspiciousParents)
          // binPath= pointing into a user-writable directory; case-insensitive, quotes optional
          or ProcessCommandLine matches regex @'(?i)binpath\s*=\s*"?[^"]*\\(Temp|AppData|Downloads|Public|Users)\\'
          // service binary is a command interpreter rather than a real service executable
          or ProcessCommandLine has_any ("cmd.exe", "powershell", "pwsh.exe")
    | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessParentFileName, SourceType = "DeviceProcessEvents-sc"
),
(
    // PsExec-style remote service execution: on the target host, services.exe starts the dropped service binary
    DeviceProcessEvents
    | where InitiatingProcessFileName =~ "services.exe"
    | where FileName has_any (RemoteExecServiceBinaries)
    | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine,
              InitiatingProcessFileName, InitiatingProcessCommandLine, SourceType = "DeviceProcessEvents-psexec"
),
(
    // Service binaries written to temp/user paths shortly before a service pointing at them is installed
    DeviceFileEvents
    | where ActionType == "FileCreated"
    | where FolderPath has_any (SuspiciousPaths)
    | where FileName endswith ".exe" or FileName endswith ".dll"
    // FolderPath normally already carries the file name; build the full path either way
    | extend ServiceBinary = tolower(iff(FolderPath endswith FileName, FolderPath, strcat(FolderPath, @"\", FileName))),
             Host = tolower(tostring(split(DeviceName, ".")[0]))
    | join kind=inner (
        NewServices
        | project ServiceBinary, Host = tolower(tostring(split(Computer, ".")[0])),
                  ServiceName, ServiceInstallTime = TimeGenerated
    ) on ServiceBinary, Host
    // the service must be registered after the file appeared, within one hour
    | where ServiceInstallTime between (TimeGenerated .. (TimeGenerated + 1h))
    | project TimeGenerated, DeviceName, FileName, FolderPath, ServiceName, ServiceInstallTime, SourceType = "FileCreated-ServiceBinary"
)
| order by TimeGenerated desc
```
Severity
High
Confidence
Medium

Detects service abuse for code execution by correlating Security Event 7045 (new service installed) with suspicious binary paths, sc.exe/net.exe usage from unexpected parent processes, PsExec-style remote service creation, and service binaries written to temp/user directories. Unions multiple detection angles to catch both local and remote service execution patterns.

Data Sources

Microsoft Defender for Endpoint, Microsoft Sentinel, Windows Security Events

Required Tables

SecurityEvent, Event (System log, Service Control Manager 7045), DeviceProcessEvents, DeviceFileEvents

False Positives & Tuning

  • IT automation tools (SCCM, Ansible, Chef) creating services during software deployment
  • Legitimate software installers that write binaries to AppData before creating services
  • Vulnerability scanners and EDR agents that enumerate or interact with the service control manager
  • Help desk remote management tools (TeamViewer, ConnectWise) that install services temporarily
  • Developer workstations running test services from non-standard paths during development
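One way to apply the tuning points above, as an added example that is not part of this page's rule: a first-seen baseline over the 7045 stream plus allowlists for the deployment share, help-desk tool service names and developer hosts. The lookback window, the placeholder paths, the service-name list and the host-name pattern are assumptions to replace with values from your own telemetry.

```kusto
// Added tuning layer (example, not the page's own rule). Values in <angle brackets> are placeholders.
let Lookback = 30d;                                   // baseline window (assumption)
let TrustedServicePaths = dynamic([
    "C:\\Program Files\\", "C:\\Program Files (x86)\\",
    "C:\\Windows\\CCM\\",                             // SCCM client directory
    "\\\\<deploy-server>\\<packages-share>\\"]);      // SCCM/Ansible/Chef staging share (placeholder)
let TrustedServiceNames = dynamic(["TeamViewer", "ScreenConnect Client"]);   // help-desk tools (illustrative)
let DevHostPattern = @'(?i)^dev-';                    // developer workstations (placeholder naming convention)
// 7045 as the Event table stores it: EventData is an XML string, so fields are pulled out with regex
let NewServices = Event
    | where Source == "Service Control Manager" and EventID == 7045
    | extend ServiceName = extract(@'<Data Name="ServiceName">([^<]*)</Data>', 1, EventData),
             ServiceFileName = extract(@'<Data Name="ImagePath">([^<]*)</Data>', 1, EventData),
             ServiceAccount = extract(@'<Data Name="AccountName">([^<]*)</Data>', 1, EventData)
    | extend ServiceBinary = tolower(extract(@'(?i)^"?([^"]+?\.(?:exe|dll))', 1, ServiceFileName));
// Baseline: (service name, binary) pairs already installed anywhere in the estate before today;
// this absorbs routine installers, including ones that run from AppData, once they have been seen
let Baseline = NewServices
    | where TimeGenerated between (ago(Lookback) .. ago(1d))
    | distinct ServiceName, ServiceBinary;
NewServices
| where TimeGenerated > ago(1d)
// 1. keep only pairs never seen during the baseline window
| join kind=leftanti Baseline on ServiceName, ServiceBinary
// 2. drop installs from trusted locations and known help-desk tools
| where not(ServiceFileName has_any (TrustedServicePaths))
| where not(ServiceName has_any (TrustedServiceNames))
// 3. keep the strongest indicators everywhere; only downgrade user-profile paths on developer hosts
| extend IsDevHost = Computer matches regex DevHostPattern,
         IsUncPath = ServiceFileName matches regex @'^"?\\\\[^\\]+\\',
         IsUserPath = ServiceFileName has_any ("\\Users\\", "\\AppData\\", "\\Temp\\", "%TEMP%", "%APPDATA%")
| where IsUncPath or IsUserPath
| extend Severity = case(IsUncPath, "High",
                         IsDevHost, "Low",
                         "High")
| project TimeGenerated, Computer, ServiceName, ServiceFileName, ServiceAccount, Severity
| order by Severity asc, TimeGenerated desc
```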

Testing Methodology

Validate this detection with the 4 Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create and Execute Malicious Service via sc.exe

     Expected signal: SecurityEvent 7045 with ServiceName=AtomicTestSvc and ImagePath containing Temp directory; DeviceProcessEvents showing sc.exe with 'create' and 'binpath' in command line; parent process cmd.exe or PowerShell

  2. Test 2: Remote Service Execution via PsExec Simulation

     Expected signal: SecurityEvent 7045 on target host showing UNC path in ImagePath; Sysmon EventCode 3 (network) showing SMB connection to remote host; sc.exe process creation with remote hostname argument

  3. Test 3: Linux Malicious Systemd Service Creation

     Expected signal: Syslog or auditd entries showing systemctl execution; file creation event for /etc/systemd/system/atomic-test.service; bash process spawned by systemd with UID=0 executing id command

  4. Test 4: Service Creation via PowerShell New-Service Cmdlet

     Expected signal: SecurityEvent 7045 with ServiceName=PSAtomicTestSvc and ImagePath in %TEMP%; PowerShell ScriptBlock log EventID 4104 showing New-Service cmdlet; DeviceProcessEvents showing powershell.exe as initiating process for service creation API calls
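A query that turns the Windows expected signals above into a pass/fail table per host and test service, as an added example that is not part of this page's rule. It assumes the tests ran within the last day, that 7045 and 4104 ScriptBlock events are collected into the Event table, and that the service names are the ones given in Tests 1 and 4; Test 2 names no service on this page, so its UNC-path and remote sc.exe hits are reported without an expected-signal check.

```kusto
// Added validation query (example, not the page's own rule); lookback of 1d and signal names are assumptions
let TestServices = dynamic(["AtomicTestSvc", "PSAtomicTestSvc"]);
let ShortHost = (name: string) { tolower(tostring(split(name, ".")[0])) };   // FQDN vs NetBIOS name
let Installed = Event
    | where TimeGenerated > ago(1d)
    | where Source == "Service Control Manager" and EventID == 7045
    | extend ServiceName = extract(@'<Data Name="ServiceName">([^<]*)</Data>', 1, EventData),
             ImagePath = extract(@'<Data Name="ImagePath">([^<]*)</Data>', 1, EventData)
    | extend IsUnc = ImagePath matches regex @'^"?\\\\[^\\]+\\'
    | where ServiceName in~ (TestServices) or IsUnc
    | extend Signal = case(IsUnc, "7045-unc-imagepath",
                           ImagePath has_any ("\\Temp\\", "%TEMP%"), "7045-temp-imagepath",
                           "7045-other-imagepath")
    | project TimeGenerated, Host = ShortHost(Computer), ServiceName, Signal;
let ScCreate = DeviceProcessEvents
    | where TimeGenerated > ago(1d)
    | where FileName =~ "sc.exe" and ProcessCommandLine has_all ("create", "binpath")
    // service name is the token after "create"; a leading \\host marks a remote creation (Test 2)
    | extend ServiceName = extract(@'(?i)\bcreate\s+"?([^\s"]+)', 1, ProcessCommandLine),
             Remote = ProcessCommandLine matches regex @'(?i)^\S*sc(\.exe)?"?\s+\\\\\S+'
    | where ServiceName in~ (TestServices) or Remote
    | project TimeGenerated, Host = ShortHost(DeviceName), ServiceName,
              Signal = iff(Remote, "sc-remote-create", "sc-local-create");
let NewServiceCmdlet = Event
    | where TimeGenerated > ago(1d)
    | where Source == "Microsoft-Windows-PowerShell" and EventID == 4104 and EventData has "New-Service"
    // assumes the -Name value (or the positional name) directly follows the cmdlet in the script block
    | extend ServiceName = extract(@'(?i)New-Service\s+(?:-Name\s+)?"?([^\s"]+)', 1, EventData)
    | where ServiceName in~ (TestServices)
    | project TimeGenerated, Host = ShortHost(Computer), ServiceName, Signal = "4104-new-service";
union Installed, ScCreate, NewServiceCmdlet
| summarize FirstSeen = min(TimeGenerated), Signals = make_set(Signal) by Host, ServiceName
| extend Expected = case(ServiceName =~ "AtomicTestSvc",   dynamic(["7045-temp-imagepath", "sc-local-create"]),
                         ServiceName =~ "PSAtomicTestSvc", dynamic(["7045-temp-imagepath", "4104-new-service"]),
                         dynamic([]))
| extend Missing = set_difference(Expected, Signals)
| project Host, ServiceName, FirstSeen, Signals, Missing, Passed = array_length(Missing) == 0
| order by Host asc, ServiceName asc
```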
