Detect System Services in Sumo Logic CSE
This detection identifies adversaries abusing Windows services, Linux systemd units, and macOS launchd daemons to execute malicious code. Attackers commonly leverage sc.exe, net start, PsExec, systemctl, and launchctl to create or start services that run attacker-controlled binaries. Indicators include services with suspicious binary paths (temp directories, user profile paths, UNC paths), service names mimicking legitimate system services, new service installations from unusual parent processes (cmd.exe, powershell.exe, wscript.exe), and service creations from non-standard accounts. This technique is frequently chained with lateral movement and persistence techniques to achieve remote code execution or maintain footholds across reboots.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1569 System Services
- Canonical reference: https://attack.mitre.org/techniques/T1569/
Sumo Detection Query
// Detection 1: New service installations with suspicious paths (Windows Event 7045/4697)
// Sumo Logic has no eval operator; derived fields are written as "| expression as name".
// Regex literals (/.../) are Java regexes, so a literal backslash in a Windows path is "\\".
(_sourceCategory="windows/system" OR _sourceCategory="windows/security")
| where EventCode in ("7045", "4697")
| parse regex "ServiceName=(?<service_name>[^\r\n]+)" nodrop
| parse regex "ImagePath=(?<image_path>[^\r\n]+)" nodrop
| parse regex "ServiceAccount=(?<service_account>[^\r\n]+)" nodrop
// Binary staged under a temp, user-profile or ProgramData directory
| if(image_path matches /(?i).*\\(Temp|Users|AppData|Downloads|Public|ProgramData)\\.*/, 1, 0) as suspicious_path
// UNC image path (\\host\share\... or \\10.0.0.5\share\...), typical of remote service execution
| if(image_path matches /^\\\\[A-Za-z0-9._-]+\\.*/, 1, 0) as unc_path
// Service binary is itself a living-off-the-land binary
| if(image_path matches /(?i).*(certutil|bitsadmin|mshta|regsvr32|rundll32|wmic).*/, 1, 0) as lolbin_svc
| (suspicious_path * 40) + (unc_path * 50) + (lolbin_svc * 60) as risk_score
| where risk_score > 0
| fields _messagetime, _sourceHost, EventCode, service_name, image_path, service_account, risk_score, suspicious_path, unc_path, lolbin_svc
| sort by risk_score desc, _messagetime desc

// Detection 2: sc.exe/net.exe service manipulation from suspicious parents (Sysmon Event 1)
// Run as separate query:
// _sourceCategory="windows/sysmon" EventCode=1
// (CommandLine="*sc.exe*" OR CommandLine="*net.exe*" OR CommandLine="*net1.exe*")
// (CommandLine="*create*" OR CommandLine="*start*" OR CommandLine="*binpath*" OR CommandLine="*config*")
// | parse regex "ParentImage=(?<parent_image>[^\r\n]+)" nodrop
// | parse regex "CommandLine=(?<cmd_line>[^\r\n]+)" nodrop
// | if(parent_image matches /(?i).*(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|msiexec)\.exe.*/, 1, 0) as suspicious_parent
// | if(cmd_line matches /(?i).*binpath.*(temp|appdata|downloads|public|users).*/, 1, 0) as suspicious_binpath
// | where suspicious_parent = 1 OR suspicious_binpath = 1
// | (suspicious_parent * 30) + (suspicious_binpath * 40) as risk_score
// | sort by risk_score desc

// Detection 3: PsExec-style tools (Sysmon Event 1)
// Run as separate query:
// _sourceCategory="windows/sysmon" EventCode=1
// (Image="*psexec.exe" OR Image="*psexec64.exe" OR Image="*paexec.exe" OR Image="*remcom.exe" OR Image="*csexec.exe")
// | 80 as risk_score
// | fields _messagetime, _sourceHost, Image, CommandLine, ParentImage, User, risk_score

Detects Windows system service abuse via Sumo Logic by identifying new service installations (EventCode 7045/4697) with suspicious image paths, including temp directories, user profile paths, UNC paths, and LOLBin executables. Risk scoring is applied to prioritize the most suspicious events. Companion query patterns are provided for Sysmon-based detection of sc.exe/net.exe manipulation from scripting-engine parents and of PsExec-style lateral movement tools.
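To exercise the risk-scoring logic offline before deploying the query, the following Python example (added here, not part of the Sumo Logic content above) re-implements the three detections over a handful of constructed Windows events modelled on the expected signals in the testing section. Event shapes, service names, host names and paths are sample values; the UNC check accepts both host names and dotted IP addresses as the server, and the sc.exe/net.exe match uses word boundaries rather than bare substring matches.

```python
import re

# Regexes mirroring the three detections. Doubled backslashes in the raw strings
# match one literal backslash in a Windows path.
SUSPICIOUS_PATH = re.compile(r"\\(Temp|Users|AppData|Downloads|Public|ProgramData)\\", re.I)
UNC_PATH = re.compile(r"^\\\\[A-Za-z0-9._-]+\\")          # \\host\ or \\10.0.0.5\ prefix
LOLBIN = re.compile(r"(certutil|bitsadmin|mshta|regsvr32|rundll32|wmic)", re.I)
SERVICE_TOOL = re.compile(r"\b(sc|net|net1)\.exe\b", re.I)
SERVICE_VERB = re.compile(r"\b(create|start|binpath|config)\b", re.I)
SUSPICIOUS_PARENT = re.compile(              # parent image ends with a scripting engine / LOLBin
    r"(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|msiexec)\.exe$", re.I)
SUSPICIOUS_BINPATH = re.compile(r"binpath.*(temp|appdata|downloads|public|users)", re.I)
PSEXEC_TOOLS = {"psexec.exe", "psexec64.exe", "paexec.exe", "remcom.exe", "csexec.exe"}

WEIGHTS_SERVICE = {"suspicious_path": 40, "unc_path": 50, "lolbin_svc": 60}
WEIGHTS_PROCESS = {"suspicious_parent": 30, "suspicious_binpath": 40}


def parse_kv_event(raw: str) -> dict:
    """Turn a one-Key=Value-per-line event body into a dict (what the parse stanzas do)."""
    fields = {}
    for line in raw.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def score_service_install(event: dict) -> dict:
    """Detection 1: risk-score a 7045/4697 service-install event by its ImagePath."""
    if event.get("EventCode") not in ("7045", "4697"):
        return {"risk_score": 0}
    path = event.get("ImagePath", "")
    flags = {
        "suspicious_path": int(bool(SUSPICIOUS_PATH.search(path))),
        "unc_path": int(bool(UNC_PATH.match(path))),
        "lolbin_svc": int(bool(LOLBIN.search(path))),
    }
    flags["risk_score"] = sum(WEIGHTS_SERVICE[k] * v for k, v in flags.items())
    return flags


def score_service_command(event: dict) -> dict:
    """Detection 2: sc.exe/net.exe create|start|binpath|config from a scripting-engine parent."""
    cmd, parent = event.get("CommandLine", ""), event.get("ParentImage", "")
    if event.get("EventCode") != "1" or not (SERVICE_TOOL.search(cmd) and SERVICE_VERB.search(cmd)):
        return {"risk_score": 0}
    flags = {
        "suspicious_parent": int(bool(SUSPICIOUS_PARENT.search(parent))),
        "suspicious_binpath": int(bool(SUSPICIOUS_BINPATH.search(cmd))),
    }
    flags["risk_score"] = sum(WEIGHTS_PROCESS[k] * v for k, v in flags.items())
    return flags


def score_psexec_tool(event: dict) -> dict:
    """Detection 3: a PsExec-style remote-execution tool launched on the host."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    return {"psexec_tool": image, "risk_score": 80} if image in PSEXEC_TOOLS else {"risk_score": 0}


def triage(service_bodies, process_events):
    """Score every event and return the hits sorted by risk_score descending, as the query does."""
    hits = []
    for raw in service_bodies:
        ev = parse_kv_event(raw)
        s = score_service_install(ev)
        if s["risk_score"] > 0:
            hits.append((s["risk_score"], "service-install", ev.get("ServiceName"), s))
    for ev in process_events:
        for s in (score_service_command(ev), score_psexec_tool(ev)):
            if s["risk_score"] > 0:
                hits.append((s["risk_score"], "process", ev.get("Image"), s))
    return sorted(hits, key=lambda h: h[0], reverse=True)


# Constructed sample events modelled on the expected signals in the Testing Methodology section.
SAMPLE_SERVICE_EVENTS = [
    "EventCode=7045\nServiceName=AtomicTestSvc\nImagePath=C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe\nServiceAccount=LocalSystem",
    "EventCode=7045\nServiceName=RemoteSvc\nImagePath=\\\\10.0.0.5\\ADMIN$\\remote.exe\nServiceAccount=LocalSystem",
    "EventCode=4697\nServiceName=Updater\nImagePath=C:\\ProgramData\\Updater\\rundll32.exe upd.dll,Run\nServiceAccount=LocalSystem",
    "EventCode=7045\nServiceName=wuauserv\nImagePath=C:\\Windows\\System32\\svchost.exe -k netsvcs\nServiceAccount=LocalSystem",
]
SAMPLE_PROCESS_EVENTS = [
    {"EventCode": "1", "Image": "C:\\Windows\\System32\\sc.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'sc.exe create AtomicTestSvc binpath= "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe" start= auto'},
    {"EventCode": "1", "Image": "C:\\Windows\\System32\\net.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "net.exe start Spooler"},
    {"EventCode": "1", "Image": "C:\\Windows\\System32\\sc.exe", "ParentImage": "C:\\Program Files\\Vendor\\setup.exe",
     "CommandLine": "sc.exe query Spooler"},
    {"EventCode": "1", "Image": "C:\\Tools\\PsExec64.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "PsExec64.exe \\\\10.0.0.5 whoami"},
]

if __name__ == "__main__":
    for score, kind, name, flags in triage(SAMPLE_SERVICE_EVENTS, SAMPLE_PROCESS_EVENTS):
        print(f"{score:>3} {kind:<16} {name}  {flags}")
```

Running it lists six hits, from the ProgramData-hosted rundll32 service (100) down to the `net start` from cmd.exe (30); the benign svchost install and the `sc query` from an installer score zero and are dropped, matching the `where risk_score > 0` filter.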
Data Sources
Required Tables
False Positives & Tuning
- Enterprise software deployers (e.g., SCCM, Intune, or third-party deployment tools) that register services with binaries temporarily staged in ProgramData or temp paths before finalizing installation.
- Penetration testing teams using PsExec or PAExec during authorized red team engagements — coordinate with security team scheduling to suppress during test windows.
- Development and build servers where unit tests or integration tests programmatically install and remove services with binaries in build output directories under user or temp paths.
- Legitimate LOLBin usage for service verification, e.g., certutil used by patching scripts to validate service binary integrity by hash comparison before service start.
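The four tuning cases above translate into a suppression layer that sits after the query rather than into broader regexes. The Python example below is added here (it is not part of the detection package) and shows one way to build it: every rule needs two attributes to agree before it silences an alert, and suppressed alerts keep the rule name for audit. All agent paths, host names, build roots and the engagement window are constructed placeholders to replace with your own values.

```python
from datetime import datetime, timezone
from typing import Optional

# Constructed tuning table. Every path, host name and window is a placeholder for values
# from your own environment (deployment agent, CI hosts, engagement schedule).
TUNING = {
    # Deployment agent (SCCM/Intune style) -> staging roots it may install service binaries from.
    "deployer_parents": {
        "c:\\program files\\deployagent\\agent.exe": ["c:\\programdata\\deployagent\\cache\\"],
    },
    "build_hosts": {"build01", "build02"},
    "build_roots": ["c:\\builds\\", "c:\\users\\ci\\appdata\\local\\temp\\"],
    # Authorized red team window, scoped to the hosts in the engagement.
    "engagement_windows": [
        {"hosts": {"ws02"},
         "start": datetime(2024, 5, 6, 8, 0, tzinfo=timezone.utc),
         "end": datetime(2024, 5, 6, 18, 0, tzinfo=timezone.utc)},
    ],
    # Patching scripts allowed to call certutil -hashfile to verify a service binary.
    "patch_script_parents": {"c:\\program files\\patchtool\\patch.exe"},
}


def suppression_reason(alert: dict, cfg: dict = TUNING) -> Optional[str]:
    """Return the tuning rule that suppresses this alert, or None if it should be raised.
    Each rule requires two attributes at once, so a single spoofable value (a host name,
    a parent path) is never enough on its own to silence the detection."""
    host = alert.get("host", "").lower()
    parent = alert.get("parent_image", "").lower()
    path = alert.get("image_path", "").lower()
    cmd = alert.get("command_line", "").lower()
    when = alert["time"]

    # 1. Deployer staging: the parent is the deployment agent AND the binary is in its cache.
    for agent, roots in cfg["deployer_parents"].items():
        if parent == agent and any(path.startswith(r) for r in roots):
            return "deployer-staging"
    # 2. Build server: a known CI host AND a binary under a build output root.
    if host in cfg["build_hosts"] and any(path.startswith(r) for r in cfg["build_roots"]):
        return "build-server"
    # 3. Authorized test: an engagement host AND a timestamp inside the scheduled window.
    for w in cfg["engagement_windows"]:
        if host in w["hosts"] and w["start"] <= when <= w["end"]:
            return "authorized-test-window"
    # 4. Hash check: certutil -hashfile AND the parent is the approved patching tool.
    if "certutil" in cmd and "-hashfile" in cmd and parent in cfg["patch_script_parents"]:
        return "certutil-hash-check"
    return None


def apply_tuning(alerts, cfg: dict = TUNING):
    """Split scored alerts into (open, suppressed); suppressed ones record the rule that fired."""
    open_alerts, suppressed = [], []
    for a in alerts:
        reason = suppression_reason(a, cfg)
        (suppressed if reason else open_alerts).append({**a, "suppressed_by": reason})
    return open_alerts, suppressed


# Constructed alerts in the shape the detection query emits (fields lower-cased for brevity).
T = datetime(2024, 5, 6, 12, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    {"host": "ws01", "parent_image": r"C:\Program Files\DeployAgent\agent.exe",
     "image_path": r"C:\ProgramData\DeployAgent\cache\pkg1\svc.exe", "command_line": "", "time": T},
    {"host": "ws01", "parent_image": r"C:\Program Files\DeployAgent\agent.exe",    # agent, wrong root
     "image_path": r"C:\Users\bob\AppData\Local\Temp\svc.exe", "command_line": "", "time": T},
    {"host": "build01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image_path": r"C:\builds\out\testsvc.exe", "command_line": "", "time": T},
    {"host": "ws02", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image_path": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "command_line": "", "time": T},
    {"host": "ws02", "parent_image": r"C:\Windows\System32\cmd.exe",                # day after window
     "image_path": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "command_line": "",
     "time": datetime(2024, 5, 7, 12, 0, tzinfo=timezone.utc)},
    {"host": "ws03", "parent_image": r"C:\Program Files\PatchTool\patch.exe", "image_path": "",
     "command_line": r"certutil -hashfile C:\Program Files\App\svc.exe SHA256", "time": T},
]

if __name__ == "__main__":
    open_alerts, suppressed = apply_tuning(SAMPLE_ALERTS)
    for a in suppressed:
        print("suppressed", a["host"], a["suppressed_by"])
    for a in open_alerts:
        print("OPEN      ", a["host"], a["image_path"])
```

The second and fifth alerts stay open: the deployment agent writing outside its cache root, and the same engagement host the day after its window, are exactly the cases a parent-only or host-only allowlist would have hidden.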
Other platforms for T1569
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create and Execute Malicious Service via sc.exe
  Expected signal: SecurityEvent 7045 with ServiceName=AtomicTestSvc and ImagePath containing Temp directory; DeviceProcessEvents showing sc.exe with 'create' and 'binpath' in command line; parent process cmd.exe or PowerShell
- Test 2: Remote Service Execution via PsExec Simulation
  Expected signal: SecurityEvent 7045 on target host showing UNC path in ImagePath; Sysmon EventCode 3 (network) showing SMB connection to remote host; sc.exe process creation with remote hostname argument
- Test 3: Linux Malicious Systemd Service Creation
  Expected signal: Syslog or auditd entries showing systemctl execution; file creation event for /etc/systemd/system/atomic-test.service; bash process spawned by systemd with UID=0 executing id command
- Test 4: Service Creation via PowerShell New-Service Cmdlet
  Expected signal: SecurityEvent 7045 with ServiceName=PSAtomicTestSvc and ImagePath in %TEMP%; PowerShell ScriptBlock log EventID 4104 showing New-Service cmdlet; DeviceProcessEvents showing powershell.exe as initiating process for service creation API calls
References (9)
- https://attack.mitre.org/techniques/T1569/
- https://attack.mitre.org/techniques/T1569/001/
- https://attack.mitre.org/techniques/T1569/002/
- https://attack.mitre.org/techniques/T1569/003/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-7045
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md
- https://www.cybereason.com/blog/research/cybereason-vs-darkside-ransomware
- https://www.crowdstrike.com/blog/wizard-spider-adversary-update/