title: Service Execution (T1569.002)
id: df00tech-t1569-002
status: experimental
description: "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services. Adversaries can create new services or modify existing ones to execute malicious binaries, scripts, or commands. Tools such as sc.exe, PsExec, and Net can be used locally or against remote targets. PsExec creates a temporary service (PSEXESVC) that executes the specified payload as SYSTEM. This technique is commonly used by ransomware families (NotPetya, Bad Rabbit, Ragnar Locker), APT groups (Chimera, APT39), and C2 frameworks (Cobalt Strike, Brute Ratel C4) for lateral movement, privilege escalation, and persistence."
references:
  - https://attack.mitre.org/techniques/T1569/002/
  - https://df00tech.com/detections/T1569.002
author: df00tech
date: 2026/03/13
tags:
  - attack.t1569.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Placeholder only: EventID '*' matches every process_creation event, so this rule
  # must not be deployed until the selection is replaced with the translated logic.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate software installers (antivirus, monitoring agents, backup solutions) that register Windows services during installation
  - IT administrative tools (PsExec used by sysadmins for remote management, SCCM/Intune deploying service-based software)
  - Security software and EDR agents that create services for kernel drivers or protection modules
  - Legitimate automation frameworks (Ansible, Chef, Puppet) that deploy services as part of configuration management
  - Application deployment pipelines in CI/CD environments creating temporary services for testing
level: high
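
As an added example (not df00tech's published query and not part of this rule), the two signals the description names, sc.exe creating or reconfiguring a service whose binPath runs a shell host and a PSEXESVC service install, written as detection logic in Python over constructed event records; the shell-host list, the writable-path list and the sample events are assumptions for illustration.

```python
import re

# Shell/script hosts rarely used as a service image, and directories a service
# binary rarely lives in; both are assumed tuning lists, not df00tech's.
SHELL_HOSTS = ("cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
               "mshta.exe", "wscript.exe", "cscript.exe")
WRITABLE_PATHS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
SC_VERBS = {"create", "config"}

def inspect_process(image, cmdline):
    """Flag sc.exe create/config whose binPath= runs a shell or script host."""
    if not image.lower().endswith("\\sc.exe"):
        return None
    low = cmdline.lower()
    verbs = SC_VERBS & set(low.split())
    match = re.search(r'binpath=\s*"?([^"]*)', low)  # sc.exe syntax: binpath= "..."
    if not verbs or not match:
        return None
    binpath = match.group(1).strip()
    if any(host in binpath for host in SHELL_HOSTS):
        return f"sc.exe {'/'.join(sorted(verbs))} with shell-host binPath: {binpath}"
    return None

def inspect_service_install(name, image_path):
    """Flag service installs (Security 4697 / System 7045) typical of T1569.002."""
    low = image_path.lower()
    if name.upper().startswith("PSEXESVC"):
        return f"PsExec service installed: {name} -> {image_path}"
    if any(host in low for host in SHELL_HOSTS):
        return f"service {name} runs a shell host: {image_path}"
    if any(path in low for path in WRITABLE_PATHS):
        return f"service {name} image in user-writable path: {image_path}"
    return None

def run(events):
    """Return one alert per suspicious event; benign events produce nothing."""
    hits = (inspect_process(e["image"], e["cmdline"]) if e["kind"] == "process"
            else inspect_service_install(e["name"], e["image_path"]) for e in events)
    return [h for h in hits if h]

# Constructed sample telemetry for this example, not real logs.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc.exe \\FILESRV01 create updsvc binpath= "cmd.exe /c C:\Users\Public\run.bat" start= auto'},
    {"kind": "process", "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc.exe query wuauserv"},
    {"kind": "service_install", "name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"kind": "service_install", "name": "MsMpEng", "image_path": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
]
if __name__ == "__main__":
    print("\n".join(run(SAMPLE_EVENTS)))
```

Tune SHELL_HOSTS and WRITABLE_PATHS against the false positives listed above (installers and EDR agents that legitimately register services) before using this as anything more than a triage aid.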
