title: System Services (T1569)
id: df00tech-t1569
status: experimental
description: "This detection identifies adversaries abusing Windows services, Linux systemd units, and macOS launchd daemons to execute malicious code. Attackers commonly leverage sc.exe, net start, PsExec, systemctl, and launchctl to create or start services that run attacker-controlled binaries. Indicators include services with suspicious binary paths (temp directories, user profile paths, UNC paths), service names mimicking legitimate system services, new service installations from unusual parent processes (cmd.exe, powershell.exe, wscript.exe), and service creations from non-standard accounts. This technique is frequently chained with lateral movement and persistence techniques to achieve remote code execution or maintain footholds across reboots."
references:
  - https://attack.mitre.org/techniques/T1569/
  - https://df00tech.com/detections/T1569
author: df00tech
date: 2026/04/21
tags:
  - attack.execution
  - attack.t1569
# NOTE: logsource is auto-derived. This rule covers Windows process creation only;
# the systemctl and launchctl cases in the description need separate rules with a
# linux/macos process_creation logsource.
logsource:
  category: process_creation
  product: windows
detection:
  # The df00tech KQL/SPL query could not be auto-translated. The selections below are
  # derived from the indicators in the description and should be checked against that
  # query before deployment. Service-install events (System 7045, Security 4697), which
  # is where PsExec-style remote installs show up, are a separate logsource.
  selection_tool:
    Image|endswith:
      - '\sc.exe'
      - '\net.exe'
      - '\net1.exe'
    CommandLine|contains:
      - 'create'
      - 'start'
  selection_suspicious_path:
    CommandLine|contains:
      - '\Temp\'
      - '\Users\'
      - '\AppData\'
      - '\\\\'   # UNC path, e.g. a binPath= pointing at an admin share
  selection_script_parent:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\wscript.exe'
  condition: selection_tool and (selection_suspicious_path or selection_script_parent)
falsepositives:
  - IT automation tools (SCCM, Ansible, Chef) creating services during software deployment
  - Legitimate software installers that write binaries to AppData before creating services
  - Vulnerability scanners and EDR agents that enumerate or interact with the service control manager
  - Help desk remote management tools (TeamViewer, ConnectWise) that install services temporarily
  - Developer workstations running test services from non-standard paths during development
level: high
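The indicators in the description, applied to sample Windows process_creation events. This is an added worked example, not df00tech's query and not part of the rule above. It assumes Sysmon-style field names from the Sigma process_creation taxonomy (Image, CommandLine, ParentImage, User); the five events are constructed for the example and the function and variable names are the example's own.

```python
"""
Added worked example (not df00tech's query): apply the T1569 indicators from the
rule description to Windows process_creation events. Field names follow the Sigma
process_creation taxonomy (Image, CommandLine, ParentImage, User) as emitted by
Sysmon EventID 1; the events below are constructed for the example.
"""
import re
from typing import Dict, List, Optional, Tuple

SERVICE_TOOLS = {"sc.exe", "net.exe", "net1.exe"}
SERVICE_VERBS = {"create", "start"}
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe"}

# Binary-path indicators named in the description: temp directories, user
# profiles, and UNC paths. The UNC branch requires "\\host\" preceded by a
# delimiter so an escaped backslash inside an ordinary path does not match.
SUSPICIOUS_PATH = re.compile(
    r"\\temp\\|\\users\\|\\appdata\\|(?:^|[\s=\"'])\\\\[^\\\s\"']+\\",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles forward slashes too)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a verdict for a matching event, or None.

    Matches only when a service-control tool runs with a create/start verb AND
    a secondary indicator is present (suspicious binary path or a scripting
    parent). The verb alone is the false-positive surface the rule lists.
    """
    tool = _basename(event.get("Image", ""))
    if tool not in SERVICE_TOOLS:
        return None
    cmdline = event.get("CommandLine", "")
    verbs = SERVICE_VERBS.intersection(t.lower() for t in cmdline.split())
    if not verbs:
        return None
    reasons: List[str] = []
    if SUSPICIOUS_PATH.search(cmdline):
        reasons.append("suspicious_binary_path")
    if _basename(event.get("ParentImage", "")) in SCRIPT_PARENTS:
        reasons.append("script_interpreter_parent")
    if not reasons:
        return None
    return {
        "tool": tool,
        "verb": sorted(verbs)[0],
        "reasons": reasons,
        "user": event.get("User", ""),
    }


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, Dict[str, object]]]:
    """Run evaluate() over a batch and return (index, verdict) for each hit."""
    hits: List[Tuple[int, Dict[str, object]]] = []
    for i, ev in enumerate(events):
        verdict = evaluate(ev)
        if verdict is not None:
            hits.append((i, verdict))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # service install from cmd.exe with the binary in a user temp dir
        "Image": r"C:\Windows\System32\sc.exe",
        "CommandLine": r'sc create WinUpdateSvc binPath= "C:\Users\bob\AppData\Local\Temp\svchost.exe" start= auto',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": r"CORP\bob",
    },
    {   # remote service creation from PowerShell with a UNC binary path
        "Image": r"C:\Windows\System32\sc.exe",
        "CommandLine": r"sc \\FILESRV01 create RemoteHelper binPath= \\FILESRV01\ADMIN$\helper.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "User": r"CORP\svc_deploy",
    },
    {   # benign installer: Program Files binary, msiexec parent, no hit
        "Image": r"C:\Windows\System32\sc.exe",
        "CommandLine": r'sc create VendorAgent binPath= "C:\Program Files\Vendor\agent.exe"',
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # interactive 'net start' from cmd.exe: fires on the parent indicator only
        "Image": r"C:\Windows\System32\net.exe",
        "CommandLine": "net start spooler",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": r"CORP\helpdesk",
    },
    {   # enumeration only: no create/start verb, so no hit
        "Image": r"C:\Windows\System32\sc.exe",
        "CommandLine": "sc query",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": r"CORP\bob",
    },
]

if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {verdict['tool']} {verdict['verb']} by {verdict['user']} "
              f"-> {', '.join(verdict['reasons'])}")
```

The fourth event is deliberately included: `net start spooler` from an interactive cmd.exe matches on the parent indicator alone, which is the help-desk and developer-workstation noise the falsepositives section lists. If that is too loud in a given environment, requiring the path indicator (or tuning by User) is the first knob to turn.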
