Technique T1569, Execution tactic, medium difficulty

System Services

System Services (T1569) is a MITRE ATT&CK technique in the Execution tactic. SOC analysts detect it by monitoring XDR and SIEM events for behavioral anomalies and the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.

Tools: XDR, SIEM

What is System Services?

Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence, but adversaries can also abuse services simply as a means for one-time or temporary code execution. On Windows, sc.exe and the Service Control Manager API allow creation and manipulation of services. On Linux and macOS, systemctl, launchd, and init scripts serve similar purposes. Attackers frequently create services with names and descriptions that mimic legitimate Windows components to avoid detection. The use of services for execution provides several advantages including automatic restart on failure, execution with SYSTEM or root privileges, and the ability to execute without an interactive user session. PSExec and similar remote execution tools operate by creating temporary services on target systems, making service creation monitoring a reliable detection vector for some forms of lateral movement.

System Services is documented as technique T1569 in the MITRE ATT&CK knowledge base under the Execution tactic. Detection requires visibility into XDR and SIEM telemetry.

Detection Strategies

The following detection strategies help SOC analysts identify System Services activity. These methods apply across XDR and SIEM environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

  1. Monitor Windows Event ID 7045 for new service installation and correlate with the executable path and digital signature status of the service binary, alerting on services pointing to unsigned executables in non-standard locations.

  2. Alert on service creation using sc.exe or the Windows Service Control Manager API from processes other than legitimate installer applications, particularly when combined with encoded command line arguments or temporary file paths.

  3. Detect malicious service names that mimic legitimate Windows services through exact name matching and fuzzy matching against the known good service catalog, as attackers frequently use slight variations of real service names.

  4. Monitor for service binary path modifications, as attackers may hijack existing service configurations to execute malicious payloads while retaining the appearance of a legitimate service name and description.

  5. Track short-lived service creation patterns, as some attack tools create services purely for one-time remote code execution and immediately delete them, leaving only brief windows for detection in event logs.

Example Alerts

These realistic alert examples show what System Services looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

Severity: High (SIEM)

Malicious Service Created with SYSTEM Privileges

Windows Event 7045 recorded: new service "Windows Network Helper" created with binary path pointing to C:\ProgramData\Temp\net_helper.exe. The executable is unsigned, was created 4 minutes ago by a PowerShell process, and its name closely mimics the legitimate Windows service "Windows Network List Service." The service runs as LocalSystem and is configured for automatic startup.

Severity: Critical (XDR)

Service Binary Path Hijacked for Code Execution

Registry modification detected changing the ImagePath of an existing Windows service from its legitimate executable to a malicious binary in the user profile directory. The targeted service runs as SYSTEM and has automatic startup configured. This service hijacking technique allows persistent SYSTEM-level execution while masquerading as a known legitimate service in the services list, evading casual inspection.

Severity: High (XDR)

Remote Service Created via PSExec Pattern

PSEXESVC service creation detected on database server DB-PROD-05 originating from a compromised finance workstation. The PSExec service copied an executable to the ADMIN$ share and executed it as SYSTEM. While PSExec is a legitimate remote administration tool, its use from a finance workstation to execute files on production database servers is unauthorized and indicates attacker-controlled lateral movement activity.

Practice Detecting System Services

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including System Services. Build detection skills with zero consequences — free forever.


Frequently Asked Questions

How do SOC analysts detect System Services?
SOC analysts detect System Services (T1569) by monitoring XDR and SIEM telemetry for behavioral anomalies and specific indicators. Key detection methods include monitoring Windows Event ID 7045 for new service installation and correlating it with the executable path and digital signature status of the service binary. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect System Services?
System Services can be detected using XDR and SIEM platforms. XDR tools are particularly effective for this technique because they provide visibility into the execution phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.
How common is System Services in real-world attacks?
System Services is a well-documented MITRE ATT&CK technique in the Execution tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic System Services scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting System Services for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Execution techniques like System Services. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.