DET0421 Detection Strategy for System Services Service Execution

Item	Value
ID	DET0421
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1569.002 (Service Execution)

Analytics

Windows

AN1185

Detection focuses on abnormal service executions initiated via service control manager APIs, sc.exe, net.exe, or PsExec creating temporary services. Defenders observe process creation of services.exe spawning non-standard binaries, registry changes in service keys followed by rapid execution, and network connections originating from processes tied to transient services. Correlation across process lineage, registry activity, and service logs provides strong signals of malicious service execution.

Log Sources

Data Component	Name	Channel
Service Creation (DC0060)	WinEventLog:Security	EventCode=4697
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1
Windows Registry Key Modification (DC0063)	WinEventLog:Sysmon	EventCode=13, 14
Network Connection Creation (DC0082)	WinEventLog:Sysmon	EventCode=3, 22

Mutable Elements

Field	Description
ServiceBinaryAllowlist	Known binaries/services expected to be invoked via services.exe
ParentProcessCorrelationWindow	Time window for correlating service creation with execution events
RemoteExecutionHosts	Approved remote hosts that may trigger service execution (e.g., via PsExec)