Technique ID: T1569
Category: MITRE ATT&CK
Tactics: Execution
Published: March 2026

T1569: System Services

When a ransomware operator needs to execute their payload on 500 machines simultaneously, they do not log into each one. They use PsExec, Impacket, or sc.exe to remotely create and start a Windows service that executes their ransomware binary on every target, all from a single compromised domain controller. System services — the background processes that Windows, Linux, and macOS use to run essential functions — are among the most abused execution mechanisms in the threat landscape because they provide remote execution capability, SYSTEM-level privilege, and persistence across reboots. Adversaries interact with the Service Control Manager (SCM) API or platform-specific daemon managers to create new services, modify existing ones, or use legitimate remote execution tools that operate through service creation. In 2024–2025, PsExec remains among the top five tools used in cyberattacks (CyberProof Mid-Year 2025), with at least 30 documented threat groups abusing it — from Volt Typhoon to Fog ransomware. Impacket's psexec.py and smbexec.py have become standard lateral movement tools for ransomware affiliates operating through RaaS platforms. The technique spans Windows (T1569.002), macOS (T1569.001), and Linux (T1569.003), but the overwhelming majority of real-world abuse targets the Windows Service Control Manager.

The ransomware deployment engine

T1569.002 (Service Execution) is the primary mechanism through which ransomware is deployed at scale across enterprise networks. PsExec drops a service executable (PSEXESVC.exe) on the target system via the ADMIN$ share, creates a temporary service via the SCM, and executes the specified command — all requiring only administrative credentials and SMB access (port 445). BlackCat/ALPHV embedded PsExec within its ransomware binary and dropped it to %TEMP% for self-propagation. Kasseika ransomware used PsExec to deploy batch scripts that loaded BYOVD drivers to kill EDR before encryption. LockBit affiliates use both PsExec and Impacket for mass deployment. The CISA LockBit advisory (June 2023) specifically documented service execution as a core TTP. Medusa ransomware operators combine PsExec with Impacket and PDQ Deploy for lateral movement (Symantec, March 2025). Intel 471's August 2025 threat hunting guide identified PsExec artifacts as a priority detection target for ransomware prevention. The technique has three sub-techniques: T1569.001 (Launchctl on macOS), T1569.002 (Service Execution on Windows), and T1569.003 (Systemctl on Linux, added October 2025).

T1569 falls under the Execution tactic (TA0002). The technique covers any abuse of system services or daemons to execute commands or programs. Services run at boot and operate with elevated privileges (typically SYSTEM on Windows, root on Linux/macOS), making them an attractive execution mechanism. T1569 is the execution component — it is used in conjunction with T1543 (Create or Modify System Process) for persistence, and frequently combined with lateral movement techniques (T1021 Remote Services) when services are created on remote systems via PsExec, Impacket, or WMI.

Sub-Techniques

T1569.001: Launchctl (macOS)

On macOS, launchctl is the interface for interacting with launchd, the service management framework. Adversaries can use launchctl load to load a property list (plist) that defines a daemon or agent, executing arbitrary code when the service starts. The launchctl submit command can execute programs without a plist file. This sub-technique is used by macOS-targeting malware for persistence (launch daemons run as root) and execution. LoudMiner, a cryptominer targeting macOS, used launchctl for persistent execution. WindTail (WindShift APT) targeting Middle Eastern entities also leveraged launchctl for execution.

T1569.002: Service Execution (Windows)

This is by far the most operationally significant sub-technique. Adversaries interact with the Windows Service Control Manager (SCM) to create and start services that execute malicious code. The primary methods are:

PsExec — the Sysinternals tool that remains the dominant service execution mechanism in attacks. PsExec copies a service executable (PSEXESVC.exe) to the target's ADMIN$ share via SMB, creates a temporary service named PSEXESVC via the SCM, starts the service (which runs the specified command as SYSTEM), and communicates results through named pipes (\\.\pipe\PSEXESVC-stdin, \\.\pipe\PSEXESVC-stdout, \\.\pipe\PSEXESVC-stderr). This entire process requires administrative credentials and SMB access (TCP 445). The 2025 CyberProof report identifies PsExec as one of the top five tools used in attacks, with Medusa, LockBit, Kasseika, BlackSuit, and Fog ransomware all documented using it.

Impacket (psexec.py / smbexec.py / wmiexec.py) — the open-source Python toolkit that provides PsExec-like functionality without requiring the Sysinternals binary. Impacket's psexec.py creates a service on the remote system that executes a command and returns output. smbexec.py is a stealthier variant that creates a service executing commands through cmd.exe and redirects output to a file on the ADMIN$ share. Output is written to \\127.0.0.1\ADMIN$\__[timestamp]. Impacket has been adopted by a wide range of threat actors — Microsoft documented its use in post-ransomware investigations, and it is a standard tool in the Cobalt Strike and Metasploit ecosystems.

sc.exe — the native Windows service control command. Adversaries use sc \\target create ServiceName binPath= "malicious.exe" followed by sc \\target start ServiceName to create and start remote services. Unlike PsExec, sc.exe is a built-in Windows utility that leaves no additional binaries on the target system (living-off-the-land). NotPetya and HermeticWiper both used sc.exe for remote service execution during destructive operations against Ukrainian targets.

Winexe / Smbexec — Linux-native tools for remote Windows service execution. Winexe is an open-source equivalent of PsExec for Linux. These tools are used when adversaries operate from Linux-based attack infrastructure to execute commands on Windows targets through service creation.

T1569.003: Systemctl (Linux)

Added to MITRE ATT&CK in October 2025 (v18), this sub-technique covers adversaries using systemctl to interact with the systemd service manager on Linux. Adversaries can create new systemd service unit files in /etc/systemd/system/ or /usr/lib/systemd/system/ that execute malicious payloads, then use systemctl enable and systemctl start to activate them. This provides both execution and persistence with root-level privileges. Velvet Ant, a China-nexus threat group documented by Sygnia in June 2024, abused systemd services for persistent access to F5 BIG-IP load balancers. Linux ransomware targeting ESXi hypervisors increasingly uses systemd for execution and persistence.
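Both the launchd passage (T1569.001) and the systemctl passage above (T1569.003) come down to the same defensive question: does a service definition that an operator could have dropped point at something a legitimate daemon would not run? The Python below is an added example, not code from the briefing, Apple or systemd. It parses a launchd plist with the standard library's plistlib and a systemd unit with a small hand-written reader (unit files allow repeated keys, so configparser is a poor fit), extracts every program path including those hidden inside an interpreter's -c script, and reports what stands out. The directory list, the interpreter set and the two sample definitions are this example's assumptions, and the "context" lines are only attached when something else was already found, so a benign daemon yields an empty list.

```python
"""Triage operator-dropped service definitions: launchd plists (T1569.001)
and systemd unit files (T1569.003).

Added example; not code from the briefing, Apple or systemd. The directory
lists, interpreter set and both sample definitions are this example's assumptions.
"""
import plistlib
import re
import shlex

UNUSUAL_EXEC_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/private/tmp/",
                     "/Users/Shared/", "/home/", "/root/")
INTERPRETERS = {"bash", "sh", "zsh", "python", "python3", "perl", "osascript"}
HIDDEN_SEGMENT = re.compile(r"/\.[^/]+/")          # a dot-directory anywhere in the path
ABS_PATH = re.compile(r"(?<![\w./])(/[\w./-]+)")  # absolute paths inside a -c script

# Constructed: a LaunchDaemon whose label imitates Apple but whose program hides in /Users/Shared.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>-c</string><string>/Users/Shared/.update/agent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed: a unit in /etc/systemd/system that bootstraps a payload from /dev/shm.
SAMPLE_UNIT = """\
[Unit]
Description=System Update Service
[Service]
ExecStart=/bin/bash -c '/dev/shm/.cache/update >/dev/null 2>&1'
Restart=always
[Install]
WantedBy=multi-user.target
"""


def paths_from_argv(argv):
    """The program itself, plus any absolute paths an interpreter's -c script launches."""
    if not argv:
        return []
    found = [argv[0]]
    if argv[0].rsplit("/", 1)[-1] in INTERPRETERS:
        found += ABS_PATH.findall(" ".join(argv[1:]))
    return found


def judge_paths(paths):
    """Findings shared by both formats: where the program lives and what it is."""
    findings = []
    for p in paths:
        if p.startswith(UNUSUAL_EXEC_DIRS):
            findings.append(f"program under an unusual directory: {p}")
        if HIDDEN_SEGMENT.search(p):
            findings.append(f"program inside a hidden directory: {p}")
        if p.rsplit("/", 1)[-1] in INTERPRETERS:
            findings.append(f"interpreter used as the service program: {p}")
    return findings


def assess_launchd_plist(data, plist_path="/Library/LaunchDaemons/unknown.plist"):
    """Findings for one launchd plist; an empty list means nothing stood out."""
    d = plistlib.loads(data)
    argv = d.get("ProgramArguments") or ([d["Program"]] if "Program" in d else [])
    findings = judge_paths(paths_from_argv(list(argv)))
    if d.get("RunAtLoad") and d.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: starts at boot and is restarted if killed")
    label = d.get("Label", "")
    if label.startswith("com.apple.") and not plist_path.startswith("/System/Library/"):
        findings.append(f"Apple-style label {label!r} outside /System/Library")
    if findings and plist_path.startswith("/Library/LaunchDaemons/"):
        findings.append("context: LaunchDaemon, so the program runs as root")
    return findings


def parse_unit(text):
    """{section: [(key, value), ...]}, keeping repeated keys such as ExecStartPre."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def assess_systemd_unit(text, unit_path="/etc/systemd/system/unknown.service"):
    """Findings for one systemd unit; an empty list means nothing stood out."""
    unit = parse_unit(text)
    service = unit.get("Service", [])
    paths = []
    for key, value in service:
        if key.startswith("Exec"):
            # systemd allows prefixes such as '-' or '@' before the executable path.
            paths += paths_from_argv(shlex.split(value.lstrip("-@:+!")))
    findings = judge_paths(paths)
    wanted = any(k == "WantedBy" for k, _ in unit.get("Install", []))
    if wanted and dict(service).get("Restart") == "always":
        findings.append("enabled at boot with Restart=always: persistence shape")
    if findings and unit_path.startswith("/etc/systemd/system/"):
        findings.append("context: unit lives in /etc/systemd/system, not a package directory")
    return findings


if __name__ == "__main__":
    print("\n".join(assess_launchd_plist(SAMPLE_PLIST)))
    print("\n".join(assess_systemd_unit(SAMPLE_UNIT)))
```

Run it as-is to see both constructed definitions triaged; in practice the inputs would come from an inventory walk of /Library/LaunchDaemons, /Library/LaunchAgents and /etc/systemd/system, with the findings forwarded to the same pipeline that receives the auditd events mentioned in the detection table.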

How Service Execution Works

The PsExec Execution Chain

Understanding the PsExec execution chain is critical for detection because each step produces distinct artifacts.

  • Step 1: Authentication. PsExec authenticates to the target system over SMB (TCP 445) using the provided credentials, generating a Logon Type 3 (Network) event (Security EID 4624).
  • Step 2: Service binary copy. PsExec copies PSEXESVC.exe to the target's \\target\ADMIN$ share (the Windows directory). This creates a file creation event detectable by Sysmon EID 11 or EDR file monitoring.
  • Step 3: Service creation. PsExec uses the SCM to create a service named PSEXESVC, generating Security EID 7045 (new service installed) and System EID 7036 (service state change).
  • Step 4: Named pipe creation. PSEXESVC creates named pipes for stdin/stdout/stderr communication, detectable by Sysmon EIDs 17/18.
  • Step 5: Command execution. The specified command executes as a child process of PSEXESVC.exe under the SYSTEM account.
  • Step 6: Cleanup. After execution, PsExec stops and deletes the service and removes PSEXESVC.exe from ADMIN$.
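The value of the chain above lies in correlating its stages per host rather than alerting on each one in isolation. The Python below is an added example, not code from the briefing, Sysinternals or Microsoft: it walks a constructed set of already-normalized Windows events, maps each to a PsExec stage and reports how much of the chain a host showed within a time window. The event dictionary fields (host, eid, ts, target, pipe, parent_image, service_name) are this example's own convention, and a type-3 network logon is deliberately never reported on its own, since that is ordinary traffic.

```python
"""Correlate the PsExec artifact chain across constructed Windows events.

Added example; not code from the briefing, Sysinternals or Microsoft. It assumes
events were normalized into dicts with the fields used below (this example's own
naming), one host per record, timestamps in ISO 8601.
"""
from datetime import datetime, timedelta

STAGES = ("logon", "binary_copy", "service_install", "named_pipe", "child_process")

# Constructed sample events (not real telemetry), in chronological order.
SAMPLE_EVENTS = [
    # Step 1: network logon (Security 4624, logon type 3)
    {"host": "FS01", "eid": 4624, "ts": "2025-06-01T02:14:03", "logon_type": 3,
     "user": "CORP\\svc_backup", "src_ip": "10.0.5.23"},
    # Step 2: PSEXESVC.exe written into C:\Windows (Sysmon 11)
    {"host": "FS01", "eid": 11, "ts": "2025-06-01T02:14:04", "target": "C:\\Windows\\PSEXESVC.exe"},
    # Step 3: service installed (EID 7045)
    {"host": "FS01", "eid": 7045, "ts": "2025-06-01T02:14:04", "service_name": "PSEXESVC",
     "service_file": "%SystemRoot%\\PSEXESVC.exe"},
    # Step 4: named pipe (Sysmon 17)
    {"host": "FS01", "eid": 17, "ts": "2025-06-01T02:14:05", "image": "C:\\Windows\\PSEXESVC.exe",
     "pipe": "\\PSEXESVC-FS01-4120-stdin"},
    # Step 5: child process under PSEXESVC.exe (Sysmon 1)
    {"host": "FS01", "eid": 1, "ts": "2025-06-01T02:14:05", "parent_image": "C:\\Windows\\PSEXESVC.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "user": "NT AUTHORITY\\SYSTEM"},
    # Unrelated noise on another host
    {"host": "WS07", "eid": 1, "ts": "2025-06-01T02:20:00", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "user": "CORP\\alice"},
]


def stage_for(ev):
    """Map one event to a PsExec chain stage, or None if it is not part of the chain."""
    eid = ev["eid"]
    if eid == 4624 and ev.get("logon_type") == 3:
        return "logon"
    if eid == 11 and ev.get("target", "").lower().endswith("\\windows\\psexesvc.exe"):
        return "binary_copy"
    if eid == 7045 and ev.get("service_name", "").upper() == "PSEXESVC":
        return "service_install"
    if eid in (17, 18) and "psexesvc-" in ev.get("pipe", "").lower():
        return "named_pipe"
    if eid == 1 and ev.get("parent_image", "").lower().endswith("\\psexesvc.exe"):
        return "child_process"
    return None


def correlate_psexec(events, window=timedelta(minutes=5)):
    """Group chain stages per host inside a sliding window.

    Returns {host: {"stages": [...], "confidence": str, "first": ts, "last": ts}}.
    A network logon alone is never reported; it only adds context to other stages.
    """
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_for(ev)
        if stage is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        rec = by_host.setdefault(ev["host"], {"stages": [], "first": ts, "last": ts})
        if ts - rec["first"] > window:
            # Too old to belong to the same chain: start a fresh window.
            rec.update({"stages": [], "first": ts})
        if stage not in rec["stages"]:
            rec["stages"].append(stage)
        rec["last"] = ts
    results = {}
    for host, rec in by_host.items():
        real = [s for s in rec["stages"] if s != "logon"]
        if not real:
            continue
        n = len(real)
        confidence = "high" if n >= 3 else "medium" if n == 2 else "low"
        results[host] = {"stages": rec["stages"], "confidence": confidence,
                         "first": rec["first"].isoformat(), "last": rec["last"].isoformat()}
    return results


if __name__ == "__main__":
    for host, r in correlate_psexec(SAMPLE_EVENTS).items():
        print(f"{host}: {r['confidence']} confidence, stages {', '.join(r['stages'])}")
```

The confidence ladder mirrors the page's own point: any single artifact is signal, three or more of the non-logon stages on one host within a few minutes is the full PsExec shape. Replace SAMPLE_EVENTS with a stream from your SIEM and keep the window short, since the real chain completes in seconds.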

Remote Service Creation with sc.exe

The native sc.exe approach is simpler but generates similar artifacts: sc \\target create svcname binPath= "cmd /c malware.exe" start= auto creates a service on the remote system. sc \\target start svcname starts it. The advantage for adversaries is that sc.exe is a built-in utility — no additional tool needs to be deployed. The disadvantage is that the malicious binary must already be on the target system (it is not automatically copied like with PsExec). This is why sc.exe is typically combined with prior file copy operations (via SMB, WMI, or other means).

Impacket Remote Execution

Impacket's psexec.py follows a similar pattern to PsExec but with important differences for detection. The service name is typically randomized (not PSEXESVC). The service binary is a unique randomly named executable (not PSEXESVC.exe). Output is redirected through files on the ADMIN$ share with double-underscore timestamp naming (__[epoch_timestamp]). Impacket's smbexec.py creates a service that runs cmd.exe /Q /c [command] > \\127.0.0.1\ADMIN$\__[timestamp] 2>&1, making it detectable through the cmd.exe /Q /c pattern and the output redirect to localhost ADMIN$.
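The artifacts described in this section and the one before it (PSEXESVC, random eight-character service names and binaries, the smbexec.py redirect to localhost ADMIN$, and remote sc.exe create/start) are regular enough to score mechanically. The Python below is an added example, not code from the briefing, Impacket, Sysinternals or Microsoft. It scores a 7045-style service installation and tags a process command line; the random-name check is anchored so that eight letters inside a longer legitimate name do not match, and the sc.exe pattern carves out the target host the same way the rex in the Splunk section does. The allowlist of service-name prefixes and every sample value are assumptions.

```python
"""Score T1569.002 artifacts: service installations and process command lines.

Added example; not code from the briefing, Impacket, Sysinternals or Microsoft.
The allowlist of service-name prefixes and all sample values are assumptions.
"""
import re

# Names that legitimately look "random" or are expected; extend per environment (assumed list).
KNOWN_SERVICE_PREFIXES = ("windows", "microsoft", "defender", "update", "wuauserv")

# Anchored on purpose: exactly eight letters/digits and nothing else.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8}$")
# Binary paths a legitimate service almost never uses.
SUSPICIOUS_PATH = re.compile(
    r"(?i)(\\cmd\.exe|powershell|psexesvc|%temp%|\\temp\\|\\\\127\.0\.0\.1\\admin\$)")
# Random eight-character executable dropped straight into the Windows directory.
RANDOM_EXE_IN_WINDOWS = re.compile(r"(?i)^(%systemroot%|c:\\windows)\\[a-z0-9]{8}\.exe$")
# smbexec.py shape from the text: cmd.exe /Q /c <cmd> > \\127.0.0.1\ADMIN$\__<epoch> 2>&1
SMBEXEC_CMD = re.compile(
    r"(?i)cmd\.exe\s+/q\s+/c\s+.*>\s*\\\\127\.0\.0\.1\\admin\$\\__\d+\s+2>&1")
# sc.exe against a remote host: sc \\<host> create|start ...
SC_REMOTE = re.compile(
    r"(?i)\bsc(?:\.exe)?\s+\\\\(?P<host>[^\s\\]+)\s+(?P<verb>create|start)\b")


def score_service_install(service_name, service_file):
    """Return 'HIGH', 'MEDIUM' or 'LOW' for one new-service-installed (7045) event."""
    name = service_name.strip()
    if name.upper() == "PSEXESVC" or SUSPICIOUS_PATH.search(service_file):
        return "HIGH"
    if RANDOM_EXE_IN_WINDOWS.match(service_file.strip()):
        return "MEDIUM"
    if RANDOM_NAME.match(name) and not name.lower().startswith(KNOWN_SERVICE_PREFIXES):
        return "MEDIUM"
    return "LOW"


def classify_command_line(command_line):
    """Tag a process-creation command line with the artifact it matches, or None."""
    if SMBEXEC_CMD.search(command_line):
        return {"tag": "impacket_smbexec"}
    m = SC_REMOTE.search(command_line)
    if m:
        return {"tag": "sc_remote_" + m.group("verb").lower(), "target_host": m.group("host")}
    return None


# Constructed samples (not real telemetry).
SAMPLE_SERVICES = [
    ("PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    ("kQzTxWpL", r"%SystemRoot%\kQzTxWpL.exe"),
    ("wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs"),   # 8 chars, but allowlisted
    ("Vendor Backup Agent", r"C:\Program Files\Vendor\backup.exe"),
]
SAMPLE_COMMANDS = [
    r"cmd.exe /Q /c whoami > \\127.0.0.1\ADMIN$\__1717200000 2>&1",
    r'sc \\FS01 create svc1 binPath= "cmd /c malware.exe" start= auto',
    r"sc.exe \\10.0.5.23 start svc1",
    "sc query wuauserv",
]


def triage_samples():
    """Run both classifiers over the constructed samples; used by the demo below."""
    services = [(n, score_service_install(n, f)) for n, f in SAMPLE_SERVICES]
    commands = [(c, classify_command_line(c)) for c in SAMPLE_COMMANDS]
    return services, commands


if __name__ == "__main__":
    services, commands = triage_samples()
    for name, score in services:
        print(f"{score:6} {name}")
    for cmd, tag in commands:
        print(tag, "<-", cmd)
```

The wuauserv sample is the reason the allowlist exists: a built-in service name is exactly eight letters, so an unanchored or unfiltered "eight characters" rule would flag it on every host.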

Why System Services Execution Matters

SYSTEM-Level Execution

Services created through the SCM typically run as NT AUTHORITY\SYSTEM — the highest privilege level on Windows. This means any command executed through PsExec, Impacket, or sc.exe inherits SYSTEM privileges, enabling the adversary to access any file, terminate any process (including security tools), modify the registry, and interact with kernel-level components. This is why service execution is the preferred method for deploying ransomware: the encryption process needs SYSTEM access to encrypt files owned by all users and to disable recovery mechanisms like Volume Shadow Copies.

Remote Execution at Scale

PsExec accepts target lists and can execute commands on multiple remote systems from a single command line. Ransomware operators create scripts that iterate through lists of discovered hosts, running PsExec against each one to deploy the encryption payload. This enables a single operator on a compromised domain controller to encrypt hundreds or thousands of systems within minutes. The DFIR Report has documented multiple ransomware intrusions where the time from PsExec deployment to full encryption was under 30 minutes.

Living-off-the-Land Legitimacy

PsExec is a legitimate Sysinternals tool used by system administrators for remote management. sc.exe is a built-in Windows utility. Both generate activity that looks identical to legitimate administrative operations. An alert for "new service created on server" will fire constantly in environments where administrators use PsExec for patch deployment or software installation. This false-positive challenge means detection must focus on contextual indicators: which user created the service, from what source system, at what time, what was the service binary, and what did the child process do after execution.

Real-World Case Studies

Case 1: LockBit — PsExec and Impacket for Mass Ransomware Deployment (2023–2025)

The CISA/FBI/MS-ISAC advisory on LockBit (June 2023, "Understanding Ransomware Threat Actors: LockBit") documented LockBit affiliates using PsExec and Cobalt Strike for lateral movement and service-based execution for ransomware deployment. LockBit's affiliate model means that dozens of different operators use T1569.002 with varying tradecraft — from native PsExec to Impacket's psexec.py to custom deployment scripts. Despite the February 2024 Operation Cronos disruption, LockBit affiliates continued operations through alternative infrastructure, and the PsExec/service execution deployment model remained standard. Intel 471's August 2025 PsExec threat hunting guide specifically used LockBit as a case study for PsExec artifact detection.

Case 2: BlackCat/ALPHV — Embedded PsExec for Self-Propagation (2022–2024)

BlackCat ransomware took service execution one step further by embedding the PsExec binary directly within its ransomware payload. When executed, BlackCat dropped PsExec to the victim's %TEMP% directory and used it to propagate the ransomware to other systems on the network — creating services that executed the ransomware binary on each target. Atomic Red Team documented this behavior pattern, noting that PsExec being executed from suspicious locations (like %TEMP%) with pipe creation for command execution is a high-fidelity detection opportunity. BlackCat's Rust codebase also directly called Windows API functions for service creation as an alternative to PsExec when the binary was not available.

Case 3: HermeticWiper — sc.exe for Destructive Service Deployment (February 2022)

HermeticWiper and its companion worm HermeticWizard, deployed against Ukrainian organizations on the eve of the Russian invasion, used sc.exe for remote service creation to spread across victim networks. After HermeticWizard identified accessible systems through WMI and SMB scanning, it copied the wiper payload to remote systems and used sc.exe to create and start services that executed the destructive payload. WhisperGate, another destructive wiper targeting Ukraine in January 2022, used similar service execution techniques. These cases demonstrate T1569 being used for destructive operations rather than traditional ransomware monetization.

Case 4: Kasseika Ransomware — PsExec + BYOVD Service Chain (January 2024)

Kasseika ransomware, documented by Trend Micro in January 2024, demonstrated a sophisticated multi-stage service execution chain. After initial access through phishing and credential theft, operators used PsExec to remotely deploy a batch script that orchestrated the entire attack sequence. The batch script created a Windows service to load the Martini.sys driver (a vulnerable VirIT Agent System driver) for BYOVD-based EDR killing, then executed the ransomware payload — all through service creation and execution. The entire attack chain, from PsExec deployment of the batch file to driver loading to EDR termination to encryption, operated through the Windows service infrastructure.

Case 5: Medusa Ransomware — Impacket, PsExec, and PDQ Deploy (2025)

Symantec's March 2025 report on increasing Medusa activity documented affiliates combining Impacket, PsExec, and PDQ Deploy (a legitimate software deployment tool) for lateral movement and payload deployment. The multi-tool approach demonstrates operational flexibility: Impacket for initial remote execution from Linux-based attack infrastructure, PsExec for Windows-to-Windows service execution, and PDQ Deploy for mass software distribution that leverages legitimate deployment mechanisms. Microsoft's July 2025 analysis of RMM-based intrusions documented similar patterns where Medusa operators used Impacket to execute PowerShell from C:\Perflogs\ and PsExec to spread ransomware payloads across victim networks.

Detection Strategies

Data Source | Detection Focus | Key Indicators
Windows Security (EID 7045) | New service installation | Service name PSEXESVC or randomized names; service binary in ADMIN$, %TEMP%, or non-standard paths; services with cmd.exe /c in the binary path
Process Creation (Sysmon EID 1) | Service process child spawning | Processes spawned by PSEXESVC.exe; services.exe child processes that are cmd.exe/powershell.exe; sc.exe with remote target (\\hostname) and create/start arguments
Named Pipe (Sysmon EID 17/18) | PsExec communication pipes | Pipes named PSEXESVC-stdin/stdout/stderr; Impacket randomized pipe names; pipe creation by non-standard processes
File Creation (Sysmon EID 11) | Service binary deployment | PSEXESVC.exe or unknown executables created in C:\Windows\ (ADMIN$ share); executable files created followed by service creation events
Network Connection (Sysmon EID 3) | SMB lateral movement | Connections to TCP 445 from non-admin workstations; RPC connections to TCP 135 for remote service management; anomalous SMB connection patterns
Command Execution | Impacket artifacts | cmd.exe /Q /c commands with output redirect to \\127.0.0.1\ADMIN$\__[timestamp]; service binaries with random 8-character names in C:\Windows\
Linux Audit (auditd) | Systemd service manipulation | New unit files created in /etc/systemd/system/; systemctl enable/start for unknown services; service files with ExecStart pointing to unusual binaries

Splunk / SIEM Detection Queries

Detect new Windows service creation with suspicious binary paths:

index=wineventlog EventCode=7045
| eval suspicious=case(
    match(Service_File_Name, "(?i)(cmd\.exe|powershell|psexec|\\\\127\.0\.0\.1|%temp%|\\\\admin\$)"), "HIGH",
    match(Service_File_Name, "(?i)(C:\\\\Windows\\\\[a-z0-9]{8}\.exe)"), "MEDIUM",
    match(Service_Name, "(?i)(^PSEXESVC$|^[A-Za-z]{8}$)") AND NOT match(Service_Name, "(?i)(Windows|Microsoft|Defender|Update)"), "MEDIUM",
    true(), "LOW")
| where suspicious IN ("HIGH", "MEDIUM")
| stats count by Computer, Service_Name, Service_File_Name, Service_Type, suspicious
| sort -suspicious -count

Detect PsExec execution artifacts (PSEXESVC process tree):

index=sysmon EventCode=1
(ParentImage="*\\PSEXESVC.exe"
 OR (Image="*\\PSEXESVC.exe")
 OR (Image="*\\PsExec*" AND CommandLine IN ("*\\\\*-s*", "*\\\\*-d*", "*\\\\*cmd*")))
| stats count values(CommandLine) as commands values(Image) as child_processes
  by Computer, User, ParentImage
| sort -count

Detect Impacket smbexec/psexec artifacts:

index=sysmon EventCode=1
((Image="*\\cmd.exe" AND CommandLine="*/Q /c*"
  AND CommandLine="*\\\\127.0.0.1\\ADMIN$\\__*2>&1*")
 OR (ParentImage="*\\services.exe"
     AND Image="*\\cmd.exe"
     AND CommandLine="*/Q /c*echo*"))
| stats count by Computer, User, Image, CommandLine, ParentImage
| sort -count

Detect remote service creation via sc.exe:

index=sysmon EventCode=1
Image="*\\sc.exe"
CommandLine="*\\\\*" CommandLine="*create*"
| rex field=CommandLine "\\\\\\\\(?<target_host>[^\s\\\\]+)"
| stats count values(CommandLine) as commands by Computer, User, target_host
| sort -count

Threat Actors and Tools

Ransomware and Cybercrime

Group | Service Execution Methods | Notable Context
LockBit | PsExec, Impacket, Cobalt Strike | CISA advisory; top ransomware until Operation Cronos (Feb 2024)
BlackCat / ALPHV | Embedded PsExec in ransomware binary; direct SCM API | Self-propagating via PsExec from %TEMP%; Rust codebase
Medusa | PsExec, Impacket, PDQ Deploy | 300+ victims; multi-tool lateral movement (Symantec, March 2025)
Kasseika | PsExec for batch script deployment + BYOVD chain | PsExec to driver loading to EDR kill to encryption
BlackSuit | PsExec, PowerShell, Cobalt Strike, Mimikatz | Vishing + VPN credential theft for initial access
Fog | PsExec, PowerShell, WMI | Appeared early 2024; VPN vulnerability exploitation
Ryuk / Conti | PsExec for mass deployment from domain controllers | Pioneered PsExec-based ransomware distribution at scale
WastedLocker (Evil Corp) | PsExec, sc.exe for service creation | Service-based payload execution
INC Ransom | PsExec, service execution | Airline targeting; Huntress documentation (Aug 2023)
NetWalker | PsExec for lateral deployment | Healthcare and education targeting

State-Sponsored Groups

Actor | Service Execution Methods | Notable Context
Volt Typhoon (PRC) | PsExec, native service tools | LOTL approach in U.S. critical infrastructure
APT41 (PRC) | Service execution for malware deployment | U.S. state government targeting (Mandiant, 2022)
Sandworm (Russia/GRU) | sc.exe, service-based wiper deployment | HermeticWiper/HermeticWizard; NotPetya; Ukrainian targets
Emissary Panda / APT27 (PRC) | Service execution on SharePoint servers | Middle East government targeting
Turla (Russia/FSB) | PsExec, custom service execution | Long-running espionage campaigns
Velvet Ant (PRC) | systemctl on F5 BIG-IP (T1569.003) | Load balancer persistence (Sygnia, June 2024)
Ke3chang / APT15 (PRC) | Service-based execution via RoyalCli | Government and diplomatic targeting

Execution Tools

Tool | Mechanism | Key Artifacts
PsExec (Sysinternals) | PSEXESVC.exe service via ADMIN$ + SCM | PSEXESVC service name; PSEXESVC.exe in C:\Windows\; named pipes
Impacket psexec.py | Randomized service + binary via SCM | Random service name; random .exe in C:\Windows\; \\127.0.0.1\ADMIN$\__[ts] output
Impacket smbexec.py | cmd.exe /Q /c via service creation | cmd.exe /Q /c pattern; output redirect to ADMIN$
sc.exe (native) | Direct SCM service creation | sc.exe with \\target and create/start args; no binary deployment
Cobalt Strike | PsExec module, service execution | Beacon service creation with random names; SMB beacon pipes
Metasploit PsExec | Service creation with Meterpreter payload | Random service name; staged/stageless payload execution
Winexe | Linux PsExec equivalent via SMB | Similar to PsExec artifacts; winexesvc.exe service binary

Defensive Recommendations

  • Monitor Event ID 7045 for new service installations. EID 7045 logs every new service installed on a Windows system. Create detection rules that alert on services with suspicious binary paths (cmd.exe, powershell.exe, executables in %TEMP% or C:\Windows\ with random names), services with the name PSEXESVC or random 8-character names, and any service creation that occurs outside of change management windows. Correlate EID 7045 with the source of the SCM connection (network logon) to identify remote service creation.
  • Detect PsExec artifacts across the kill chain. Monitor for the complete PsExec execution chain: PSEXESVC.exe file creation in C:\Windows\ (Sysmon EID 11), service creation event (EID 7045), named pipe creation matching PSEXESVC patterns (Sysmon EID 17/18), and child process spawning from PSEXESVC.exe (Sysmon EID 1). Detecting any single artifact provides valuable signal; detecting the full chain provides high-confidence attribution.
  • Detect Impacket execution patterns. Impacket's smbexec.py generates a distinctive pattern: cmd.exe /Q /c with output redirected to \\127.0.0.1\ADMIN$\__[timestamp]. Impacket's psexec.py creates services with randomly named executables in C:\Windows\. Monitor for these specific patterns in process creation and service installation logs.
  • Restrict administrative share access. PsExec and Impacket require access to the ADMIN$ share (C:\Windows) to deploy service binaries. Restrict ADMIN$ and C$ share access to only authorized administrative accounts and systems. Consider disabling default administrative shares on workstations where they are not needed for legitimate management. Monitor SMB connections to ADMIN$ shares from non-administrative systems.
  • Implement Attack Surface Reduction (ASR) rules. Microsoft's ASR rules include protections specifically relevant to T1569: "Block process creations originating from PSExec and WMI commands" directly addresses PsExec-based service execution. Enable this ASR rule in audit mode first to identify legitimate PsExec usage, then move to block mode where operationally feasible.
  • Audit and restrict service creation privileges. By default, administrators can create services both locally and remotely. Restrict which accounts can create services using Group Policy ("Create a service" privilege) and monitor for service creation by non-standard accounts. Consider using Privileged Access Workstations (PAWs) for administrative operations, limiting the systems from which remote service creation is permitted.
  • Deploy network segmentation to limit SMB lateral movement. PsExec and Impacket rely on SMB (TCP 445) and RPC (TCP 135) for remote service execution. Implement network segmentation that restricts workstation-to-workstation SMB traffic and limits server-to-server SMB to authorized management paths. This single control dramatically reduces the attack surface for service-based lateral movement.
  • Monitor for anomalous SMB connection patterns. Establish baselines for normal SMB connection patterns in your environment. Alert on workstations initiating SMB connections to many servers in rapid succession (indicating PsExec-based mass deployment), SMB connections from unexpected source systems to server segments, and SMB connections occurring during off-hours from systems not associated with scheduled administrative tasks.
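The last recommendation, a baseline for SMB fan-out, is the one that catches mass deployment regardless of which tool performs it, because PsExec, Impacket, sc.exe and Cobalt Strike all have to open a connection to every target. The Python below is an added example, not code from the briefing or any vendor: it models Sysmon EID 3 records as dictionaries and reports any source host that reaches a threshold of distinct destinations on TCP 445 or 135 inside a sliding window, downgrading rather than suppressing sources on an admin jump-host allowlist so the baseline stays visible. The threshold, the window, the allowlist and the sample records are this example's assumptions.

```python
"""Flag SMB fan-out from one source host, the shape of PsExec/Impacket mass deployment.

Added example; not code from the briefing or any vendor. Records imitate Sysmon
EID 3 (network connection) fields; the threshold, window, jump-host allowlist and
sample records are this example's assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ADMIN_JUMP_HOSTS = {"JUMP01"}  # sources expected to manage many hosts over SMB (assumed)


def _conn(src, dst, ts, port=445):
    return {"src_host": src, "dst_ip": dst, "dst_port": port, "ts": ts}


# Constructed: WS14 touches 12 servers in 12 s (deployment shape); JUMP01 does the same but is
# an allowlisted admin host; WS02 shows ordinary, repeated access to a single file server.
SAMPLE_CONNECTIONS = (
    [_conn("WS14", f"10.0.10.{i}", f"2025-06-01T02:30:{i:02d}") for i in range(1, 13)]
    + [_conn("JUMP01", f"10.0.10.{i}", f"2025-06-01T09:00:{i:02d}") for i in range(1, 13)]
    + [_conn("WS02", "10.0.10.5", "2025-06-01T10:00:00"),
       _conn("WS02", "10.0.10.5", "2025-06-01T10:05:00"),
       _conn("WS02", "10.0.10.7", "2025-06-01T10:10:00", port=443)]
)


def detect_smb_fanout(conns, threshold=10, window=timedelta(minutes=2), ports=(445, 135)):
    """Alert per source that reaches >= threshold distinct hosts on SMB/RPC ports within window.

    Returns {src_host: {...}}; the first crossing of the threshold is reported once per source.
    """
    recent = defaultdict(deque)   # src_host -> deque of (ts, dst_ip) inside the window
    alerts = {}
    for c in sorted(conns, key=lambda c: c["ts"]):
        if c["dst_port"] not in ports:
            continue
        ts = datetime.fromisoformat(c["ts"])
        q = recent[c["src_host"]]
        q.append((ts, c["dst_ip"]))
        while ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = {dst for _, dst in q}
        if len(distinct) >= threshold and c["src_host"] not in alerts:
            allowlisted = c["src_host"] in ADMIN_JUMP_HOSTS
            alerts[c["src_host"]] = {
                "distinct_targets": len(distinct),
                "window_start": q[0][0].isoformat(),
                "window_end": ts.isoformat(),
                "severity": "info" if allowlisted else "high",
            }
    return alerts


if __name__ == "__main__":
    for src, a in detect_smb_fanout(SAMPLE_CONNECTIONS).items():
        print(f"{a['severity']:5} {src}: {a['distinct_targets']} hosts "
              f"between {a['window_start']} and {a['window_end']}")
```

Ten distinct hosts in two minutes is a starting point, not a constant: run the detector over a week of real EID 3 data first, note which sources cross it legitimately (patch servers, vulnerability scanners, backup infrastructure), and move those into the allowlist rather than raising the threshold for everyone.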

MITRE ATT&CK Mapping

Field | Value
Technique ID | T1569
Technique Name | System Services
Tactic | Execution (TA0002)
Sub-techniques | T1569.001 (Launchctl), T1569.002 (Service Execution), T1569.003 (Systemctl)
Platforms | Windows, Linux, macOS
Data Sources | Process: Process Creation; Service: Service Creation; Command: Command Execution; File: File Modification; Windows Registry: Windows Registry Key Modification; Network Traffic: Network Connection Creation
Mitigations | M1040 (Behavior Prevention on Endpoint / ASR rules), M1026 (Privileged Account Management), M1022 (Restrict File and Directory Permissions)
Related Techniques | T1543 (Create or Modify System Process), T1021 (Remote Services), T1047 (Windows Management Instrumentation), T1059 (Command and Scripting Interpreter)
MITRE ATT&CK Reference | attack.mitre.org/techniques/T1569

Sources and References

The following references were used in compiling this technique briefing. Where possible, primary sources (vendor advisories, government alerts, original research) were prioritized over secondary reporting.

  • MITRE ATT&CK — T1569 System Services (updated October 2025): attack.mitre.org
  • CISA — Understanding Ransomware Threat Actors: LockBit (June 2023): cisa.gov
  • Intel 471 — Threat Hunting Case Study: PsExec (August 2025): intel471.com
  • Microsoft Security Blog — Defenders Beware: A Case for Post-Ransomware Investigations (October 2022): microsoft.com
  • Trend Micro — Kasseika Ransomware Deploys BYOVD Attacks, Abuses PsExec (January 2024): trendmicro.com
  • Symantec / Carbon Black — Medusa Ransomware Activity Continues to Increase (March 2025): symantec-enterprise-blogs.security.com
  • Cyber Security News — How PsExec.exe Can Be Abused to Execute Malicious Code (October 2025): cybersecuritynews.com
  • Logpoint — Hunting for PsExec Artifacts in Your Enterprise (September 2025): logpoint.com
  • Atomic Red Team — T1569.002 Service Execution Tests: github.com/redcanaryco
  • Sygnia — China-Nexus Threat Group Velvet Ant Abuses F5 Load Balancers for Persistence (June 2024): sygnia.co