title: Service Execution
status: experimental
description: Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation.
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        Image: '*\sc.exe'
    selection_2:
        Image:
            - '*\net.exe'
            - '*\net1.exe'
    selection_3:
        CommandLine|contains|all:
            - 'create'
            - 'binpath'
    selection_4:
        CommandLine|contains: 'start'
    condition: selection_1 and ( selection_3 or selection_4 ) or ( selection_2 and selection_4 )
fields:
    - Image
    - CommandLine
    - User
    - LogonGuid
    - Hashes
    - ParentProcessGuid
    - ParentImage
    - ParentCommandLine
falsepositives:
    - Legitimate administrator or user creates and/or (only) executes a service for a legitimate reason
level: low
tags:
    - attack.execution
    - attack.t1035
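Added illustration (not part of the Sigma rule or its project): the Python below evaluates the rule's four selections and its condition against constructed process_creation events, assuming Sigma's default case-insensitive matching for both the `Image` wildcards and the `CommandLine|contains` modifiers.

```python
import fnmatch

# Constructed sample process_creation events (Image + CommandLine only),
# not real telemetry. Each tuple is (event, note for the reader).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc create TestSvc binPath= C:\Temp\svc.exe"},   # sel1 & sel3
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net start Spooler"},                            # sel2 & sel4
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc query Spooler"},                             # no match
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c sc start Spooler"},                  # Image not sc.exe
    {"Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": "net1 user"},                                    # no match
]


def _image_matches(image: str, pattern: str) -> bool:
    """Sigma plain-string wildcard match (case-insensitive)."""
    return fnmatch.fnmatchcase(image.lower(), pattern.lower())


def _contains_all(cmdline: str, needles) -> bool:
    """CommandLine|contains|all: every needle must appear (case-insensitive)."""
    lowered = cmdline.lower()
    return all(n.lower() in lowered for n in needles)


def match_service_execution(event: dict) -> bool:
    """Evaluate the rule's condition for one event."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    sel1 = _image_matches(image, r"*\sc.exe")
    sel2 = any(_image_matches(image, p) for p in (r"*\net.exe", r"*\net1.exe"))
    sel3 = _contains_all(cmdline, ("create", "binpath"))
    # 'contains' is a plain substring test, so 'start' also hits e.g. 'start= auto';
    # that is why the rule is rated low and lists admin activity as a false positive.
    sel4 = _contains_all(cmdline, ("start",))
    return (sel1 and (sel3 or sel4)) or (sel2 and sel4)


def scan(events) -> list:
    """Return the indices of events that the rule would alert on."""
    return [i for i, ev in enumerate(events) if match_service_execution(ev)]


if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```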