There are several ways to cause code to execute on a remote host. One of the most common methods is via the Windows Service Control Manager (SCM), which allows authorized users to remotely create and modify services. Several tools, such as PsExec, use this functionality.

When a client remotely communicates with the Service Control Manager, there are two observable behaviors. First, the client connects to the RPC Endpoint Mapper over 135/tcp. This handles authentication, and tells the client what port the endpoint—in this case the SCM—is listening on. Then, the client connects directly to the listening port on services.exe. If the request is to start an existing service with a known command line, the the SCM process will run the corresponding command.

This compound behavior can be detected by looking for services.exe receiving a network connection and immediately spawning a child process.

ATT&CK Detection

Technique Tactic Level of Coverage
New Service Execution Moderate
Modify Existing Service Execution Moderate
Service Execution Execution Moderate

Pseudocode

Look for processes launched from services.exe within 1 second of services.exe receiving a network connection.

process = search Process:Create
flow = search Flow:Start
service = filter process where (parent_exe == "services.exe")
remote_start = join (flow, service ) where (
 flow.hostname == service.hostname and
 flow.pid == service.pid and
 (flow.time < service.time < flow.time + 1 second)
)
output remote_start

Data Model References

Object Action Field
flow start pid
process create parent_exe
process create pid