There are several ways to cause code to execute on a remote host. One of the most common methods is via the Windows Service Control Manager (SCM), which allows authorized users to remotely create and modify services. Several tools, such as PsExec, use this functionality.

When a client remotely communicates with the Service Control Manager, there are two observable behaviors. First, the client connects to the RPC Endpoint Mapper over 135/tcp. This handles authentication, and tells the client what port the endpoint—in this case the SCM—is listening on. Then, the client connects directly to the listening port on services.exe. If the request is to start an existing service with a known command line, the the SCM process will run the corresponding command.

This compound behavior can be detected by looking for services.exe receiving a network connection and immediately spawning a child process.

ATT&CK Detections

Technique Subtechnique(s) Tactic(s) Level of Coverage
Create or Modify System Process Windows Service Persistence Moderate
System Services Service Execution Execution Moderate

D3FEND Techniques

ID Name
D3-RTA RPC Traffic Analysis

Data Model References

Object Action Field
flow start pid
process create parent_exe
process create pid



Look for processes launched from services.exe within 1 second of services.exe receiving a network connection.

process = search Process:Create
flow = search Flow:Start
service = filter process where (parent_exe == "services.exe")
remote_start = join (flow, service ) where (
 flow.hostname == service.hostname and == and
 (flow.time < service.time < flow.time + 1 second)
output remote_start