Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0279: Detection Strategy for System Services across OS platforms.

DET0279 is a MITRE detection strategy mapped to ATT&CK technique T1569, System Services. Its business significance is that service or daemon abuse can turn...

EnterpriseDET0279Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0279 is a MITRE detection strategy mapped to ATT&CK technique T1569, System Services. Its business significance is that service or daemon abuse can turn normal operating system administration paths into command execution, including local or remote execution, and may overlap with persistence when services run at boot. For leaders, the key issue is not the ATT&CK object itself, but whether the organization can prove it sees unusual service creation, modification, or execution activity across Windows, macOS, and Linux environments where T1569 applies.

Executive priority

Prioritize this as an operational resilience and incident-readiness question: can security teams distinguish legitimate service administration from adversary-driven service execution quickly enough to support containment decisions? This matters for SOC coverage, IR scoping, privileged access governance, and audit evidence around endpoint monitoring. Because the supplied detection strategy has no official detection text, leaders should ask for evidence of telemetry collection, alert logic, triage procedures, and known blind spots rather than assuming coverage exists.

Technical view

The supplied object is a detection strategy for System Services and has a detects relationship to T1569, which is an execution technique across Windows, macOS, and Linux. SOC and detection teams should validate visibility into service or daemon creation, modification, start/stop activity, related process execution, remote administrative interaction with services, and boot-linked service behavior where relevant. Detection should focus on unusual service execution context, abnormal parent-child process relationships, unexpected binaries or command lines launched through service mechanisms, and activity inconsistent with authorized administration.

Likely telemetry

  • Endpoint process creation and command-line telemetry
  • Service or daemon creation, modification, start, stop, and deletion events
  • Operating system service manager or init/system daemon logs
  • Remote administration and authentication/session logs tied to service control activity
  • File path, binary metadata, and configuration changes associated with services or daemons

Detection direction

  • Confirm that telemetry exists across the platforms covered by the related T1569 technique: Windows, macOS, and Linux.
  • Baseline legitimate service administration activity to reduce false positives from IT operations, software deployment, patching, and system management tools.
  • Correlate service changes with process execution, user or service account context, remote logon/session evidence, and file changes rather than alerting on isolated service events only.
  • Tune for unusual service names, paths, command lines, execution users, remote sources, or timing relative to normal administration windows.
  • Document blind spots where endpoint logging, service configuration auditing, remote administration logs, or command-line capture are missing.

Mitigation priorities

  • Establish least-privilege controls around accounts permitted to create, modify, or control services and daemons.
  • Maintain approved baselines for expected services, daemon configurations, startup behavior, and administrative tooling.
  • Harden endpoint monitoring so service activity can be reconstructed during incident response.
  • Use change control and administrative logging to separate authorized service management from suspicious execution.
  • Review overlaps with persistence controls because the related T1569 description notes that services running at boot can aid persistence via Create or Modify System Process.
Analyst notes and limits

This take is based on the supplied ATT&CK detection strategy metadata and its relationship to T1569 System Services. The object itself does not include an official description, official detection text, platforms, or tactics, so practical guidance is derived from the related technique context: execution through system services or daemons, locally or remotely, across Windows, macOS, and Linux.

Coverage cannot be inferred from this ATT&CK object alone. Local validation is required to determine whether the organization collects the necessary endpoint, service, process, authentication, and configuration telemetry and whether detections are tuned for its administrative patterns.

Official MITRE ATT&CK definition

Detection Strategy for System Services across OS platforms.

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1569 System Services This object detects System Services.
Relationship explorer

All related ATT&CK context

detects · Technique T1569: System Services Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
7bce4dbcfd74a438...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 7bce4dbcfd74…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0279
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use