services.exe
- File Path:
C:\Windows\system32\services.exe - Description: Services and Controller app
Hashes
| Type | Hash |
|---|---|
| MD5 | 1B8FD5BCAF4B90950D50AAC16B0DF9A3 |
| SHA1 | FFB38669750CEC946E81F0114AABD1A2555A51E9 |
| SHA256 | F14CBE42E4C29C57ACDF781388D387A01963075F255ABF57D8486D7842257500 |
| SHA384 | 41B464052D287E33A8A994C339B60061C7DA591AACDB61AC0A60E7B300BCCA14DB743E90DF1049F5BC4038706E06C4A0 |
| SHA512 | AEDC98B67C590D05C0F103865741B2F502D70B73EB7F6CA519C227B5FCFF28AF702831AC5CE02D78725E483A063CBEC71C4FF869EA18DDF07ABB1F56E9C30AD2 |
| SSDEEP | 12288:n8mrmpMj8jAkkteIKuk91HcFsJOkK1tvX0o50RKEQA:n8m6ej3kweBuwiu4fNX0o50/ |
| IMP | CDE9FC783A23D72BBCF6C4DDCC10ED87 |
| PESHA1 | CC44E3501489CD9BA145E09D7E2662D06E5513B3 |
| PE256 | 488F11922738FA01284294BDFCC784A50B435AB702F7F96D2D813BA96B1F01A0 |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: services.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/76
- VirusTotal Link: https://www.virustotal.com/gui/file/f14cbe42e4c29c57acdf781388d387a01963075f255abf57d8486d7842257500/detection
Possible Misuse
The following table contains possible examples of services.exe being misused. While services.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | file_event_win_creation_system_file.yml | - '\services.exe' |
DRL 1.0 |
| sigma | image_load_wsman_provider_image_load.yml | - 'C:\Windows\System32\services.exe' |
DRL 1.0 |
| sigma | proc_access_win_svchost_cred_dump.yml | - '*\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_abusing_debug_privilege.yml | - '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_always_install_elevated_windows_installer.yml | ParentImage: 'C:\Windows\System32\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_apt_hafnium.yml | - '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_hack_wce.yml | ParentImage\|endswith: '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_impacket_lateralization.yml | # parent is services.exe |
DRL 1.0 |
| sigma | proc_creation_win_impacket_lateralization.yml | - '\services.exe' # smbexec |
DRL 1.0 |
| sigma | proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml | ParentImage\|endswith: '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_proc_wrong_parent.yml | - '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_execution_path_webserver.yml | - '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_powershell_parent_process.yml | - '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_service_dir.yml | - '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_svchost.yml | - '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_system_exe_anomaly.yml | - '\services.exe' |
DRL 1.0 |
| malware-ioc | misp-badiis.json | "description": "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and [Net](https://attack.mitre.org/software/S0039).\n\n[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals)\n\nAdversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.", |
© ESET 2014-2018 |
| atomic-red-team | T1569.002.md | <blockquote>Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net. |
MIT License. © 2018 Red Canary |
| signature-base | apt_bronze_butler.yar | $s1 = “Services.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_win_plugx.yar | $x1 = “%WINDIR%\SYSTEM32\SERVICES.EXE” fullword wide | CC BY-NC 4.0 |
| signature-base | spy_equation_fiveeyes.yar | $s0 = “SERVICES.EXE” fullword wide | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.