services.exe
- File Path:
C:\Windows\system32\services.exe - Description: Services and Controller app
Hashes
| Type | Hash |
|---|---|
| MD5 | D02627D25AC3351BB87760B9D1C7F1F4 |
| SHA1 | 495FC614E9F29AA70C4E1FEAA72FB8861209C851 |
| SHA256 | ED68F485137406C9D41D34FA2CD8B1B45516EA8CDCD4EECA5FD6BC2C6EDD22D6 |
| SHA384 | D915C4032B003248E2B35FB088F2ACF86894D5396BF2909B4796D1E3E29B3BB4324CAC34B8B2A1CCAC4734AE1AAD0F8A |
| SHA512 | B7BDF2E5273A58D45D705F24D32FE8FA67A96E5EBD98F3694EF575AC1D3EC30F793CA602A771C9FD4539F6BF7949110E38660010DB4B07EC84286150BE4C0618 |
| SSDEEP | 12288:YMXbUrud82LFb9s8BDZbkWT/dphgzMoq/X/o01b+:YZhcFbq8Nj7rh7j/X/o016 |
| IMP | F319DDCC47480BF17CC1360764B490E2 |
| PESHA1 | 61679ED862E8C737AFDF35D825B305865DCB5A67 |
| PE256 | 6780E7B4AC15201657C6D588623F87691207920A6FA3210B071030445D147200 |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: services.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/66
- VirusTotal Link: https://www.virustotal.com/gui/file/ed68f485137406c9d41d34fa2cd8b1b45516ea8cdcd4eeca5fd6bc2c6edd22d6/detection/
Possible Misuse
The following table contains possible examples of services.exe being misused. While services.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | file_event_win_creation_system_file.yml | - '\services.exe' |
DRL 1.0 |
| sigma | image_load_wsman_provider_image_load.yml | - 'C:\Windows\System32\services.exe' |
DRL 1.0 |
| sigma | proc_access_win_svchost_cred_dump.yml | - '*\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_abusing_debug_privilege.yml | - '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_always_install_elevated_windows_installer.yml | ParentImage: 'C:\Windows\System32\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_apt_hafnium.yml | - '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_hack_wce.yml | ParentImage\|endswith: '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_impacket_lateralization.yml | # parent is services.exe |
DRL 1.0 |
| sigma | proc_creation_win_impacket_lateralization.yml | - '\services.exe' # smbexec |
DRL 1.0 |
| sigma | proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml | ParentImage\|endswith: '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_proc_wrong_parent.yml | - '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_execution_path_webserver.yml | - '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_powershell_parent_process.yml | - '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_service_dir.yml | - '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_svchost.yml | - '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_system_exe_anomaly.yml | - '\services.exe' |
DRL 1.0 |
| malware-ioc | misp-badiis.json | "description": "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and [Net](https://attack.mitre.org/software/S0039).\n\n[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals)\n\nAdversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.", |
© ESET 2014-2018 |
| atomic-red-team | T1569.002.md | <blockquote>Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net. |
MIT License. © 2018 Red Canary |
| signature-base | apt_bronze_butler.yar | $s1 = “Services.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_win_plugx.yar | $x1 = “%WINDIR%\SYSTEM32\SERVICES.EXE” fullword wide | CC BY-NC 4.0 |
| signature-base | spy_equation_fiveeyes.yar | $s0 = “SERVICES.EXE” fullword wide | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.