services.exe
- File Path: C:\Windows\system32\services.exe
- Description: Services and Controller app
Hashes
Type | Hash |
---|---|
MD5 | D8E577BF078C45954F4531885478D5A9 |
SHA1 | D7A213F3CFEE2A8A191769EB33847953BE51DE54 |
SHA256 | DFBEA9E8C316D9BC118B454B0C722CD674C30D0A256340200E2C3A7480CBA674 |
SHA384 | 99886EE32605E792D3E438A0FF2B8264D1AA8A1CFE5F25F78A9EC773C2BB6B3B55467E3B0C81479E45512A1AF73CB3BF |
SHA512 | D7EF417FE68D44ED5A10EECA6075010C3940D5D6568086762D7C3F7EC55793D1CCAEA7E6AC2675A3330A26B39C53C4BE04241FFD23BA80B88112DE10A01925E9 |
SSDEEP | 12288:GhFzTossHm4AiBOBMtKTgnMC/DYOpBdMlrSZKeX0o57JdR1:GhFH723A4OiQTgMeXGr89X0o57Tb |
IMP | D1098E3A37F227B6FF6BD36C1801EDFA |
PESHA1 | 81FC4700EF8675304FAEBDB203560D5549C72480 |
PE256 | 1B276A2E31E2146E9C504DF3A794F138B7C1D0017B6E08999798FE792310806A |
Signature
- Status: Signature verified.
- Serial: 33000002EC6579AD1E670890130000000002EC
- Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: services.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/72
- VirusTotal Link: https://www.virustotal.com/gui/file/dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674/detection
Possible Misuse
The following table contains possible examples of services.exe being misused. While services.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | file_event_win_creation_system_file.yml | - '\services.exe' | DRL 1.0 |
sigma | image_load_wsman_provider_image_load.yml | - 'C:\Windows\System32\services.exe' | DRL 1.0 |
sigma | proc_access_win_svchost_cred_dump.yml | - '*\services.exe' | DRL 1.0 |
sigma | proc_creation_win_abusing_debug_privilege.yml | - '\services.exe' | DRL 1.0 |
sigma | proc_creation_win_always_install_elevated_windows_installer.yml | ParentImage: 'C:\Windows\System32\services.exe' | DRL 1.0 |
sigma | proc_creation_win_apt_hafnium.yml | - '\services.exe' | DRL 1.0 |
sigma | proc_creation_win_hack_wce.yml | ParentImage\|endswith: '\services.exe' | DRL 1.0 |
sigma | proc_creation_win_impacket_lateralization.yml | # parent is services.exe | DRL 1.0 |
sigma | proc_creation_win_impacket_lateralization.yml | - '\services.exe' # smbexec | DRL 1.0 |
sigma | proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml | ParentImage\|endswith: '\services.exe' | DRL 1.0 |
sigma | proc_creation_win_proc_wrong_parent.yml | - '\services.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_execution_path_webserver.yml | - '\services.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_powershell_parent_process.yml | - '\services.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_service_dir.yml | - '\services.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_svchost.yml | - '\services.exe' | DRL 1.0 |
sigma | proc_creation_win_system_exe_anomaly.yml | - '\services.exe' | DRL 1.0 |
malware-ioc | misp-badiis.json | "description": "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and [Net](https://attack.mitre.org/software/S0039).\n\n[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals)\n\nAdversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.", | © ESET 2014-2018 |
atomic-red-team | T1569.002.md | <blockquote>Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe ) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net. | MIT License. © 2018 Red Canary |
signature-base | apt_bronze_butler.yar | $s1 = "Services.exe" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_win_plugx.yar | $x1 = "%WINDIR%\SYSTEM32\SERVICES.EXE" fullword wide | CC BY-NC 4.0 |
signature-base | spy_equation_fiveeyes.yar | $s0 = "SERVICES.EXE" fullword wide | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.