services.exe
- File Path:
C:\Windows\system32\services.exe - Description: Services and Controller app
Hashes
| Type | Hash |
|---|---|
| MD5 | DB896369FB58241ADF28515E3765C514 |
| SHA1 | 617A0A0BAAB180541DB739C4A6851D784943C317 |
| SHA256 | A2E369DF26C88015FE1F97C7542D6023B5B1E4830C25F94819507EE5BCB1DFCC |
| SHA384 | E725F9E26419C4708AFEA2350A3D3EDF0B968DAF1FDAE6F12822BD08F6305E74779A3B06688392BF31CB6A1182A69D7D |
| SHA512 | C47F469E3ED2D358C51E8B804A6E1DB37C6B33543919BEE938279902D01D44F171E132C29D2A36EC3B4369E1441F597993E727CE2F2D087A4AB384ACE345C959 |
| SSDEEP | 12288:EBcEZkiKFRQVcO09OEIXXfHx0q6BgQP/pA9cY2l1JlmruvjXT2C57p3XewSH9uLi:OcAkiKFscODvnfH+OQXyaY2lPT6gFXen |
| IMP | 7D2820FC8CAF521DC2058168B480D204 |
| PESHA1 | 65C5931468115B27320CE4297D64CAA8AC8F706B |
| PE256 | A03CD7126C83845A879E153B45DE6553E2160BE1E57D4BF32B416608FC99104F |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: services.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/70
- VirusTotal Link: https://www.virustotal.com/gui/file/a2e369df26c88015fe1f97c7542d6023b5b1e4830c25f94819507ee5bcb1dfcc/detection/
Possible Misuse
The following table contains possible examples of services.exe being misused. While services.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | file_event_win_creation_system_file.yml | - '\services.exe' |
DRL 1.0 |
| sigma | image_load_wsman_provider_image_load.yml | - 'C:\Windows\System32\services.exe' |
DRL 1.0 |
| sigma | proc_access_win_svchost_cred_dump.yml | - '*\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_abusing_debug_privilege.yml | - '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_always_install_elevated_windows_installer.yml | ParentImage: 'C:\Windows\System32\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_apt_hafnium.yml | - '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_hack_wce.yml | ParentImage\|endswith: '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_impacket_lateralization.yml | # parent is services.exe |
DRL 1.0 |
| sigma | proc_creation_win_impacket_lateralization.yml | - '\services.exe' # smbexec |
DRL 1.0 |
| sigma | proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml | ParentImage\|endswith: '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_proc_wrong_parent.yml | - '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_execution_path_webserver.yml | - '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_powershell_parent_process.yml | - '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_service_dir.yml | - '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_svchost.yml | - '\services.exe' |
DRL 1.0 |
| sigma | proc_creation_win_system_exe_anomaly.yml | - '\services.exe' |
DRL 1.0 |
| malware-ioc | misp-badiis.json | "description": "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and [Net](https://attack.mitre.org/software/S0039).\n\n[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals)\n\nAdversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.", |
© ESET 2014-2018 |
| atomic-red-team | T1569.002.md | <blockquote>Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net. |
MIT License. © 2018 Red Canary |
| signature-base | apt_bronze_butler.yar | $s1 = “Services.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_win_plugx.yar | $x1 = “%WINDIR%\SYSTEM32\SERVICES.EXE” fullword wide | CC BY-NC 4.0 |
| signature-base | spy_equation_fiveeyes.yar | $s0 = “SERVICES.EXE” fullword wide | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.