Windows runs the Service Control Manager (SCM) within the process services.exe. Windows launches services as independent processes or DLL loads within a svchost.exe group. To be a legitimate service, a process (or DLL) must have the appropriate service entry point SvcMain. If an application does not have the entry point, then it will timeout (default is 30 seconds) and the process will be killed.

To survive the timeout, adversaries and red teams can create services that direct to cmd.exe with the flag /c, followed by the desired command. The /c flag causes the command shell to run a command and immediately exit. As a result, the desired program will remain running and it will report an error starting the service. This analytic will catch that command prompt instance that is used to launch the actual malicious executable. Additionally, the children and descendants of services.exe will run as a SYSTEM user by default. Thus, services are a convenient way for an adversary to gain Persistence and Privilege Escalation.

ATT&CK Detections

Technique Subtechnique(s) Tactic(s) Level of Coverage
Create or Modify System Process Windows Service Persistence, Privilege Escalation Moderate

D3FEND Techniques

ID Name
D3-PLA Process Lineage Analysis

Data Model References

Object Action Field
process create exe
process create parent_exe



Returns all processes named cmd.exe that have services.exe as a parent process. Because this should never happen, the /c flag is redundant in the search.

process = search Process:Create
cmd = filter process where (exe == "cmd.exe" and parent_exe == "services.exe")
output cmd

Splunk, Sysmon native

The Splunk version of the above pseudocode.

index=__your_sysmon_index__ EventCode=1 Image="C:\\Windows\\*\\cmd.exe" ParentImage="C:\\Windows\\*\\services.exe"

Eql, EQL native

EQL version of the above pseudocode.

process where subtype.create and
  (process_name == "cmd.exe" and parent_process_name == "services.exe")

Dnif, Sysmon native

DNIF version of the above pseudocode.

_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=cmd.exe AND $ParentProcess=regex(.*services.exe.*)i limit 30

Logpoint, LogPoint native

LogPoint version of the above pseudocode.

norm_id=WindowsSysmon event_id=1 image="C:\Windows\System32\cmd.exe" parent_image="C:\Windows\System32\services.exe"