Services
Windows Services are a common form of persistence and privilege escalation on Windows systems. Service data is stored in the SYSTEM Registry file. Services typically run with SYSTEM-level privileges.
Other Parsers:
- Any tool that can read the Registry
- Velociraptor
References:
TOML Collection
# Target platform for this collection; the services artifact is Windows-only.
system = "windows"

[output]
# Name used for the output of this collection run.
name = "services_collection"
# Directory the results are written to (relative to the working directory).
directory = "./tmp"
# One JSON object per line.
format = "jsonl"
compress = false
# Identifier for the endpoint being collected; the value below is the page's sample.
endpoint_id = "6c51b123-1522-4572-9f2a-0bd5abd81b82"
collection_id = 1
# Results are written to local disk.
output = "local"

[[artifacts]]
artifact_name = "services"
[artifacts.services]
# Optional. Single drive letter to parse instead of the default %systemdrive% (typically C).
alt_drive = 'C'
Collection Options
alt_drive
Expects a single character value. Will use an alternative drive letter when parsing Services. This configuration is optional. By default artemis will use the %systemdrive% value (typically C).
Output Structure
An array of `Services` entries
/**
 * A single Windows Service entry parsed from the SYSTEM Registry file.
 *
 * Each field mirrors a value stored under the Service's Registry key; the
 * `reg_path` field records where the entry was read from so a finding can be
 * traced back to the source key.
 */
export interface Services {
  /** Current State of the Service */
  state: string;
  /** Name of Service */
  name: string;
  /** Display name of Service */
  display_name: string;
  /** Service description */
  description: string;
  /** Start mode of Service */
  start_mode: string;
  /** Path to executable for Service, as stored in the Registry (may include command-line arguments — confirm against the parser) */
  path: string;
  /** Service types. Ex: KernelDriver */
  service_type: string[];
  /** Account associated with Service (the account the Service runs under) */
  account: string;
  /**
   * Registry modified timestamp in UNIXEPOCH seconds. May be used to determine
   * when the Service was created. Because this is a last-modified time, a later
   * change to the Service's Registry key overwrites the original creation time.
   */
  modified: number;
  /** DLL associated with Service */
  service_dll: string;
  /** Service command upon failure (presumably the command run by a run-command failure action in `failure_actions` — confirm against the parser) */
  failure_command: string;
  /** Reset period associated with Service */
  reset_period: number;
  /** Service actions upon failure */
  failure_actions: FailureActions[];
  /** Privileges associated with Service */
  required_privileges: string[];
  /** Error associated with Service */
  error_control: string;
  /** Registry path associated with Service */
  reg_path: string;
}
/**
 * Failure actions executed when Service fails.
 *
 * One entry per configured action; `delay` is the wait before that action runs.
 */
interface FailureActions {
  /** Action executed upon failure */
  action: string;
  /** Delay in seconds on failure */
  delay: number;
}