Look at the typical parents of services.exe. It should only ever be launched by wininit.exe. Having knowledge of the typical parents and children of a process can help identify cases where a process may be acting maliciously. If you see services.exe being launched by something other than wininit.exe in your environment, it’s definitely worth investigating for signs of other malicious behavior. Also if the version of services.exe running in your environment doesn’t match one of the common hashes, it’s likely to be a malicious process running under the name of a common windows process, services.exe in this case, to fly under the radar and avoid being noticed.

Services.exe should never launch a shell (i.e. CMD, PowerShell, MSBuild, Linux subsystem). However, this scenario has historically been the case in targeted attacks and penetration tests. Initial response should include looking for further suspicious activity from the command shell tree as well as inquiring of the system owner or administrator if this activity is expected.