alg.exe | System Service | Medium Risk | Windows | Legitimate | Commonly Abused

alg.exe - Application Layer Gateway Security Analysis

alg.exe (Application Layer Gateway Service) provides support for **third-party protocol plug-ins** for Internet Connection Sharing (ICS) and Windows Firewall. It enables FTP, PPTP, and other protocols that require NAT traversal. Attackers abuse it for **firewall bypass** and masquerade malware under this trusted process name.

Risk Summary

MEDIUM priority for SOC triage. alg.exe is a Windows service that runs as NETWORK SERVICE. Monitor for instances outside System32, unusual parent processes, or unexpected network connections to non-standard ports.

Overview

What is alg.exe?

alg.exe (Application Layer Gateway) is a Windows service that provides support for application-level protocol plugins.

Core Functions

Protocol Support:

  • Enables FTP through NAT/firewall
  • Supports PPTP VPN connections
  • Handles SIP/RTC communications
  • Manages protocol-specific port mappings

Firewall Integration:

  • Works with Windows Firewall
  • Supports Internet Connection Sharing
  • Manages dynamic port allocation

Security Significance

  • Network Access: Has legitimate network capabilities
  • Service Context: Runs as NETWORK SERVICE
  • Firewall Integration: Can modify firewall behavior
  • Legacy Service: Often disabled in modern environments

Normal Behavior

Expected Process State

Property     Expected Value
Path         C:\Windows\System32\alg.exe
Parent       services.exe
Instances    0-1 (may not be running)
User         NT AUTHORITY\NETWORK SERVICE
Network      FTP, PPTP ports when active
Memory       1-3 MB

Service Configuration

Service Name:   ALG
Display Name:   Application Layer Gateway Service
Startup Type:   Manual (Trigger Start)

services.exe
└── alg.exe (NETWORK SERVICE)

Common Locations

C:\Windows\System32\alg.exe

Suspicious Indicators

Legitimate vs Suspicious

LEGITIMATE

Path:        C:\Windows\System32\alg.exe
Parent:      services.exe
Instances:   0-1
User:        NT AUTHORITY\NETWORK SERVICE
Network:     FTP (21), PPTP (1723) only

SUSPICIOUS

Path:        C:\Windows\alg.exe
             C:\Temp\alg.exe
Parent:      cmd.exe, explorer.exe
Instances:   Multiple
User:        Administrator, standard user
Network:     HTTP/HTTPS, C2 ports

Comparison Table

Indicator    Legitimate         Suspicious    Risk
Path         System32           Elsewhere     CRITICAL
Parent       services.exe       Other         CRITICAL
User         NETWORK SERVICE    Other         HIGH
Network      Protocol ports     C2 ports      CRITICAL

Abuse Techniques

Technique #1: Process Masquerading (T1036.005)

Malware uses the alg.exe name to appear legitimate.

Common Malicious Locations:

C:\Windows\alg.exe
C:\Users\Public\alg.exe
C:\ProgramData\alg.exe

Technique #2: Service Abuse (T1543.003)

Replacing the legitimate alg.exe with a malicious version:

sc stop alg
copy malware.exe C:\Windows\System32\alg.exe
sc start alg

Technique #3: Network Evasion

Using the alg.exe name so that malicious network traffic appears to be legitimate protocol traffic.

Remediation Steps

Defense: Disable if Unused

If Internet Connection Sharing is not required:

Set-Service -Name ALG -StartupType Disabled

Defense: File Integrity Monitoring

Monitor C:\Windows\System32\alg.exe for changes.

If Compromise Suspected

  1. Stop the ALG service
  2. Verify alg.exe hash against known-good
  3. Check for alg.exe in non-standard locations
  4. Review network connections
  5. Restore from known-good backup if tampered

Investigation Checklist

  • Verify path is C:\Windows\System32\alg.exe
  • Confirm parent is services.exe
  • Check running as NETWORK SERVICE
  • Review network connections for anomalies
  • Validate service binary path
  • Compare hash with known-good
  • Search for alg.exe copies elsewhere
  • Check if service should be running at all
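The following PowerShell is an added triage script, not part of the original analysis: it walks the checklist above and the "If Compromise Suspected" steps against a live host and raises a finding for every deviation from the expected values in the tables above. It assumes an elevated session, and $KnownGoodSha256 is a placeholder for a hash taken from a trusted reference copy of alg.exe.

```powershell
# Added triage script (not from the original page). Expected values come from the
# expected-state tables above; $KnownGoodSha256 is a placeholder to fill from a trusted reference.
param([string]$KnownGoodSha256 = '')

$expectedPath = Join-Path $env:SystemRoot 'System32\alg.exe'
$expectedUser = 'NETWORK SERVICE'
$findings     = [System.Collections.Generic.List[string]]::new()

# 1. Service configuration: does the registered binary path still point at System32?
$svc = Get-CimInstance Win32_Service -Filter "Name='ALG'"
if (-not $svc) { $findings.Add('ALG service entry is missing') }
else {
    Write-Output "ALG service: State=$($svc.State) StartMode=$($svc.StartMode) Path=$($svc.PathName)"
    if ($svc.PathName.Trim('"') -ne $expectedPath) { $findings.Add("Service binary path: $($svc.PathName)") }
}

# 2. Running instances: path, parent, owner, and established connections other than FTP (21) / PPTP (1723)
$procs = @(Get-CimInstance Win32_Process -Filter "Name='alg.exe'")
if ($procs.Count -gt 1) { $findings.Add("Multiple alg.exe instances: $($procs.Count)") }
foreach ($p in $procs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
    $owner  = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    if ($p.ExecutablePath -ne $expectedPath) { $findings.Add("PID $($p.ProcessId) path: $($p.ExecutablePath)") }
    if ($parent.Name -ne 'services.exe')     { $findings.Add("PID $($p.ProcessId) parent: $($parent.Name) (PPID $($p.ParentProcessId))") }
    if ($owner.User -ne $expectedUser)       { $findings.Add("PID $($p.ProcessId) user: $($owner.Domain)\$($owner.User)") }
    $conns = Get-NetTCPConnection -OwningProcess $p.ProcessId -State Established -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        if ($c.RemotePort -notin 21, 1723) { $findings.Add("PID $($p.ProcessId) connection: $($c.RemoteAddress):$($c.RemotePort)") }
    }
}

# 3. On-disk binary in System32: OS signature check and optional known-good hash comparison
if (Test-Path $expectedPath) {
    $sig  = Get-AuthenticodeSignature -FilePath $expectedPath
    $hash = (Get-FileHash -Path $expectedPath -Algorithm SHA256).Hash
    Write-Output "System32 alg.exe SHA256: $hash"
    if ($sig.Status -ne 'Valid' -or -not $sig.IsOSBinary) { $findings.Add("Signature status: $($sig.Status)") }
    if ($KnownGoodSha256 -and $hash -ne $KnownGoodSha256) { $findings.Add('SHA256 differs from known-good value') }
}

# 4. Copies of alg.exe in the non-standard locations named in the analysis above
foreach ($root in $env:SystemRoot, 'C:\Users\Public', 'C:\ProgramData', 'C:\Temp') {
    $copies = Get-ChildItem -Path $root -Filter alg.exe -File -Recurse -Depth 2 -ErrorAction SilentlyContinue
    foreach ($f in $copies) {
        if ($f.FullName -ne $expectedPath) { $findings.Add("Copy found: $($f.FullName)") }
    }
}
if ($findings.Count) { Write-Output 'FINDINGS:'; $findings | ForEach-Object { " - $_" } }
else { Write-Output 'No deviations from the expected alg.exe state' }
```

A clean host prints the service state and the System32 hash and ends with the "No deviations" line; anything listed under FINDINGS maps directly to a row of the comparison table above.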

MITRE ATT&CK Techniques

  • T1036.005 - Masquerading: Match Legitimate Name or Location
  • T1543.003 - Create or Modify System Process: Windows Service

Last verified: January 18, 2026