T1007.md

T1007 - System Service Discovery

Description from ATT&CK

Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using [Tasklist](https://attack.mitre.org/software/S0057), and "net start" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well. Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Atomic Tests

• Atomic Test #1 - System Service Discovery

• Atomic Test #2 - System Service Discovery - net.exe

Atomic Test #1 - System Service Discovery

Identify system services

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

tasklist.exe
sc query
sc query state= all

Atomic Test #2 - System Service Discovery - net.exe

Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.

Supported Platforms: Windows

Inputs:

Name	Description	Type	Default Value
output_file	Path of file to hold net.exe output	Path	C:\Windows\Temp\service-list.txt

Attack Commands: Run with command_prompt!

net.exe start >> #{output_file}

Cleanup Commands:

del /f /q /s #{output_file} >nul 2>&1