Skip to content
Atomic Red Team
atomics
T1007

T1007 - System Service Discovery

Description from ATT&CK (opens in a new tab)

Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start.

Adversaries may use the information from System Service Discovery (opens in a new tab) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Atomic Tests


Atomic Test #1 - System Service Discovery

Identify system services.

Upon successful execution, cmd.exe will execute service commands with expected result to stdout.

Supported Platforms: Windows

auto_generated_guid: 89676ba1-b1f8-47ee-b940-2e1a113ebc71

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

tasklist.exe
sc query
sc query state= all


Atomic Test #2 - System Service Discovery - net.exe

Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.

Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in in the temp directory called service-list.txt.

Supported Platforms: Windows

auto_generated_guid: 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3

Inputs:

NameDescriptionTypeDefault Value
output_filePath of file to hold net.exe outputpath%temp%\service-list.txt

Attack Commands: Run with command_prompt!

net.exe start >> #{output_file}

Cleanup Commands:

del /f /q /s #{output_file} >nul 2>&1


Atomic Test #3 - System Service Discovery - systemctl/service

Enumerates system service using systemctl/service

Supported Platforms: Linux

auto_generated_guid: f4b26bce-4c2c-46c0-bcc5-fce062d38bef

Attack Commands: Run with bash!

if [ "$(uname)" = 'FreeBSD' ]; then service -e; else systemctl --type=service; fi;


Atomic Test #4 - Get-Service Execution

Executes the Get-Service cmdlet to gather objects representing all services on the local system.

Supported Platforms: Windows

auto_generated_guid: 51f17016-d8fa-4360-888a-df4bf92c4a04

Attack Commands: Run with command_prompt!

powershell.exe Get-Service

T1006T1010