
T1007

System Service Discovery

Description from ATT&CK

Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start. Adversaries may also gather information about scheduled tasks via commands such as schtasks on Windows or crontab -l on Linux and macOS.(Citation: Elastic Security Labs GOSAR 2024)(Citation: SentinelLabs macOS Malware 2021)(Citation: Splunk Linux Gormir 2024)(Citation: Aquasec Kinsing 2020)

Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Atomic Tests

Atomic Test #1 - System Service Discovery

Identify system services.

Upon successful execution, cmd.exe will execute service commands with expected result to stdout.

Supported Platforms: Windows

auto_generated_guid: 89676ba1-b1f8-47ee-b940-2e1a113ebc71

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

tasklist.exe /svc
sc query
sc query state= all

Atomic Test #2 - System Service Discovery - net.exe

Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.

Upon successful execution, net.exe will run from cmd.exe and query services. Expected output is a txt file in the temp directory called service-list.txt.

Supported Platforms: Windows

auto_generated_guid: 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3

Inputs:

Name         Description                           Type   Default Value
output_file  Path of file to hold net.exe output   path   %temp%\service-list.txt

Attack Commands: Run with command_prompt!

net.exe start >> #{output_file}

Cleanup Commands:

del /f /q /s #{output_file} >nul 2>&1

Atomic Test #3 - System Service Discovery - systemctl/service

Enumerates system services using systemctl/service.

Supported Platforms: Linux

auto_generated_guid: f4b26bce-4c2c-46c0-bcc5-fce062d38bef

Attack Commands: Run with bash!

if [ "$(uname)" = 'FreeBSD' ]; then service -e; else systemctl --type=service; fi;

Atomic Test #4 - Get-Service Execution

Executes the Get-Service cmdlet to gather objects representing all services on the local system.

Supported Platforms: Windows

auto_generated_guid: 51f17016-d8fa-4360-888a-df4bf92c4a04

Attack Commands: Run with command_prompt!

powershell.exe Get-Service

Atomic Test #5 - System Service Discovery - macOS launchctl

Enumerates services on macOS using launchctl. Used by adversaries for identifying daemons, background services, and persistence mechanisms.

Supported Platforms: macOS

auto_generated_guid: 9b378962-a75e-4856-b117-2503d6dcebba

Attack Commands: Run with sh!

launchctl list

Atomic Test #6 - System Service Discovery - Windows Scheduled Tasks (schtasks)

Enumerates scheduled tasks on Windows using schtasks.exe.

Supported Platforms: Windows

auto_generated_guid: 7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a

Attack Commands: Run with command_prompt!

schtasks /query /fo LIST /v

Atomic Test #7 - System Service Discovery - Services Registry Enumeration

Enumerates Windows services by reading the Services registry key (HKLM\SYSTEM\CurrentControlSet\Services) instead of using Service Control Manager APIs or CLI tools such as sc.exe or Get-Service.

Supported Platforms: Windows

auto_generated_guid: d70d82bd-bb00-4837-b146-b40d025551b2

Attack Commands: Run with powershell!

Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
  ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    [PSCustomObject]@{
      Name        = $_.PSChildName
      DisplayName = $p.DisplayName
      ImagePath   = $p.ImagePath
      StartType   = $p.Start
    }
  }

Atomic Test #8 - System Service Discovery - Linux init scripts

Enumerates system services by listing SysV init scripts and runlevel symlinks under /etc/init.d and /etc/rc*.d.

Supported Platforms: Linux

auto_generated_guid: 8f2a5d2b-4018-46d4-8f3f-0fea53754690

Attack Commands: Run with sh!

echo "[*] Listing SysV init scripts (/etc/init.d):"
if [ -d /etc/init.d ]; then ls -l /etc/init.d; else echo "/etc/init.d not present on this system"; fi
echo
echo "[*] Listing runlevel directories (/etc/rc*.d):"
ls -ld /etc/rc*.d 2>/dev/null || echo "No /etc/rc*.d directories found"
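The eight tests above all reduce to a handful of command lines a defender can watch for in process-creation telemetry. The following is an added, defender-side example and is not part of Atomic Red Team or of this page: a small Python detector that classifies command lines against the discovery command families exercised by Tests #1 through #8 (tasklist /svc, sc query, net start, systemctl --type=service / service -e, Get-Service, launchctl list, schtasks /query, reads of the Services registry key, and init.d/rc*.d listings) and raises an alert only when one host runs two or more distinct families inside a short window. The pipe-delimited log format, hostnames, sample events, the five-minute window and the two-family threshold are all constructed assumptions for the demonstration; a single, isolated sc query from a monitoring agent deliberately stays below the threshold.

```python
"""Detection helper for T1007-style service discovery command lines.

Added example (not Atomic Red Team code). Scans constructed process-creation
records for the discovery commands exercised by the atomic tests on this page
and alerts on hosts that run several distinct discovery families close together.
Log format, hostnames, window and threshold are constructed assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Each pattern is matched case-insensitively against the full command line.
# The label names the command family so an alert can say what fired.
DISCOVERY_PATTERNS = [
    ("tasklist /svc",            re.compile(r"\btasklist(\.exe)?\s+/svc\b", re.I)),
    ("sc query",                 re.compile(r"\bsc(\.exe)?\s+query\b", re.I)),
    ("net start",                re.compile(r"\bnet1?(\.exe)?\s+start\b", re.I)),
    ("systemctl --type=service", re.compile(r"\bsystemctl\b.*--type[= ]service", re.I)),
    ("service -e",               re.compile(r"\bservice\s+-e\b", re.I)),
    ("Get-Service",              re.compile(r"\bGet-Service\b", re.I)),
    ("launchctl list",           re.compile(r"\blaunchctl\s+list\b", re.I)),
    ("schtasks /query",          re.compile(r"\bschtasks(\.exe)?\s+/query\b", re.I)),
    ("Services registry key",    re.compile(r"CurrentControlSet\\Services", re.I)),
    ("init.d listing",           re.compile(r"\bls\b.*/etc/(init\.d|rc\S*\.d)", re.I)),
]

# Constructed sample telemetry: '<iso-timestamp>|<host>|<parent image>|<command line>'.
SAMPLE_LOG = r"""
2024-05-01T10:00:01|WS01|C:\Windows\System32\cmd.exe|tasklist.exe /svc
2024-05-01T10:00:03|WS01|C:\Windows\System32\cmd.exe|sc query state= all
2024-05-01T10:00:09|WS01|C:\Windows\System32\cmd.exe|net.exe start
2024-05-01T10:01:30|WS01|C:\Windows\System32\cmd.exe|schtasks /query /fo LIST /v
2024-05-01T10:02:00|SRV02|C:\Windows\System32\services.exe|svchost.exe -k netsvcs
2024-05-01T11:15:00|SRV02|C:\Program Files\Monitoring\agent.exe|sc query wuauserv
2024-05-01T12:00:00|LNX01|/bin/bash|systemctl --type=service
2024-05-01T12:00:02|LNX01|/bin/bash|ls -l /etc/init.d
"""


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    parent: str
    cmdline: str


def classify(cmdline):
    """Return the discovery command families present in one command line."""
    return [name for name, rx in DISCOVERY_PATTERNS if rx.search(cmdline)]


def parse_line(line):
    """Parse one constructed log line into a ProcEvent."""
    ts, host, parent, cmdline = line.split("|", 3)
    return ProcEvent(datetime.fromisoformat(ts), host, parent, cmdline)


def score_hosts(events, window=timedelta(minutes=5), threshold=2):
    """Map host -> sorted list of discovery families for hosts that ran at least
    `threshold` distinct families within `window` of some earlier hit."""
    hits = defaultdict(list)  # host -> [(timestamp, family), ...] in time order
    for ev in sorted(events, key=lambda e: e.ts):
        for family in classify(ev.cmdline):
            hits[ev.host].append((ev.ts, family))

    alerts = {}
    for host, items in hits.items():
        best = set()
        # Anchor a window at each hit and count the distinct families inside it.
        for i, (start, _) in enumerate(items):
            families = {f for t, f in items[i:] if t - start <= window}
            if len(families) > len(best):
                best = families
        if len(best) >= threshold:
            alerts[host] = sorted(best)
    return alerts


def run_sample():
    """Run the detector over the constructed sample log and return the alerts."""
    events = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return score_hosts(events)


if __name__ == "__main__":
    for host, families in run_sample().items():
        print(f"{host}: {len(families)} discovery families -> {', '.join(families)}")
```

With the sample data, WS01 alerts on four families within ninety seconds (the sequence of Tests #1, #2 and #6), LNX01 alerts on systemctl plus an init.d listing (Tests #3 and #8), and SRV02 stays silent: the svchost line matches nothing, and a lone sc query from the monitoring agent is one family, below the threshold. In production the parent image would typically feed an allowlist as well, and the patterns would be tuned against the administrative tooling actually in use.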