atomics/T1007/T1007.md

# T1007 - System Service Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1007)
<blockquote>

Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as <code>sc query</code>, <code>tasklist /svc</code>, <code>systemctl --type=service</code>, and <code>net start</code>. Adversaries may also gather information about schedule tasks via commands such as `schtasks` on Windows or `crontab -l` on Linux and macOS.(Citation: Elastic Security Labs GOSAR 2024)(Citation: SentinelLabs macOS Malware 2021)(Citation: Splunk Linux Gormir 2024)(Citation: Aquasec Kinsing 2020)

Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

</blockquote>

## Atomic Tests

- [Atomic Test #1 - System Service Discovery](#atomic-test-1---system-service-discovery)

- [Atomic Test #2 - System Service Discovery - net.exe](#atomic-test-2---system-service-discovery---netexe)

- [Atomic Test #3 - System Service Discovery - systemctl/service](#atomic-test-3---system-service-discovery---systemctlservice)

- [Atomic Test #4 - Get-Service Execution](#atomic-test-4---get-service-execution)


<br/>

## Atomic Test #1 - System Service Discovery
Identify system services.

Upon successful execution, cmd.exe will execute service commands with expected result to stdout.

**Supported Platforms:** Windows


**auto_generated_guid:** 89676ba1-b1f8-47ee-b940-2e1a113ebc71


#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 


```cmd
tasklist.exe
sc query
sc query state= all
```


<br/>
<br/>

## Atomic Test #2 - System Service Discovery - net.exe
Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.

Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in in the temp directory called service-list.txt.

**Supported Platforms:** Windows


**auto_generated_guid:** 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3


#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path of file to hold net.exe output | path | %temp%&#92;service-list.txt|


#### Attack Commands: Run with `command_prompt`! 


```cmd
net.exe start >> #{output_file}
```

#### Cleanup Commands:
```cmd
del /f /q /s #{output_file} >nul 2>&1
```


<br/>
<br/>

## Atomic Test #3 - System Service Discovery - systemctl/service
Enumerates system service using systemctl/service

**Supported Platforms:** Linux


**auto_generated_guid:** f4b26bce-4c2c-46c0-bcc5-fce062d38bef


#### Attack Commands: Run with `bash`! 


```bash
if [ "$(uname)" = 'FreeBSD' ]; then service -e; else systemctl --type=service; fi;
```


<br/>
<br/>

## Atomic Test #4 - Get-Service Execution
Executes the Get-Service cmdlet to gather objects representing all services on the local system.

**Supported Platforms:** Windows


**auto_generated_guid:** 51f17016-d8fa-4360-888a-df4bf92c4a04


#### Attack Commands: Run with `command_prompt`! 


```cmd
powershell.exe Get-Service
```


<br/>
Generate docs from job=validate_atomics_generate_docs branch=master 2020-06-18 01:57:35 +00:00			`# T1007 - System Service Discovery`
Generate docs from job=validate_atomics_generate_docs branch=master 2020-09-29 13:53:28 +00:00			`## [Description from ATT&CK](https://attack.mitre.org/techniques/T1007)`
Generated docs from job=generate-docs branch=master [ci skip] 2025-02-13 22:03:40 +00:00			`<blockquote>`
Generated docs from job=generate-docs branch=master [ci skip] 2022-06-16 22:47:00 +00:00
Generated docs from job=generate-docs branch=master [ci skip] 2025-11-05 01:55:34 +00:00			Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as <code>sc query</code>, <code>tasklist /svc</code>, <code>systemctl --type=service</code>, and <code>net start</code>. Adversaries may also gather information about schedule tasks via commands such as `schtasks` on Windows or `crontab -l` on Linux and macOS.(Citation: Elastic Security Labs GOSAR 2024)(Citation: SentinelLabs macOS Malware 2021)(Citation: Splunk Linux Gormir 2024)(Citation: Aquasec Kinsing 2020)
Generated docs from job=generate-docs branch=master [ci skip] 2025-02-13 22:03:40 +00:00
			`Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.`

			`</blockquote>`
Generate docs from job=validate_atomics_generate_docs branch=master 2020-06-18 01:57:35 +00:00
			`## Atomic Tests`

			`- [Atomic Test #1 - System Service Discovery](#atomic-test-1---system-service-discovery)`

			`- [Atomic Test #2 - System Service Discovery - net.exe](#atomic-test-2---system-service-discovery---netexe)`

Generated docs from job=generate-docs branch=master [ci skip] 2023-11-13 21:46:56 +00:00			`- [Atomic Test #3 - System Service Discovery - systemctl/service](#atomic-test-3---system-service-discovery---systemctlservice)`
Generated docs from job=generate-docs branch=master [ci skip] 2023-11-02 00:56:51 +00:00
Generated docs from job=generate-docs branch=master [ci skip] 2024-10-17 00:25:05 +00:00			`- [Atomic Test #4 - Get-Service Execution](#atomic-test-4---get-service-execution)`

Generate docs from job=validate_atomics_generate_docs branch=master 2020-06-18 01:57:35 +00:00
			`<br/>`

			`## Atomic Test #1 - System Service Discovery`
			`Identify system services.`

			`Upon successful execution, cmd.exe will execute service commands with expected result to stdout.`
Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-06-24 17:04:33 +00:00
Generate docs from job=validate_atomics_generate_docs branch=master 2020-06-18 01:57:35 +00:00			`Supported Platforms: Windows`


Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-06-24 17:04:33 +00:00			`auto_generated_guid: 89676ba1-b1f8-47ee-b940-2e1a113ebc71`



Generate docs from job=validate_atomics_generate_docs branch=master 2020-06-18 01:57:35 +00:00


			#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)


			```cmd
			`tasklist.exe`
			`sc query`
			`sc query state= all`
			```






			`<br/>`
			`<br/>`

			`## Atomic Test #2 - System Service Discovery - net.exe`
			`Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.`

Generated docs from job=generate-docs branch=master [ci skip] 2022-12-14 20:35:27 +00:00			`Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in in the temp directory called service-list.txt.`
Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-06-24 17:04:33 +00:00
Generate docs from job=validate_atomics_generate_docs branch=master 2020-06-18 01:57:35 +00:00			`Supported Platforms: Windows`


Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-06-24 17:04:33 +00:00			`auto_generated_guid: 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3`



Generate docs from job=validate_atomics_generate_docs branch=master 2020-06-18 01:57:35 +00:00

			`#### Inputs:`
Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-06-24 15:16:54 +00:00			`\| Name \| Description \| Type \| Default Value \|`
Generate docs from job=validate_atomics_generate_docs branch=master 2020-06-18 01:57:35 +00:00			`\|------\|-------------\|------\|---------------\|`
Generated docs from job=generate-docs branch=master [ci skip] 2023-02-13 23:11:19 +00:00			`\| output_file \| Path of file to hold net.exe output \| path \| %temp%\service-list.txt\|`
Generate docs from job=validate_atomics_generate_docs branch=master 2020-06-18 01:57:35 +00:00

			#### Attack Commands: Run with `command_prompt`!


			```cmd
			`net.exe start >> #{output_file}`
			```

			`#### Cleanup Commands:`
			```cmd
			`del /f /q /s #{output_file} >nul 2>&1`
			```





Generated docs from job=generate-docs branch=master [ci skip] 2022-04-29 21:06:05 +00:00			`<br/>`
			`<br/>`

Generated docs from job=generate-docs branch=master [ci skip] 2023-11-13 21:46:56 +00:00			`## Atomic Test #3 - System Service Discovery - systemctl/service`
			`Enumerates system service using systemctl/service`
Generated docs from job=generate-docs branch=master [ci skip] 2022-04-29 21:06:05 +00:00
			`Supported Platforms: Linux`


			`auto_generated_guid: f4b26bce-4c2c-46c0-bcc5-fce062d38bef`






			#### Attack Commands: Run with `bash`!


			```bash
Generated docs from job=generate-docs branch=master [ci skip] 2023-11-13 21:46:56 +00:00			`if [ "$(uname)" = 'FreeBSD' ]; then service -e; else systemctl --type=service; fi;`
Generated docs from job=generate-docs branch=master [ci skip] 2023-11-02 00:56:51 +00:00			```






Generated docs from job=generate-docs branch=master [ci skip] 2024-10-17 00:25:05 +00:00			`<br/>`
			`<br/>`

			`## Atomic Test #4 - Get-Service Execution`
			`Executes the Get-Service cmdlet to gather objects representing all services on the local system.`

			`Supported Platforms: Windows`


			`auto_generated_guid: 51f17016-d8fa-4360-888a-df4bf92c4a04`






			#### Attack Commands: Run with `command_prompt`!


			```cmd
			`powershell.exe Get-Service`
			```






Generate docs from job=validate_atomics_generate_docs branch=master 2020-06-18 01:57:35 +00:00			`<br/>`