atomics/T1007/T1007.yaml

attack_technique: T1007
display_name: System Service Discovery
atomic_tests:
- name: System Service Discovery
  auto_generated_guid: 89676ba1-b1f8-47ee-b940-2e1a113ebc71
  description: |
    Identify system services.

    Upon successful execution, cmd.exe will execute service commands with expected result to stdout.
  supported_platforms:
  - windows
  executor:
    command: |
      tasklist.exe
      sc query
      sc query state= all
    name: command_prompt
    elevation_required: true
- name: System Service Discovery - net.exe
  auto_generated_guid: 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3
  description: |
    Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.

    Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in in the temp directory called service-list.txt.
  supported_platforms:
  - windows
  input_arguments:
    output_file:
      description: Path of file to hold net.exe output
      type: path
      default: '%temp%\service-list.txt'
  executor:
    command: |
      net.exe start >> #{output_file}
    cleanup_command: |
      del /f /q /s #{output_file} >nul 2>&1
    name: command_prompt
- name: System Service Discovery - systemctl/service
  auto_generated_guid: f4b26bce-4c2c-46c0-bcc5-fce062d38bef
  description: |
    Enumerates system service using systemctl/service
  supported_platforms:
  - linux
  executor:
    command: |
      if [ "$(uname)" = 'FreeBSD' ]; then service -e; else systemctl --type=service; fi;
    name: bash
- name: Get-Service Execution
  auto_generated_guid: 51f17016-d8fa-4360-888a-df4bf92c4a04
  description: Executes the Get-Service cmdlet to gather objects representing all services on the local system.
  supported_platforms:
  - windows
  executor:
    name: command_prompt
    command: powershell.exe Get-Service
T1007 2018-05-25 08:09:15 -04:00			`attack_technique: T1007`
			`display_name: System Service Discovery`
			`atomic_tests:`
			`- name: System Service Discovery`
Generate docs from job=validate_atomics_generate_docs branch=master 2020-05-15 17:19:25 +00:00			`auto_generated_guid: 89676ba1-b1f8-47ee-b940-2e1a113ebc71`
T1007 2018-05-25 08:09:15 -04:00			`description: \|`
Updated Descriptions (#897 ) 2020-03-19 21:23:10 -06:00			`Identify system services.`

			`Upon successful execution, cmd.exe will execute service commands with expected result to stdout.`
T1007 2018-05-25 08:09:15 -04:00			`supported_platforms:`
Convert to Mitre ATT&CK sub-technique schema (#1056 ) 2020-06-17 12:55:46 -06:00			`- windows`
T1007 2018-05-25 08:09:15 -04:00			`executor:`
			`command: \|`
			`tasklist.exe`
			`sc query`
			`sc query state= all`
Convert to Mitre ATT&CK sub-technique schema (#1056 ) 2020-06-17 12:55:46 -06:00			`name: command_prompt`
			`elevation_required: true`
T1007 Service Discovery Net Start to File (#428 ) 2018-12-13 10:06:48 -06:00			`- name: System Service Discovery - net.exe`
Generate docs from job=validate_atomics_generate_docs branch=master 2020-05-15 17:19:25 +00:00			`auto_generated_guid: 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3`
T1007 Service Discovery Net Start to File (#428 ) 2018-12-13 10:06:48 -06:00			`description: \|`
			`Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.`
Updated Descriptions (#897 ) 2020-03-19 21:23:10 -06:00
fix typo, user temp directory (#2238 ) 2022-12-14 13:34:57 -07:00			`Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in in the temp directory called service-list.txt.`
T1007 Service Discovery Net Start to File (#428 ) 2018-12-13 10:06:48 -06:00			`supported_platforms:`
Convert to Mitre ATT&CK sub-technique schema (#1056 ) 2020-06-17 12:55:46 -06:00			`- windows`
T1007 Service Discovery Net Start to File (#428 ) 2018-12-13 10:06:48 -06:00			`input_arguments:`
			`output_file:`
			`description: Path of file to hold net.exe output`
fix: Updating atomics YAML file structure to align with the new JSON schema definition (#2323 ) 2023-02-13 17:10:37 -06:00			`type: path`
fix typo, user temp directory (#2238 ) 2022-12-14 13:34:57 -07:00			`default: '%temp%\service-list.txt'`
T1007 Service Discovery Net Start to File (#428 ) 2018-12-13 10:06:48 -06:00			`executor:`
			`command: \|`
			`net.exe start >> #{output_file}`
added cleanup_command (#802 ) 2020-01-27 14:30:56 -06:00			`cleanup_command: \|`
fixed (#827 ) 2020-02-07 18:29:17 -06:00			`del /f /q /s #{output_file} >nul 2>&1`
Convert to Mitre ATT&CK sub-technique schema (#1056 ) 2020-06-17 12:55:46 -06:00			`name: command_prompt`
FreeBSD Cleanup (#2603 ) 2023-11-13 16:45:43 -05:00			`- name: System Service Discovery - systemctl/service`
Generate GUIDs from job=generate-docs branch=master [skip ci] 2022-04-29 21:06:00 +00:00			`auto_generated_guid: f4b26bce-4c2c-46c0-bcc5-fce062d38bef`
Update T1007.yaml (#1909 ) 2022-04-29 23:05:33 +02:00			`description: \|`
FreeBSD Cleanup (#2603 ) 2023-11-13 16:45:43 -05:00			`Enumerates system service using systemctl/service`
Update T1007.yaml (#1909 ) 2022-04-29 23:05:33 +02:00			`supported_platforms:`
			`- linux`
			`executor:`
			`command: \|`
FreeBSD Cleanup (#2603 ) 2023-11-13 16:45:43 -05:00			`if [ "$(uname)" = 'FreeBSD' ]; then service -e; else systemctl --type=service; fi;`
Update T1007.yaml (#2958 ) 2024-10-17 03:24:11 +03:00			`name: bash`
			`- name: Get-Service Execution`
Generated docs from job=generate-docs branch=master [ci skip] 2024-10-17 00:25:05 +00:00			`auto_generated_guid: 51f17016-d8fa-4360-888a-df4bf92c4a04`
Update T1007.yaml (#2958 ) 2024-10-17 03:24:11 +03:00			`description: Executes the Get-Service cmdlet to gather objects representing all services on the local system.`
			`supported_platforms:`
			`- windows`
			`executor:`
			`name: command_prompt`
			`command: powershell.exe Get-Service`