Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -1923,6 +1923,10 @@ discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f
 discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
 discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl/service,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
 discovery,T1007,System Service Discovery,4,Get-Service Execution,51f17016-d8fa-4360-888a-df4bf92c4a04,command_prompt
+discovery,T1007,System Service Discovery,5,System Service Discovery - macOS launchctl,9b378962-a75e-4856-b117-2503d6dcebba,sh
+discovery,T1007,System Service Discovery,6,System Service Discovery - Windows Scheduled Tasks (schtasks),7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a,command_prompt
+discovery,T1007,System Service Discovery,7,System Service Discovery - Services Registry Enumeration,d70d82bd-bb00-4837-b146-b40d025551b2,powershell
+discovery,T1007,System Service Discovery,8,System Service Discovery - Linux init scripts,8f2a5d2b-4018-46d4-8f3f-0fea53754690,sh
 discovery,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 discovery,T1040,Network Sniffing,2,Packet Capture FreeBSD using tshark or tcpdump,c93f2492-9ebe-44b5-8b45-36574cccfe67,sh
 discovery,T1040,Network Sniffing,3,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -344,6 +344,7 @@ discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtu
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (FreeBSD),e129d73b-3e03-4ae9-bf1e-67fc8921e0fd,sh
 discovery,T1069.002,Permission Groups Discovery: Domain Groups,15,Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS,d58d749c-4450-4975-a9e9-8b1d562755c2,sh
 discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl/service,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
+discovery,T1007,System Service Discovery,8,System Service Discovery - Linux init scripts,8f2a5d2b-4018-46d4-8f3f-0fea53754690,sh
 discovery,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 discovery,T1040,Network Sniffing,2,Packet Capture FreeBSD using tshark or tcpdump,c93f2492-9ebe-44b5-8b45-36574cccfe67,sh
 discovery,T1040,Network Sniffing,10,Packet Capture FreeBSD using /dev/bpfN with sudo,e2028771-1bfb-48f5-b5e6-e50ee0942a14,sh

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -230,6 +230,7 @@ discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtu
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,6,Detect Virtualization Environment using sysctl (hw.model),6beae646-eb4c-4730-95be-691a4094408c,sh
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,7,Check if System Integrity Protection is enabled,2b73cd9b-b2fb-4357-b9d7-c73c41d9e945,sh
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,8,Detect Virtualization Environment using system_profiler,e04d2e89-de15-4d90-92f9-a335c7337f0f,sh
+discovery,T1007,System Service Discovery,5,System Service Discovery - macOS launchctl,9b378962-a75e-4856-b117-2503d6dcebba,sh
 discovery,T1040,Network Sniffing,3,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
 discovery,T1040,Network Sniffing,8,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
 discovery,T1040,Network Sniffing,9,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -1329,6 +1329,8 @@ discovery,T1069.002,Permission Groups Discovery: Domain Groups,14,Active Directo
 discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
 discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
 discovery,T1007,System Service Discovery,4,Get-Service Execution,51f17016-d8fa-4360-888a-df4bf92c4a04,command_prompt
+discovery,T1007,System Service Discovery,6,System Service Discovery - Windows Scheduled Tasks (schtasks),7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a,command_prompt
+discovery,T1007,System Service Discovery,7,System Service Discovery - Services Registry Enumeration,d70d82bd-bb00-4837-b146-b40d025551b2,powershell
 discovery,T1040,Network Sniffing,4,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
 discovery,T1040,Network Sniffing,5,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
 discovery,T1040,Network Sniffing,6,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -2624,6 +2624,10 @@
   - Atomic Test #2: System Service Discovery - net.exe [windows]
   - Atomic Test #3: System Service Discovery - systemctl/service [linux]
   - Atomic Test #4: Get-Service Execution [windows]
+  - Atomic Test #5: System Service Discovery - macOS launchctl [macos]
+  - Atomic Test #6: System Service Discovery - Windows Scheduled Tasks (schtasks) [windows]
+  - Atomic Test #7: System Service Discovery - Services Registry Enumeration [windows]
+  - Atomic Test #8: System Service Discovery - Linux init scripts [linux]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
   - Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
   - Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [linux]

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -750,6 +750,7 @@
   - Atomic Test #15: Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS [linux]
 - [T1007 System Service Discovery](../../T1007/T1007.md)
   - Atomic Test #3: System Service Discovery - systemctl/service [linux]
+  - Atomic Test #8: System Service Discovery - Linux init scripts [linux]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
   - Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
   - Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [linux]

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -669,7 +669,8 @@
   - Atomic Test #7: Check if System Integrity Protection is enabled [macos]
   - Atomic Test #8: Detect Virtualization Environment using system_profiler [macos]
 - T1069.002 Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1007 System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1007 System Service Discovery](../../T1007/T1007.md)
+  - Atomic Test #5: System Service Discovery - macOS launchctl [macos]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
   - Atomic Test #3: Packet Capture macOS using tcpdump or tshark [macos]
   - Atomic Test #8: Packet Capture macOS using /dev/bpfN with sudo [macos]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -1861,6 +1861,8 @@
   - Atomic Test #1: System Service Discovery [windows]
   - Atomic Test #2: System Service Discovery - net.exe [windows]
   - Atomic Test #4: Get-Service Execution [windows]
+  - Atomic Test #6: System Service Discovery - Windows Scheduled Tasks (schtasks) [windows]
+  - Atomic Test #7: System Service Discovery - Services Registry Enumeration [windows]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
   - Atomic Test #4: Packet Capture Windows Command Prompt [windows]
   - Atomic Test #5: Windows Internal Packet Capture [windows]

atomics/Indexes/Matrices/macos-matrix.md

@@ -9,7 +9,7 @@
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | [System Service Discovery](../../T1007/T1007.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) |  | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Clipboard Data](../../T1115/T1115.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/index.yaml

@@ -101654,7 +101654,7 @@ discovery:
       - windows
       executor:
         command: |
-          tasklist.exe
+          tasklist.exe /svc
           sc query
           sc query state= all
         name: command_prompt
@@ -101702,6 +101702,62 @@ discovery:
       executor:
         name: command_prompt
         command: powershell.exe Get-Service
+    - name: System Service Discovery - macOS launchctl
+      auto_generated_guid: 9b378962-a75e-4856-b117-2503d6dcebba
+      description: |
+        Enumerates services on macOS using launchctl. Used by adversaries for
+        identifying daemons, background services, and persistence mechanisms.
+      supported_platforms:
+      - macos
+      executor:
+        name: sh
+        command: launchctl list
+    - name: System Service Discovery - Windows Scheduled Tasks (schtasks)
+      auto_generated_guid: 7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a
+      description: 'Enumerates scheduled tasks on Windows using schtasks.exe.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        command: schtasks /query /fo LIST /v
+    - name: System Service Discovery - Services Registry Enumeration
+      auto_generated_guid: d70d82bd-bb00-4837-b146-b40d025551b2
+      description: |
+        Enumerates Windows services by reading the Services registry key
+        (HKLM\SYSTEM\CurrentControlSet\Services) instead of using Service Control
+        Manager APIs or CLI tools such as sc.exe or Get-Service.
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        command: |
+          Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
+            ForEach-Object {
+              $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
+              [PSCustomObject]@{
+                Name        = $_.PSChildName
+                DisplayName = $p.DisplayName
+                ImagePath   = $p.ImagePath
+                StartType   = $p.Start
+              }
+            }
+    - name: System Service Discovery - Linux init scripts
+      auto_generated_guid: 8f2a5d2b-4018-46d4-8f3f-0fea53754690
+      description: |
+        Enumerates system services by listing SysV init scripts and runlevel
+        symlinks under /etc/init.d and /etc/rc*.d.
+      supported_platforms:
+      - linux
+      executor:
+        name: sh
+        command: |
+          echo "[*] Listing SysV init scripts (/etc/init.d):"
+          if [ -d /etc/init.d ]; then ls -l /etc/init.d; else echo "/etc/init.d not present on this system"; fi
+          echo
+          echo "[*] Listing runlevel directories (/etc/rc*.d):"
+          ls -ld /etc/rc*.d 2>/dev/null || echo "No /etc/rc*.d directories found"
   T1040:
     technique:
       type: attack-pattern

atomics/Indexes/linux-index.yaml

@@ -56385,6 +56385,21 @@ discovery:
 
           '
         name: bash
+    - name: System Service Discovery - Linux init scripts
+      auto_generated_guid: 8f2a5d2b-4018-46d4-8f3f-0fea53754690
+      description: |
+        Enumerates system services by listing SysV init scripts and runlevel
+        symlinks under /etc/init.d and /etc/rc*.d.
+      supported_platforms:
+      - linux
+      executor:
+        name: sh
+        command: |
+          echo "[*] Listing SysV init scripts (/etc/init.d):"
+          if [ -d /etc/init.d ]; then ls -l /etc/init.d; else echo "/etc/init.d not present on this system"; fi
+          echo
+          echo "[*] Listing runlevel directories (/etc/rc*.d):"
+          ls -ld /etc/rc*.d 2>/dev/null || echo "No /etc/rc*.d directories found"
   T1040:
     technique:
       type: attack-pattern

atomics/Indexes/macos-index.yaml

@@ -51788,7 +51788,17 @@ discovery:
       - Windows
       x_mitre_version: '1.6'
       identifier: T1007
-    atomic_tests: []
+    atomic_tests:
+    - name: System Service Discovery - macOS launchctl
+      auto_generated_guid: 9b378962-a75e-4856-b117-2503d6dcebba
+      description: |
+        Enumerates services on macOS using launchctl. Used by adversaries for
+        identifying daemons, background services, and persistence mechanisms.
+      supported_platforms:
+      - macos
+      executor:
+        name: sh
+        command: launchctl list
   T1040:
     technique:
       type: attack-pattern

atomics/Indexes/windows-index.yaml

@@ -82761,7 +82761,7 @@ discovery:
       - windows
       executor:
         command: |
-          tasklist.exe
+          tasklist.exe /svc
           sc query
           sc query state= all
         name: command_prompt
@@ -82796,6 +82796,37 @@ discovery:
       executor:
         name: command_prompt
         command: powershell.exe Get-Service
+    - name: System Service Discovery - Windows Scheduled Tasks (schtasks)
+      auto_generated_guid: 7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a
+      description: 'Enumerates scheduled tasks on Windows using schtasks.exe.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        command: schtasks /query /fo LIST /v
+    - name: System Service Discovery - Services Registry Enumeration
+      auto_generated_guid: d70d82bd-bb00-4837-b146-b40d025551b2
+      description: |
+        Enumerates Windows services by reading the Services registry key
+        (HKLM\SYSTEM\CurrentControlSet\Services) instead of using Service Control
+        Manager APIs or CLI tools such as sc.exe or Get-Service.
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        command: |
+          Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
+            ForEach-Object {
+              $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
+              [PSCustomObject]@{
+                Name        = $_.PSChildName
+                DisplayName = $p.DisplayName
+                ImagePath   = $p.ImagePath
+                StartType   = $p.Start
+              }
+            }
   T1040:
     technique:
       type: attack-pattern

atomics/T1007/T1007.md

@@ -18,6 +18,14 @@ Adversaries may use the information from [System Service Discovery](https://atta
 
 - [Atomic Test #4 - Get-Service Execution](#atomic-test-4---get-service-execution)
 
+- [Atomic Test #5 - System Service Discovery - macOS launchctl](#atomic-test-5---system-service-discovery---macos-launchctl)
+
+- [Atomic Test #6 - System Service Discovery - Windows Scheduled Tasks (schtasks)](#atomic-test-6---system-service-discovery---windows-scheduled-tasks-schtasks)
+
+- [Atomic Test #7 - System Service Discovery - Services Registry Enumeration](#atomic-test-7---system-service-discovery---services-registry-enumeration)
+
+- [Atomic Test #8 - System Service Discovery - Linux init scripts](#atomic-test-8---system-service-discovery---linux-init-scripts)
+
 
 <br/>
 
@@ -40,7 +48,7 @@ Upon successful execution, cmd.exe will execute service commands with expected r
 
 
 ```cmd
-tasklist.exe
+tasklist.exe /svc
 sc query
 sc query state= all
 ```
@@ -145,4 +153,133 @@ powershell.exe Get-Service
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #5 - System Service Discovery - macOS launchctl
+Enumerates services on macOS using launchctl. Used by adversaries for
+identifying daemons, background services, and persistence mechanisms.
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 9b378962-a75e-4856-b117-2503d6dcebba
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+launchctl list
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - System Service Discovery - Windows Scheduled Tasks (schtasks)
+Enumerates scheduled tasks on Windows using schtasks.exe.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+schtasks /query /fo LIST /v
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - System Service Discovery - Services Registry Enumeration
+Enumerates Windows services by reading the Services registry key
+(HKLM\SYSTEM\CurrentControlSet\Services) instead of using Service Control
+Manager APIs or CLI tools such as sc.exe or Get-Service.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d70d82bd-bb00-4837-b146-b40d025551b2
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
+  ForEach-Object {
+    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
+    [PSCustomObject]@{
+      Name        = $_.PSChildName
+      DisplayName = $p.DisplayName
+      ImagePath   = $p.ImagePath
+      StartType   = $p.Start
+    }
+  }
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #8 - System Service Discovery - Linux init scripts
+Enumerates system services by listing SysV init scripts and runlevel
+symlinks under /etc/init.d and /etc/rc*.d.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 8f2a5d2b-4018-46d4-8f3f-0fea53754690
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+echo "[*] Listing SysV init scripts (/etc/init.d):"
+if [ -d /etc/init.d ]; then ls -l /etc/init.d; else echo "/etc/init.d not present on this system"; fi
+echo
+echo "[*] Listing runlevel directories (/etc/rc*.d):"
+ls -ld /etc/rc*.d 2>/dev/null || echo "No /etc/rc*.d directories found"
+```
+
+
+
+
+
+
 <br/>

atomics/T1007/T1007.yaml

@@ -54,6 +54,7 @@ atomic_tests:
     name: command_prompt
     command: powershell.exe Get-Service
 - name: System Service Discovery - macOS launchctl
+  auto_generated_guid: 9b378962-a75e-4856-b117-2503d6dcebba
   description: |
     Enumerates services on macOS using launchctl. Used by adversaries for
     identifying daemons, background services, and persistence mechanisms.
@@ -63,6 +64,7 @@ atomic_tests:
     name: sh
     command: launchctl list
 - name: System Service Discovery - Windows Scheduled Tasks (schtasks)
+  auto_generated_guid: 7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a
   description: |
     Enumerates scheduled tasks on Windows using schtasks.exe.
   supported_platforms:
@@ -72,6 +74,7 @@ atomic_tests:
     command: schtasks /query /fo LIST /v
 
 - name: System Service Discovery - Services Registry Enumeration
+  auto_generated_guid: d70d82bd-bb00-4837-b146-b40d025551b2
   description: |
     Enumerates Windows services by reading the Services registry key
     (HKLM\SYSTEM\CurrentControlSet\Services) instead of using Service Control
@@ -93,6 +96,7 @@ atomic_tests:
         }
 
 - name: System Service Discovery - Linux init scripts
+  auto_generated_guid: 8f2a5d2b-4018-46d4-8f3f-0fea53754690
   description: |
     Enumerates system services by listing SysV init scripts and runlevel
     symlinks under /etc/init.d and /etc/rc*.d.

atomics/used_guids.txt

@@ -1776,3 +1776,7 @@ a9604672-cd46-493b-b58f-fd4124c22dd3
 b52c8233-8f71-4bd7-9928-49fec8215cf5
 bcf05343-ef1d-4052-8a27-b00c9be42b9f
 997bb0a6-421e-40c7-b5d2-0f493904ef9b
+9b378962-a75e-4856-b117-2503d6dcebba
+7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a
+d70d82bd-bb00-4837-b146-b40d025551b2
+8f2a5d2b-4018-46d4-8f3f-0fea53754690