Merge pull request #29 from redcanaryco/dev-mh

Updated Formatting + System Service Discovery

Windows/Discovery/System_Service_Discovery.md

@@ -0,0 +1,36 @@
+## System Service Discovery
+
+MITRE ATT&CK Technique: [T1007](https://attack.mitre.org/wiki/Technique/T1007)
+
+## Tasklist.exe
+
+Input:
+
+    tasklist.exe
+
+## sc.exe
+
+Input:
+
+    sc query
+
+Input:
+
+    sc query state= all
+
+Start/Stop a service
+
+    sc start <service name>
+
+Stop:
+
+    sc stop <service name>
+
+
+GUI:
+
+    services.msc
+
+## WMIC.exe
+
+    wmic service where (displayname like "%<whatever>%") get name

Windows/Payloads/Discovery.bat

@@ -8,6 +8,7 @@ net config workstation
 net accounts
 net accounts /domain
 net view
+sc query
 reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
 reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce