attack_technique: T1007
display_name: System Service Discovery
atomic_tests:
- name: System Service Discovery
  auto_generated_guid: 89676ba1-b1f8-47ee-b940-2e1a113ebc71
  description: |
    Identify system services.

    Upon successful execution, cmd.exe will execute service commands with expected result to stdout.
  supported_platforms:
  - windows
  executor:
    command: |
      tasklist.exe
      sc query
      sc query state= all
    name: command_prompt
    elevation_required: true
- name: System Service Discovery - net.exe
  auto_generated_guid: 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3
  description: |
    Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.

    Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in in the temp directory called service-list.txt.
  supported_platforms:
  - windows
  input_arguments:
    output_file:
      description: Path of file to hold net.exe output
      type: path
      default: '%temp%\service-list.txt'
  executor:
    command: |
      net.exe start >> #{output_file}
    cleanup_command: |
      del /f /q /s #{output_file} >nul 2>&1
    name: command_prompt
- name: System Service Discovery - systemctl/service
  auto_generated_guid: f4b26bce-4c2c-46c0-bcc5-fce062d38bef
  description: |
    Enumerates system service using systemctl/service
  supported_platforms:
  - linux
  executor:
    command: |
      if [ "$(uname)" = 'FreeBSD' ]; then service -e; else systemctl --type=service; fi;
    name: bash
- name: Get-Service Execution
  auto_generated_guid: 51f17016-d8fa-4360-888a-df4bf92c4a04
  description: Executes the Get-Service cmdlet to gather objects representing all services on the local system.
  supported_platforms:
  - windows
  executor:
    name: command_prompt
    command: powershell.exe Get-Service