attack_technique: T1007
display_name: System Service Discovery
atomic_tests:
- name: System Service Discovery
  auto_generated_guid: 89676ba1-b1f8-47ee-b940-2e1a113ebc71
  description: |
    Identify system services.
    Upon successful execution, cmd.exe will execute service commands with expected result to stdout.
  supported_platforms:
  - windows
  executor:
    command: |
      tasklist.exe /svc
      sc query
      sc query state= all
    name: command_prompt
    elevation_required: true
- name: System Service Discovery - net.exe
  auto_generated_guid: 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3
  description: |
    Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
    Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in the temp directory called service-list.txt.
  supported_platforms:
  - windows
  input_arguments:
    output_file:
      description: Path of file to hold net.exe output
      type: path
      default: '%temp%\service-list.txt'
  executor:
    command: |
      net.exe start >> #{output_file}
    cleanup_command: |
      del /f /q /s #{output_file} >nul 2>&1
    name: command_prompt
- name: System Service Discovery - systemctl/service
  auto_generated_guid: f4b26bce-4c2c-46c0-bcc5-fce062d38bef
  description: |
    Enumerates system service using systemctl/service
  supported_platforms:
  - linux
  executor:
    command: |
      if [ "$(uname)" = 'FreeBSD' ]; then service -e; else systemctl --type=service; fi;
    name: bash
- name: Get-Service Execution
  auto_generated_guid: 51f17016-d8fa-4360-888a-df4bf92c4a04
  description: Executes the Get-Service cmdlet to gather objects representing all services on the local system.
  supported_platforms:
  - windows
  executor:
    name: command_prompt
    command: powershell.exe Get-Service
- name: System Service Discovery - macOS launchctl
  auto_generated_guid: 9b378962-a75e-4856-b117-2503d6dcebba
  description: |
    Enumerates services on macOS using launchctl.
    Used by adversaries for identifying daemons, background services, and persistence mechanisms.
  supported_platforms:
  - macos
  executor:
    name: sh
    command: launchctl list
- name: System Service Discovery - Windows Scheduled Tasks (schtasks)
  auto_generated_guid: 7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a
  description: |
    Enumerates scheduled tasks on Windows using schtasks.exe.
  supported_platforms:
  - windows
  executor:
    name: command_prompt
    command: schtasks /query /fo LIST /v
- name: System Service Discovery - Services Registry Enumeration
  auto_generated_guid: d70d82bd-bb00-4837-b146-b40d025551b2
  description: |
    Enumerates Windows services by reading the Services registry key (HKLM\SYSTEM\CurrentControlSet\Services) instead of using Service Control Manager APIs or CLI tools such as sc.exe or Get-Service.
  supported_platforms:
  - windows
  executor:
    name: powershell
    command: |
      Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        ForEach-Object {
          $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
          [PSCustomObject]@{
            Name        = $_.PSChildName
            DisplayName = $p.DisplayName
            ImagePath   = $p.ImagePath
            StartType   = $p.Start
          }
        }
- name: System Service Discovery - Linux init scripts
  auto_generated_guid: 8f2a5d2b-4018-46d4-8f3f-0fea53754690
  description: |
    Enumerates system services by listing SysV init scripts and runlevel symlinks under /etc/init.d and /etc/rc*.d.
  supported_platforms:
  - linux
  executor:
    name: sh
    command: |
      echo "[*] Listing SysV init scripts (/etc/init.d):"
      if [ -d /etc/init.d ]; then ls -l /etc/init.d; else echo "/etc/init.d not present on this system"; fi
      echo
      echo "[*] Listing runlevel directories (/etc/rc*.d):"
      ls -ld /etc/rc*.d 2>/dev/null || echo "No /etc/rc*.d directories found"