CircleCI Atomic Red Team doc generator
83 lines
2.2 KiB
Markdown
83 lines
2.2 KiB
Markdown
# T1007 - System Service Discovery
|
|
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1007)
|
|
<blockquote>Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using [Tasklist](https://attack.mitre.org/software/S0057), and "net start" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well. Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - System Service Discovery](#atomic-test-1---system-service-discovery)
|
|
|
|
- [Atomic Test #2 - System Service Discovery - net.exe](#atomic-test-2---system-service-discovery---netexe)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - System Service Discovery
|
|
Identify system services.
|
|
|
|
Upon successful execution, cmd.exe will execute service commands with expected result to stdout.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** 89676ba1-b1f8-47ee-b940-2e1a113ebc71
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
|
|
|
|
|
|
```cmd
|
|
tasklist.exe
|
|
sc query
|
|
sc query state= all
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #2 - System Service Discovery - net.exe
|
|
Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
|
|
|
|
Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in c:\Windows\Temp\service-list.txt.s
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3
|
|
|
|
|
|
|
|
|
|
|
|
#### Inputs:
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| output_file | Path of file to hold net.exe output | Path | C:\Windows\Temp\service-list.txt|
|
|
|
|
|
|
#### Attack Commands: Run with `command_prompt`!
|
|
|
|
|
|
```cmd
|
|
net.exe start >> #{output_file}
|
|
```
|
|
|
|
#### Cleanup Commands:
|
|
```cmd
|
|
del /f /q /s #{output_file} >nul 2>&1
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|