Tony M Lambert
43 lines
1.0 KiB
YAML
43 lines
1.0 KiB
YAML
---
|
|
attack_technique: T1007
|
|
display_name: System Service Discovery
|
|
|
|
atomic_tests:
|
|
- name: System Service Discovery
|
|
description: |
|
|
Identify system services
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
service_name:
|
|
description: Name of service to start stop, query
|
|
type: string
|
|
default: svchost.exe
|
|
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
tasklist.exe
|
|
sc query
|
|
sc query state= all
|
|
sc start #{service_name}
|
|
sc stop #{service_name}
|
|
wmic service where (displayname like "#{service_name}") get name
|
|
|
|
- name: System Service Discovery - net.exe
|
|
description: |
|
|
Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
output_file:
|
|
description: Path of file to hold net.exe output
|
|
type: Path
|
|
default: C:\Windows\Temp\service-list.txt
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
net.exe start >> #{output_file}
|