Atomic Red Team doc generator
56 lines
1.9 KiB
YAML
56 lines
1.9 KiB
YAML
attack_technique: T1007
|
|
display_name: System Service Discovery
|
|
atomic_tests:
|
|
- name: System Service Discovery
|
|
auto_generated_guid: 89676ba1-b1f8-47ee-b940-2e1a113ebc71
|
|
description: |
|
|
Identify system services.
|
|
|
|
Upon successful execution, cmd.exe will execute service commands with expected result to stdout.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
tasklist.exe
|
|
sc query
|
|
sc query state= all
|
|
name: command_prompt
|
|
elevation_required: true
|
|
- name: System Service Discovery - net.exe
|
|
auto_generated_guid: 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3
|
|
description: |
|
|
Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
|
|
|
|
Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in in the temp directory called service-list.txt.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
output_file:
|
|
description: Path of file to hold net.exe output
|
|
type: path
|
|
default: '%temp%\service-list.txt'
|
|
executor:
|
|
command: |
|
|
net.exe start >> #{output_file}
|
|
cleanup_command: |
|
|
del /f /q /s #{output_file} >nul 2>&1
|
|
name: command_prompt
|
|
- name: System Service Discovery - systemctl/service
|
|
auto_generated_guid: f4b26bce-4c2c-46c0-bcc5-fce062d38bef
|
|
description: |
|
|
Enumerates system service using systemctl/service
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
command: |
|
|
if [ "$(uname)" = 'FreeBSD' ]; then service -e; else systemctl --type=service; fi;
|
|
name: bash
|
|
- name: Get-Service Execution
|
|
auto_generated_guid: 51f17016-d8fa-4360-888a-df4bf92c4a04
|
|
description: Executes the Get-Service cmdlet to gather objects representing all services on the local system.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
name: command_prompt
|
|
command: powershell.exe Get-Service
|