atomic-red-team/atomics/T1007/T1007.md

# T1007 - System Service Discovery

## Description from ATT&CK

> Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as <code>sc query</code>, <code>tasklist /svc</code>, <code>systemctl --type=service</code>, and <code>net start</code>. Adversaries may also gather information about schedule tasks via commands such as `schtasks` on Windows or `crontab -l` on Linux and macOS.(Citation: Elastic Security Labs GOSAR 2024)(Citation: SentinelLabs macOS Malware 2021)(Citation: Splunk Linux Gormir 2024)(Citation: Aquasec Kinsing 2020)
> 
> Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

[Source](https://attack.mitre.org/techniques/T1007)

## Atomic Tests

- [Atomic Test #1: System Service Discovery](#atomic-test-1-system-service-discovery)
- [Atomic Test #2: System Service Discovery - net.exe](#atomic-test-2-system-service-discovery---netexe)
- [Atomic Test #3: System Service Discovery - systemctl/service](#atomic-test-3-system-service-discovery---systemctlservice)
- [Atomic Test #4: Get-Service Execution](#atomic-test-4-get-service-execution)
- [Atomic Test #5: System Service Discovery - macOS launchctl](#atomic-test-5-system-service-discovery---macos-launchctl)
- [Atomic Test #6: System Service Discovery - Windows Scheduled Tasks (schtasks)](#atomic-test-6-system-service-discovery---windows-scheduled-tasks-schtasks)
- [Atomic Test #7: System Service Discovery - Services Registry Enumeration](#atomic-test-7-system-service-discovery---services-registry-enumeration)
- [Atomic Test #8: System Service Discovery - Linux init scripts](#atomic-test-8-system-service-discovery---linux-init-scripts)

### Atomic Test #1: System Service Discovery

Identify system services.

Upon successful execution, cmd.exe will execute service commands with expected result to stdout.

**Supported Platforms:** Windows

**auto_generated_guid:** `89676ba1-b1f8-47ee-b940-2e1a113ebc71`

#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
tasklist.exe /svc
sc query
sc query state= all
```

### Atomic Test #2: System Service Discovery - net.exe

Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.

Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in in the temp directory called service-list.txt.

**Supported Platforms:** Windows

**auto_generated_guid:** `5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path of file to hold net.exe output | path | %temp%&#92;service-list.txt|

#### Attack Commands: Run with `command_prompt`!

```cmd
net.exe start >> #{output_file}
```

#### Cleanup Commands

```cmd
del /f /q /s #{output_file} >nul 2>&1
```
### Atomic Test #3: System Service Discovery - systemctl/service

Enumerates system service using systemctl/service

**Supported Platforms:** Linux

**auto_generated_guid:** `f4b26bce-4c2c-46c0-bcc5-fce062d38bef`

#### Attack Commands: Run with `bash`!

```bash
if [ "$(uname)" = 'FreeBSD' ]; then service -e; else systemctl --type=service; fi;
```

### Atomic Test #4: Get-Service Execution

Executes the Get-Service cmdlet to gather objects representing all services on the local system.

**Supported Platforms:** Windows

**auto_generated_guid:** `51f17016-d8fa-4360-888a-df4bf92c4a04`

#### Attack Commands: Run with `command_prompt`!

```cmd
powershell.exe Get-Service
```

### Atomic Test #5: System Service Discovery - macOS launchctl

Enumerates services on macOS using launchctl. Used by adversaries for
identifying daemons, background services, and persistence mechanisms.

**Supported Platforms:** macOS

**auto_generated_guid:** `9b378962-a75e-4856-b117-2503d6dcebba`

#### Attack Commands: Run with `sh`!

```sh
launchctl list
```

### Atomic Test #6: System Service Discovery - Windows Scheduled Tasks (schtasks)

Enumerates scheduled tasks on Windows using schtasks.exe.

**Supported Platforms:** Windows

**auto_generated_guid:** `7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a`

#### Attack Commands: Run with `command_prompt`!

```cmd
schtasks /query /fo LIST /v
```

### Atomic Test #7: System Service Discovery - Services Registry Enumeration

Enumerates Windows services by reading the Services registry key
(HKLM\SYSTEM\CurrentControlSet\Services) instead of using Service Control
Manager APIs or CLI tools such as sc.exe or Get-Service.

**Supported Platforms:** Windows

**auto_generated_guid:** `d70d82bd-bb00-4837-b146-b40d025551b2`

#### Attack Commands: Run with `powershell`!

```powershell
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
  ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    [PSCustomObject]@{
      Name        = $_.PSChildName
      DisplayName = $p.DisplayName
      ImagePath   = $p.ImagePath
      StartType   = $p.Start
    }
  }
```

### Atomic Test #8: System Service Discovery - Linux init scripts

Enumerates system services by listing SysV init scripts and runlevel
symlinks under /etc/init.d and /etc/rc*.d.

**Supported Platforms:** Linux

**auto_generated_guid:** `8f2a5d2b-4018-46d4-8f3f-0fea53754690`

#### Attack Commands: Run with `sh`!

```sh
echo "[*] Listing SysV init scripts (/etc/init.d):"
if [ -d /etc/init.d ]; then ls -l /etc/init.d; else echo "/etc/init.d not present on this system"; fi
echo
echo "[*] Listing runlevel directories (/etc/rc*.d):"
ls -ld /etc/rc*.d 2>/dev/null || echo "No /etc/rc*.d directories found"
```