Atomic Red Team doc generator
286 lines
6.0 KiB
Markdown
286 lines
6.0 KiB
Markdown
# T1007 - System Service Discovery
|
|
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1007)
|
|
<blockquote>
|
|
|
|
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as <code>sc query</code>, <code>tasklist /svc</code>, <code>systemctl --type=service</code>, and <code>net start</code>. Adversaries may also gather information about schedule tasks via commands such as `schtasks` on Windows or `crontab -l` on Linux and macOS.(Citation: Elastic Security Labs GOSAR 2024)(Citation: SentinelLabs macOS Malware 2021)(Citation: Splunk Linux Gormir 2024)(Citation: Aquasec Kinsing 2020)
|
|
|
|
Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
|
|
|
|
</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - System Service Discovery](#atomic-test-1---system-service-discovery)
|
|
|
|
- [Atomic Test #2 - System Service Discovery - net.exe](#atomic-test-2---system-service-discovery---netexe)
|
|
|
|
- [Atomic Test #3 - System Service Discovery - systemctl/service](#atomic-test-3---system-service-discovery---systemctlservice)
|
|
|
|
- [Atomic Test #4 - Get-Service Execution](#atomic-test-4---get-service-execution)
|
|
|
|
- [Atomic Test #5 - System Service Discovery - macOS launchctl](#atomic-test-5---system-service-discovery---macos-launchctl)
|
|
|
|
- [Atomic Test #6 - System Service Discovery - Windows Scheduled Tasks (schtasks)](#atomic-test-6---system-service-discovery---windows-scheduled-tasks-schtasks)
|
|
|
|
- [Atomic Test #7 - System Service Discovery - Services Registry Enumeration](#atomic-test-7---system-service-discovery---services-registry-enumeration)
|
|
|
|
- [Atomic Test #8 - System Service Discovery - Linux init scripts](#atomic-test-8---system-service-discovery---linux-init-scripts)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - System Service Discovery
|
|
Identify system services.
|
|
|
|
Upon successful execution, cmd.exe will execute service commands with expected result to stdout.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** 89676ba1-b1f8-47ee-b940-2e1a113ebc71
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
|
|
|
|
|
|
```cmd
|
|
tasklist.exe /svc
|
|
sc query
|
|
sc query state= all
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #2 - System Service Discovery - net.exe
|
|
Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
|
|
|
|
Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in in the temp directory called service-list.txt.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3
|
|
|
|
|
|
|
|
|
|
|
|
#### Inputs:
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| output_file | Path of file to hold net.exe output | path | %temp%\service-list.txt|
|
|
|
|
|
|
#### Attack Commands: Run with `command_prompt`!
|
|
|
|
|
|
```cmd
|
|
net.exe start >> #{output_file}
|
|
```
|
|
|
|
#### Cleanup Commands:
|
|
```cmd
|
|
del /f /q /s #{output_file} >nul 2>&1
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #3 - System Service Discovery - systemctl/service
|
|
Enumerates system service using systemctl/service
|
|
|
|
**Supported Platforms:** Linux
|
|
|
|
|
|
**auto_generated_guid:** f4b26bce-4c2c-46c0-bcc5-fce062d38bef
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `bash`!
|
|
|
|
|
|
```bash
|
|
if [ "$(uname)" = 'FreeBSD' ]; then service -e; else systemctl --type=service; fi;
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #4 - Get-Service Execution
|
|
Executes the Get-Service cmdlet to gather objects representing all services on the local system.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** 51f17016-d8fa-4360-888a-df4bf92c4a04
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `command_prompt`!
|
|
|
|
|
|
```cmd
|
|
powershell.exe Get-Service
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #5 - System Service Discovery - macOS launchctl
|
|
Enumerates services on macOS using launchctl. Used by adversaries for
|
|
identifying daemons, background services, and persistence mechanisms.
|
|
|
|
**Supported Platforms:** macOS
|
|
|
|
|
|
**auto_generated_guid:** 9b378962-a75e-4856-b117-2503d6dcebba
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `sh`!
|
|
|
|
|
|
```sh
|
|
launchctl list
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #6 - System Service Discovery - Windows Scheduled Tasks (schtasks)
|
|
Enumerates scheduled tasks on Windows using schtasks.exe.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** 7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `command_prompt`!
|
|
|
|
|
|
```cmd
|
|
schtasks /query /fo LIST /v
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #7 - System Service Discovery - Services Registry Enumeration
|
|
Enumerates Windows services by reading the Services registry key
|
|
(HKLM\SYSTEM\CurrentControlSet\Services) instead of using Service Control
|
|
Manager APIs or CLI tools such as sc.exe or Get-Service.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** d70d82bd-bb00-4837-b146-b40d025551b2
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `powershell`!
|
|
|
|
|
|
```powershell
|
|
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
|
|
ForEach-Object {
|
|
$p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
|
|
[PSCustomObject]@{
|
|
Name = $_.PSChildName
|
|
DisplayName = $p.DisplayName
|
|
ImagePath = $p.ImagePath
|
|
StartType = $p.Start
|
|
}
|
|
}
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #8 - System Service Discovery - Linux init scripts
|
|
Enumerates system services by listing SysV init scripts and runlevel
|
|
symlinks under /etc/init.d and /etc/rc*.d.
|
|
|
|
**Supported Platforms:** Linux
|
|
|
|
|
|
**auto_generated_guid:** 8f2a5d2b-4018-46d4-8f3f-0fea53754690
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `sh`!
|
|
|
|
|
|
```sh
|
|
echo "[*] Listing SysV init scripts (/etc/init.d):"
|
|
if [ -d /etc/init.d ]; then ls -l /etc/init.d; else echo "/etc/init.d not present on this system"; fi
|
|
echo
|
|
echo "[*] Listing runlevel directories (/etc/rc*.d):"
|
|
ls -ld /etc/rc*.d 2>/dev/null || echo "No /etc/rc*.d directories found"
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|