security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
use-basic-parsing
atomic-red-team/atomics/T1007/T1007.yaml
T
Atomic Red Team doc generator 0de6af53a1 Generated docs from job=generate-docs branch=master [ci skip]
2025-11-29 04:49:25 +00:00

113 lines
4.0 KiB
YAML
Raw Permalink Blame History

attack_technique: T1007
display_name: System Service Discovery
atomic_tests:
- name: System Service Discovery
auto_generated_guid: 89676ba1-b1f8-47ee-b940-2e1a113ebc71
description: |
Identify system services.
Upon successful execution, cmd.exe will execute service commands with expected result to stdout.
supported_platforms:
- windows
executor:
command: |
tasklist.exe /svc
sc query
sc query state= all
name: command_prompt
elevation_required: true
- name: System Service Discovery - net.exe
auto_generated_guid: 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3
description: |
Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in in the temp directory called service-list.txt.
supported_platforms:
- windows
input_arguments:
output_file:
description: Path of file to hold net.exe output
type: path
default: '%temp%\service-list.txt'
executor:
command: |
net.exe start >> #{output_file}
cleanup_command: |
del /f /q /s #{output_file} >nul 2>&1
name: command_prompt
- name: System Service Discovery - systemctl/service
auto_generated_guid: f4b26bce-4c2c-46c0-bcc5-fce062d38bef
description: |
Enumerates system service using systemctl/service
supported_platforms:
- linux
executor:
command: |
if [ "$(uname)" = 'FreeBSD' ]; then service -e; else systemctl --type=service; fi;
name: bash
- name: Get-Service Execution
auto_generated_guid: 51f17016-d8fa-4360-888a-df4bf92c4a04
description: Executes the Get-Service cmdlet to gather objects representing all services on the local system.
supported_platforms:
- windows
executor:
name: command_prompt
command: powershell.exe Get-Service
- name: System Service Discovery - macOS launchctl
auto_generated_guid: 9b378962-a75e-4856-b117-2503d6dcebba
description: |
Enumerates services on macOS using launchctl. Used by adversaries for
identifying daemons, background services, and persistence mechanisms.
supported_platforms:
- macos
executor:
name: sh
command: launchctl list
- name: System Service Discovery - Windows Scheduled Tasks (schtasks)
auto_generated_guid: 7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a
description: |
Enumerates scheduled tasks on Windows using schtasks.exe.
supported_platforms:
- windows
executor:
name: command_prompt
command: schtasks /query /fo LIST /v
- name: System Service Discovery - Services Registry Enumeration
auto_generated_guid: d70d82bd-bb00-4837-b146-b40d025551b2
description: |
Enumerates Windows services by reading the Services registry key
(HKLM\SYSTEM\CurrentControlSet\Services) instead of using Service Control
Manager APIs or CLI tools such as sc.exe or Get-Service.
supported_platforms:
- windows
executor:
name: powershell
command: |
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
ForEach-Object {
$p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
[PSCustomObject]@{
Name = $_.PSChildName
DisplayName = $p.DisplayName
ImagePath = $p.ImagePath
StartType = $p.Start
}
}
- name: System Service Discovery - Linux init scripts
auto_generated_guid: 8f2a5d2b-4018-46d4-8f3f-0fea53754690
description: |
Enumerates system services by listing SysV init scripts and runlevel
symlinks under /etc/init.d and /etc/rc*.d.
supported_platforms:
- linux
executor:
name: sh
command: |
echo "[*] Listing SysV init scripts (/etc/init.d):"
if [ -d /etc/init.d ]; then ls -l /etc/init.d; else echo "/etc/init.d not present on this system"; fi
echo
echo "[*] Listing runlevel directories (/etc/rc*.d):"
ls -ld /etc/rc*.d 2>/dev/null || echo "No /etc/rc*.d directories found"
Reference in New Issue View Git Blame Copy Permalink