Hare Sudhan
7dfdc97d79
* FreeBSD Cleanup * cleanup * fix t1016 * reducing multiline if else to single line * fix t1037.003 * ignore T1003.007 * fix t1003.007 * more fixes
47 lines
1.6 KiB
YAML
47 lines
1.6 KiB
YAML
attack_technique: T1007
|
|
display_name: System Service Discovery
|
|
atomic_tests:
|
|
- name: System Service Discovery
|
|
auto_generated_guid: 89676ba1-b1f8-47ee-b940-2e1a113ebc71
|
|
description: |
|
|
Identify system services.
|
|
|
|
Upon successful execution, cmd.exe will execute service commands with expected result to stdout.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
tasklist.exe
|
|
sc query
|
|
sc query state= all
|
|
name: command_prompt
|
|
elevation_required: true
|
|
- name: System Service Discovery - net.exe
|
|
auto_generated_guid: 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3
|
|
description: |
|
|
Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
|
|
|
|
Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in in the temp directory called service-list.txt.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
output_file:
|
|
description: Path of file to hold net.exe output
|
|
type: path
|
|
default: '%temp%\service-list.txt'
|
|
executor:
|
|
command: |
|
|
net.exe start >> #{output_file}
|
|
cleanup_command: |
|
|
del /f /q /s #{output_file} >nul 2>&1
|
|
name: command_prompt
|
|
- name: System Service Discovery - systemctl/service
|
|
auto_generated_guid: f4b26bce-4c2c-46c0-bcc5-fce062d38bef
|
|
description: |
|
|
Enumerates system service using systemctl/service
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
command: |
|
|
if [ "$(uname)" = 'FreeBSD' ]; then service -e; else systemctl --type=service; fi;
|
|
name: bash |