security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1007/T1007.md
T
CircleCI Atomic Red Team doc generator 91e86258e6 Generate docs from job=validate_atomics_generate_docs branch=master
2019-10-24 17:09:43 +00:00

59 lines
2.0 KiB
Markdown
Raw Blame History

# T1007 - System Service Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1007)
<blockquote>Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using [Tasklist](https://attack.mitre.org/software/S0057), and "net start" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well. Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.</blockquote>
## Atomic Tests
- [Atomic Test #1 - System Service Discovery](#atomic-test-1---system-service-discovery)
- [Atomic Test #2 - System Service Discovery - net.exe](#atomic-test-2---system-service-discovery---netexe)
<br/>
## Atomic Test #1 - System Service Discovery
Identify system services
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| service_name | Name of service to start stop, query | string | svchost.exe|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
```
tasklist.exe
sc query
sc query state= all
sc start #{service_name}
sc stop #{service_name}
wmic service where (displayname like "#{service_name}") get name
```
<br/>
<br/>
## Atomic Test #2 - System Service Discovery - net.exe
Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path of file to hold net.exe output | Path | C:\Windows\Temp\service-list.txt|
#### Run it with `command_prompt`!
```
net.exe start >> #{output_file}
```
<br/>
Reference in New Issue View Git Blame Copy Permalink