Atomic Red Team GUID generator
48 lines
1.5 KiB
YAML
48 lines
1.5 KiB
YAML
attack_technique: T1007
|
|
display_name: System Service Discovery
|
|
atomic_tests:
|
|
- name: System Service Discovery
|
|
auto_generated_guid: 89676ba1-b1f8-47ee-b940-2e1a113ebc71
|
|
description: |
|
|
Identify system services.
|
|
|
|
Upon successful execution, cmd.exe will execute service commands with expected result to stdout.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
tasklist.exe
|
|
sc query
|
|
sc query state= all
|
|
name: command_prompt
|
|
elevation_required: true
|
|
- name: System Service Discovery - net.exe
|
|
auto_generated_guid: 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3
|
|
description: |
|
|
Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
|
|
|
|
Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in c:\Windows\Temp\service-list.txt.s
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
output_file:
|
|
description: Path of file to hold net.exe output
|
|
type: Path
|
|
default: C:\Windows\Temp\service-list.txt
|
|
executor:
|
|
command: |
|
|
net.exe start >> #{output_file}
|
|
cleanup_command: |
|
|
del /f /q /s #{output_file} >nul 2>&1
|
|
name: command_prompt
|
|
- name: System Service Discovery - systemctl
|
|
auto_generated_guid: f4b26bce-4c2c-46c0-bcc5-fce062d38bef
|
|
description: |
|
|
Enumerates system service using systemctl
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
command: |
|
|
systemctl --type=service
|
|
name: bash
|