Carrie Roberts
511bb87af2
* first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * lowercase url
1.7 KiB
1.7 KiB
T1007 - System Service Discovery
Description from ATT&CK
Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using [Tasklist](https://attack.mitre.org/software/S0057), and "net start" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well. Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Atomic Tests
Atomic Test #1 - System Service Discovery
Identify system services
Supported Platforms: Windows
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
tasklist.exe
sc query
sc query state= all
Atomic Test #2 - System Service Discovery - net.exe
Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
Supported Platforms: Windows
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Path of file to hold net.exe output | Path | C:\Windows\Temp\service-list.txt |
Attack Commands: Run with command_prompt!
net.exe start >> #{output_file}