atomic-red-team/atomics/T1007/T1007.yaml

---
attack_technique: T1007
display_name: System Service Discovery

atomic_tests:
- name: System Service Discovery
  description: |
    Identify system services

  supported_platforms:
    - windows

  executor:
    name: command_prompt
    elevation_required: true
    command: |
      tasklist.exe
      sc query
      sc query state= all

- name: System Service Discovery - net.exe
  description: |
    Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
  supported_platforms:
    - windows
  input_arguments:
    output_file:
      description: Path of file to hold net.exe output
      type: Path
      default: C:\Windows\Temp\service-list.txt
  executor:
    name: command_prompt
    elevation_required: false
    command: |
      net.exe start >> #{output_file}