CircleCI Atomic Red Team doc generator
1.8 KiB
T1007 - System Service Discovery
Description from ATT&CK
Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist, and "net start" using Net, but adversaries may also use other tools as well.Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Platforms: Windows
Data Sources: Process command-line parameters, Process monitoring
Permissions Required: User, Administrator, SYSTEM
Atomic Tests
Atomic Test #1 - System Service Discovery
Identify system services
Supported Platforms: Windows
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| service_name | Name of service to start stop, query | string | svchost.exe |
Run it with command_prompt!
tasklist.exe
sc query
sc query state= all
sc start #{service_name}
sc stop #{service_name}
wmic service where (displayname like "#{service_name}") get name