T1007: System Service Discovery

Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start.

Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

unix_mitre_attck_discovery: PT-CR-1683: Unix_System_Service_Discovery: Information about system services on a Unix host was received
unix_mitre_attck_discovery: PT-CR-480: Unix_Local_Mass_Recon: A large number of reconnaissance commands were executed. Possible automated reconnaissance.
mssql_database: PT-CR-559: MSSQL_Windows_Service_Discovery: An attempt to get information about a Windows service state using a stored procedure
mitre_attck_discovery: PT-CR-335: System_Service_Discovery: An attempt to retrieve a list of services is detected
sap_suspicious_user_activity: PT-CR-242: SAPASABAP_GW_Check_Registered_Tp: Guessing of registered programs
sap_suspicious_user_activity: PT-CR-248: SAPASABAP_GW_Try_Monitor_Command: Run of the SAP Gateway monitor commands

Detection

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor for newly executed processes with arguments that may try to get information about registered services. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). For Event ID 4688, depending on the Windows version, you might need to enable the Administrative Templates\System\Audit Process Creation\Include command line in process creation events group policy setting so that the command line is included in process creation events.

Analytic 1 - Suspicious Processes

((source=WinEventLog:"*Security" EventCode="4688") OR (source=WinEventLog:"*Microsoft-Windows-Sysmon/Operational" EventCode="1")) | WHERE ((CommandLine LIKE "%sc%" AND CommandLine LIKE "%query%") OR (CommandLine LIKE "%tasklist%" AND CommandLine LIKE "%/svc%") OR (CommandLine LIKE "%systemctl%" AND CommandLine LIKE "%--type=service%") OR (CommandLine LIKE "%net%" AND CommandLine LIKE "%start%"))
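The analytic above as runnable detection logic over constructed process-creation events (an added example, not part of the original page or of any vendor product). It ports the substring tests literally, then places a tighter variant beside them that keys on the image basename and whole arguments, so the reader can see which benign command lines the "%sc%"/"%net%" substrings pull in; the event fields, sample lines and function names are assumptions for the example.

```python
import shlex

# Constructed sample events shaped like extracted Sysmon Event ID 1 / Security
# 4688 records (field names as in the analytic above); not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": "4688", "CommandLine": r"C:\Windows\System32\sc.exe query state= all"},
    {"EventCode": "1",    "CommandLine": "tasklist /svc"},
    {"EventCode": "1",    "CommandLine": "systemctl --type=service"},
    {"EventCode": "4688", "CommandLine": "net start"},
    # Benign lines that contain the analytic's substrings but are not service discovery
    {"EventCode": "4688", "CommandLine": "schtasks /query /fo LIST"},
    {"EventCode": "4688", "CommandLine": "cmd.exe /c echo network started"},
]

# The pairs the analytic ANDs together as substring tests (LIKE "%a%" AND LIKE "%b%").
SUBSTRING_PAIRS = [("sc", "query"), ("tasklist", "/svc"),
                   ("systemctl", "--type=service"), ("net", "start")]

# Same pairs, keyed on the executable name and matched against whole arguments.
TOKEN_RULES = {"sc": {"query"}, "tasklist": {"/svc"},
               "systemctl": {"--type=service"}, "net": {"start"}}


def substring_match(cmdline: str) -> bool:
    """Literal port of the analytic's WHERE clause."""
    c = cmdline.lower()
    return any(a in c and b in c for a, b in SUBSTRING_PAIRS)


def token_match(cmdline: str) -> bool:
    """Tighter variant: image basename (path and .exe stripped) plus exact arguments."""
    try:
        argv = shlex.split(cmdline, posix=False)  # non-POSIX mode keeps backslashes literal
    except ValueError:                            # unterminated quote in the command line
        return False
    if not argv:
        return False
    image = argv[0].lower().rsplit("\\", 1)[-1].removesuffix(".exe")
    args = {a.lower() for a in argv[1:]}
    return bool(TOKEN_RULES.get(image, set()) & args)


def run_analytic(events, matcher):
    """Apply the EventCode filter (4688 / Sysmon 1), then the matcher; return hit command lines."""
    return [e["CommandLine"] for e in events
            if e["EventCode"] in ("4688", "1") and matcher(e["CommandLine"])]


if __name__ == "__main__":
    for name, fn in (("substring", substring_match), ("token", token_match)):
        print(name, run_analytic(SAMPLE_EVENTS, fn))
```

Running it shows the substring port firing on all six lines, while the token variant keeps the four real service-discovery commands and drops schtasks and the echo.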

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

ID: DS0009
Data source and component: Process: OS API Execution
Description:

Monitor for API calls associated with gathering information about registered local system services, such as QueryServiceStatusEx. Other Windows API calls worth monitoring include EnumServicesStatusExA, which can be used to enumerate services in the service control manager database.

Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary.