Keypoints
- Adversaries query local services to find running daemons and service binaries for exploitation or persistence.
- Common commands include sc query, tasklist /svc, systemctl --type=service, and net start.
- Service discovery can be scripted or performed via API calls through WMI, PowerShell, or remote admin tools.
- Monitor process creation, command-line arguments, and API calls to detect service enumeration behavior.
- Correlate service discovery events with lateral movement and privilege escalation attempts for context.
Description:
- Like a thief checking which doors and alarms are active before breaking in, attackers list system services to see which protections are running and which components are vulnerable.
- Adversaries query the OS for registered and running services using utilities and APIs; this reveals potential persistence points, privileged processes, and software versions that guide later exploitation or movement.
Detection:
- Log and alert on command lines invoking service enumeration tools (e.g., sc query, tasklist /svc, net start, systemctl --type=service). Use command-line monitoring on endpoints and servers.
- Monitor PowerShell and WMI activity for service-related queries. Enable PowerShell module logging, script block logging, and WMI event subscription logging to capture scripted discovery.
- Instrument process creation events (ETW, Sysmon) to capture parent-child relationships and command arguments for tools that enumerate services.
- Collect and analyze Windows API calls related to service control (e.g., OpenService, EnumServicesStatus) using EDR or kernel tracing to detect API-level enumeration by remote tools.
- Watch for anomalous patterns: frequent service queries across multiple hosts, service queries from uncommon accounts, or service enumeration immediately preceding credential theft or lateral movement.
- Be aware of false positives from legitimate admin activity. Reduce noise by baselining normal admin tooling, restricting local admin use, and whitelisting known maintenance jobs.
- Hunt using combined signals: correlate service enumeration events with network connections, new scheduled tasks, suspicious file writes to service folders, or service creation events to validate malicious chains.
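The detection and hunting points above can be turned into a small correlation rule over process-creation telemetry. The following is an added example, not part of the ATT&CK entry or any vendor product: it matches the enumeration commands named on this page (and, as an extension, PowerShell/WMI equivalents such as Get-Service and Win32_Service) against Sysmon-style process events, suppresses a constructed baseline of known admin tooling, raises severity when the parent process is one that should not be spawning shells, and escalates further when a service-creation command follows on the same host within a short window. The event records, user names, host names and the baseline set are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "ws01", "user": "CORP\\alice",
     "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"ts": "2024-05-01T10:01:10", "host": "ws01", "user": "CORP\\alice",
     "parent": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c sc query state= all"},
    {"ts": "2024-05-01T10:01:25", "host": "ws01", "user": "CORP\\alice",
     "parent": "w3wp.exe", "image": "tasklist.exe", "cmdline": "tasklist /svc"},
    {"ts": "2024-05-01T10:03:00", "host": "ws01", "user": "CORP\\alice",
     "parent": "cmd.exe", "image": "sc.exe",
     "cmdline": "sc create updsvc binPath= C:\\Users\\Public\\u.exe"},
    {"ts": "2024-05-01T11:00:00", "host": "srv02", "user": "CORP\\svc_sccm",
     "parent": "CcmExec.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c sc query ccmexec"},
    {"ts": "2024-05-01T12:00:00", "host": "lx03", "user": "deploy",
     "parent": "bash", "image": "systemctl",
     "cmdline": "systemctl --type=service --state=running"},
]

# Service enumeration commands from the page plus PowerShell/WMI equivalents.
ENUM_PATTERNS = [
    re.compile(r"\bsc(\.exe)?\s+query\b", re.I),
    re.compile(r"\btasklist(\.exe)?\b.*\s/svc\b", re.I),
    re.compile(r"\bnet(\.exe)?\s+start\s*$", re.I),   # bare 'net start' lists services
    re.compile(r"\bsystemctl\b.*--type=service", re.I),
    re.compile(r"\bGet-Service\b|\bWin32_Service\b", re.I),
]
# Service creation commands used to escalate an enumeration alert.
CREATE_PATTERNS = [
    re.compile(r"\bsc(\.exe)?\s+create\b", re.I),
    re.compile(r"\bNew-Service\b", re.I),
]
# Parents that should not normally spawn discovery commands (constructed list).
SUSPICIOUS_PARENTS = {"w3wp.exe", "winword.exe", "excel.exe", "outlook.exe"}
# Constructed baseline of (user, parent) pairs for known maintenance tooling.
KNOWN_ADMIN_TOOLING = {("CORP\\svc_sccm", "CcmExec.exe")}


def parse_ts(s):
    return datetime.fromisoformat(s)


def is_service_enum(cmdline):
    return any(p.search(cmdline) for p in ENUM_PATTERNS)


def is_service_create(cmdline):
    return any(p.search(cmdline) for p in CREATE_PATTERNS)


def find_alerts(events, baseline, window=timedelta(minutes=10)):
    """Return one alert per non-baselined service enumeration event.

    Severity starts at 'medium' and becomes 'high' if the parent is suspicious
    or a service-creation command follows on the same host within `window`.
    """
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    alerts = []
    for i, ev in enumerate(events):
        if not is_service_enum(ev["cmdline"]):
            continue
        if (ev["user"], ev["parent"]) in baseline:
            continue  # known maintenance job, suppressed to reduce noise
        alert = {"host": ev["host"], "user": ev["user"], "ts": ev["ts"],
                 "cmdline": ev["cmdline"], "severity": "medium",
                 "reasons": ["service enumeration"]}
        if ev["parent"].lower() in SUSPICIOUS_PARENTS:
            alert["severity"] = "high"
            alert["reasons"].append("spawned by " + ev["parent"])
        t0 = parse_ts(ev["ts"])
        for later in events[i + 1:]:
            if parse_ts(later["ts"]) - t0 > window:
                break
            if later["host"] == ev["host"] and is_service_create(later["cmdline"]):
                alert["severity"] = "high"
                alert["reasons"].append("followed by service creation: " + later["cmdline"])
                break
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_EVENTS, KNOWN_ADMIN_TOOLING):
        print(a["severity"].upper(), a["host"], a["user"], a["cmdline"], "|", "; ".join(a["reasons"]))
```

On the constructed sample this yields three alerts: the two enumeration commands spawned by w3wp.exe on ws01 are high (suspicious parent, and a service creation follows within ten minutes), the sc query from the SCCM agent is suppressed by the baseline, and the Linux systemctl listing is a medium-severity alert for review. In production the regexes would be fed from command-line fields of Sysmon Event ID 1 or auditd execve records, and the baseline set would be derived from observed admin tooling rather than hard-coded.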
Tactics:
Discovery
Platforms:
Linux, Windows, macOS
Data Sources:
Command: Command Execution, Process: OS API Execution, Process: Process Creation
Relationship Citations:
(Citation: Microsoft Tasklist),(Citation: Mandiant APT1),(Citation: Cobalt Strike Manual 4.3 November 2020),(Citation: ESET GreyEnergy Oct 2018),(Citation: Palo Alto Comnie),(Citation: Kaspersky Poseidon Group),(Citation: NCC Group Chimera January 2021),(Citation: Kaspersky Turla),(Citation: Cylance Dust Storm),(Citation: Lunghi Iron Tiger Linux),(Citation: F-Secure The Dukes),(Citation: FireEye admin@338),(Citation: Carbon Black HotCroissant April 2020),(Citation: Lotus Blossom Jun 2015),(Citation: Kaspersky Lab SynAck May 2018),(Citation: Symantec Orangeworm April 2018),(Citation: Palo Alto OilRig May 2016),(Citation: AlienVault Sykipot 2011),(Citation: US-CERT Volgmer Nov 2017),(Citation: FireEye SUNBURST Backdoor December 2020),(Citation: GitHub PoshC2),(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024),(Citation: Trend Micro IXESHE 2012),(Citation: Microsoft PLATINUM April 2016),(Citation: RATANKBA),(Citation: SecureList SynAck Doppelgänging May 2018),(Citation: Symantec WastedLocker June 2020),(Citation: FireEye APT37 Feb 2018),(Citation: ClearSky Lebanese Cedar Jan 2021),(Citation: Proofpoint LookBack Malware Aug 2019),(Citation: CrowdStrike AQUATIC PANDA December 2021),(Citation: Bitdefender Sardonic Aug 2021),(Citation: Emissary Trojan Feb 2016),(Citation: Trend Micro Tick November 2019),(Citation: Talos Kimsuky Nov 2021),(Citation: Crowdstrike Indrik November 2018),(Citation: Unit42 Emissary Panda May 2019),(Citation: TrendMicro Ursnif Mar 2015),(Citation: ESET InvisiMole June 2018),(Citation: Talos ZxShell Oct 2014),(Citation: Symantec Trojan.Hydraq Jan 2010),(Citation: TrendMicro EarthLusca 2022),(Citation: Cisco Talos Intelligence Group),(Citation: Symantec Hydraq Jan 2010),(Citation: Talos GravityRAT),(Citation: Intel 471 REvil March 2020),(Citation: Cybereason OperationCuckooBees May 2022),(Citation: CISA MAR SLOTHFULMEDIA October 2020),(Citation: McAfee Babuk February 2021),(Citation: GitHub SILENTTRINITY Modules July 2019),(Citation: FoxIT Wocao December 2019),(Citation: Mandiant Operation Ke3chang November 2014),(Citation: Malwarebytes Dyreza November 2015),(Citation: BlackBerry CostaRicto November 2020),(Citation: Secureworks DarkTortilla Aug 2022),(Citation: Savill 1999),(Citation: Palo Alto Networks BBSRAT),(Citation: McAfee Cuba April 2021),(Citation: SentinelOne Aoqin Dragon June 2022),(Citation: Bitdefender Naikon April 2021),(Citation: S2 Grupo TrickBot June 2017),(Citation: Kaspersky Adwind Feb 2016),(Citation: Cyble Black Basta May 2022)
Read More: https://attack.mitre.org/techniques/T1007