T1007: System Service Discovery

View on MITRE ATT&CK	T1007
Tactic(s)	Discovery
Associated CAPEC Patterns	Services Footprinting (CAPEC-574)

Data from MITRE ATT&CK®:

Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start.

Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Cyber Threat Graph Context

Explore how this ATT&CK Technique relates to the wider threat graph

Reporting on this Technique

Report

PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure

Following an initial advisory issued in May 2023, this advisory from CISA, NSA and partners outlines information on the broader campaign of cyber ...

View Source

Report

APT40 Advisory - PRC MSS tradecraft in action

This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...

View Source

Report

APT29 Uses WINELOADER to Target German Political Parties

This blog post by Mandiant describes activity by APT29, linked to Russia's SVR, which targeted German political parties with a new backdoor: ...

View Source

Report

Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks

This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...

View Source

How to detect this technique

MITRE ATT&CK Data Components

Process Creation (Process)

The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)

Command Execution (Command)

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

OS API Execution (Process)

Operating system function/method calls executed by a process

Control Validation Tests for this Technique

Use Atomic Red Team tests to test your defenses against this technique.

System Service Discovery - net.exe

System Service Discovery

System Service Discovery - systemctl/service

Sigma Detections for this Technique

Potential Configuration And Service Reconnaissance Via Reg.EXE

windows process creation

ESXi System Information Discovery Via ESXCLI

linux process creation

ESXi Storage Information Discovery Via ESXCLI

linux process creation

Crontab Enumeration

linux process creation

ESXi Network Configuration Discovery Via ESXCLI

linux process creation

HackTool - PCHunter Execution

windows process creation

ESXi VM List Discovery Via ESXCLI

linux process creation

ESXi VSAN Information Discovery Via ESXCLI

linux process creation