T1007
System Service Discovery
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query`, `tasklist /svc`, `systemctl --type=service`, and `net start`. Adversaries may also gather information about scheduled tasks via commands such as `schtasks` on Windows or `crontab -l` on Linux and macOS.(Citation: Elastic Security Labs GOSAR 2024)(Citation: Senti...
Linux, macOS, Windows
11 Detections
3 Sources
14 Threat Actors
BY SOURCE
sigma: 8, elastic: 2, splunk_escu: 1
PROCEDURES (5)
Process Creation Monitoring: 7 detections
Auto-extracted: 7 detections for process creation monitoring
Service: 1 detection
Auto-extracted: 1 detection for service
Suspicious: 1 detection
Auto-extracted: 1 detection for suspicious
Lateral: 1 detection
Auto-extracted: 1 detection for lateral
Suspicious: 1 detection
Auto-extracted: 1 detection for suspicious
THREAT ACTORS (14)
DETECTIONS (11)
Crontab Enumeration
sigma, low
Enumeration Command Spawned via WMIPrvSE
elastic, low
ESXi Network Configuration Discovery Via ESXCLI
sigma, medium
ESXi Storage Information Discovery Via ESXCLI
sigma, medium
ESXi System Information Discovery Via ESXCLI
sigma, medium
ESXi VM List Discovery Via ESXCLI
sigma, medium
ESXi VSAN Information Discovery Via ESXCLI
sigma, medium
HackTool - PCHunter Execution
sigma, high
Potential Configuration And Service Reconnaissance Via Reg.EXE
sigma, medium
PowerShell Suspicious Discovery Related Windows API Functions
elastic, low
Windows Net System Service Discovery
splunk_escu