Applied Cybernetics Group
T1007 — System Service Discovery
- Technique: T1007
- Tactics: Discovery
- MISP citations: 0
- KEV CVEs mapped: 1
- Community rules: 11
- thrunt rules: 0
- Upstream: https://attack.mitre.org/techniques/T1007
MITRE description
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query`, `tasklist /svc`, `systemctl --type=service`, and `net start`. Adversaries may also gather information about scheduled tasks via commands such as `schtasks` on Windows or `crontab -l` on Linux and macOS. (Citation: Elastic Security Labs GOSAR 2024) (Citation: SentinelLabs macOS Malware 2021) (Citation: Splunk Linux Gormir 2024) (Citation: Aquasec Kinsing 2020) Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
Detection coverage
SigmaHQ community rules
- Potential Registry Reconnaissance Via PowerShell Script (threat-hunting)
- Net.EXE Execution (threat-hunting)
- SC.EXE Query Execution (threat-hunting)
- Crontab Enumeration (core)
- ESXi Network Configuration Discovery Via ESXCLI (core)
- ESXi Storage Information Discovery Via ESXCLI (core)
- ESXi System Information Discovery Via ESXCLI (core)
- ESXi VM List Discovery Via ESXCLI (core)
- ESXi VSAN Information Discovery Via ESXCLI (core)
- HackTool - PCHunter Execution (core)
- Potential Configuration And Service Reconnaissance Via Reg.EXE (core)