- Tactics
- Discovery
- Platforms
- Linux, macOS, Windows
- Reference
- attack.mitre.org/techniques/T1007
Description
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start. Adversaries may also gather information about scheduled tasks via commands such as schtasks on Windows or crontab -l on Linux and macOS.(Citation: Elastic Security Labs GOSAR 2024)(Citation: SentinelLabs macOS Malware 2021)(Citation: Splunk Linux Gormir 2024)(Citation: Aquasec Kinsing 2020)
Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
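The following is an added example of detection logic for the discovery commands named above, not code from the ATT&CK page or from GTK Cyber's course material. It classifies process-creation events by command line and alerts when one host/user pair runs two or more distinct service or scheduled-task enumeration commands within a short window, which is the pattern the automated-discovery behavior in the paragraph above produces. The event field names, the regular expressions, the window and threshold, and the sample events are all assumptions constructed for this example; only listing forms of each command are matched (for instance "net start" with no arguments lists services, while "net start Spooler" starts one and is not counted).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Listing forms of the T1007 commands from the technique description.
# Patterns are constructed for this example; tune them against real telemetry.
DISCOVERY_PATTERNS = {
    "sc query":                re.compile(r"(?i)\bsc(?:\.exe)?\s+query\b"),
    "tasklist /svc":           re.compile(r"(?i)\btasklist(?:\.exe)?\b.*\s/svc\b"),
    # "net start" with no service name lists services; with a name it starts one.
    "net start (no args)":     re.compile(r"(?i)\bnet1?(?:\.exe)?\s+start\s*$"),
    "systemctl --type=service": re.compile(r"\bsystemctl\b.*--type[= ]service\b"),
    # bare "schtasks" or "schtasks /query" enumerates; /create etc. is T1053, not T1007.
    "schtasks /query":         re.compile(r"(?i)\bschtasks(?:\.exe)?(?:\s+/query\b.*|\s*)$"),
    "crontab -l":              re.compile(r"\bcrontab\s+-l\b"),
}

# Constructed process-creation events (assumed field names: ts, host, user, parent, cmdline).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:01", "host": "WS01", "user": "corp\\alice", "parent": "powershell.exe", "cmdline": "sc query"},
    {"ts": "2024-03-01T10:00:02", "host": "WS01", "user": "corp\\alice", "parent": "powershell.exe", "cmdline": "tasklist /svc"},
    {"ts": "2024-03-01T10:00:03", "host": "WS01", "user": "corp\\alice", "parent": "powershell.exe", "cmdline": "net start"},
    {"ts": "2024-03-01T10:00:05", "host": "WS01", "user": "corp\\alice", "parent": "powershell.exe", "cmdline": "schtasks /query /fo LIST /v"},
    {"ts": "2024-03-01T10:30:00", "host": "WS02", "user": "corp\\bob",   "parent": "cmd.exe",        "cmdline": "net start Spooler"},
    {"ts": "2024-03-01T11:00:00", "host": "srv01", "user": "www-data",   "parent": "bash",           "cmdline": "systemctl --type=service --state=running"},
    {"ts": "2024-03-01T11:00:01", "host": "srv01", "user": "www-data",   "parent": "bash",           "cmdline": "crontab -l"},
    {"ts": "2024-03-01T12:00:00", "host": "WS03", "user": "corp\\carol", "parent": "cmd.exe",        "cmdline": "sc query wuauserv"},
]


def classify(cmdline):
    """Return the discovery-command label a command line matches, or None."""
    for label, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(cmdline):
            return label
    return None


def detect(events, window_seconds=300, min_distinct=2):
    """Alert when one host/user runs >= min_distinct distinct discovery commands
    within window_seconds. Returns a list of alert dicts."""
    hits = defaultdict(list)
    for ev in events:
        label = classify(ev["cmdline"])
        if label:
            hits[(ev["host"], ev["user"])].append(
                (datetime.fromisoformat(ev["ts"]), label, ev["parent"]))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (host, user), seq in hits.items():
        seq.sort()
        i = 0
        while i < len(seq):
            start = seq[i][0]
            in_window = [h for h in seq[i:] if h[0] - start <= window]
            labels = sorted({h[1] for h in in_window})
            if len(labels) >= min_distinct:
                alerts.append({
                    "technique": "T1007",
                    "host": host,
                    "user": user,
                    "commands": labels,
                    "parents": sorted({h[2] for h in in_window}),
                    "first_seen": start.isoformat(),
                    "last_seen": in_window[-1][0].isoformat(),
                })
                i += len(in_window)  # consume the burst, one alert per burst
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it raises two alerts: the four-command burst on WS01 under a script host and the systemctl/crontab pair on srv01. The single "sc query wuauserv" on WS03 stays below the threshold and "net start Spooler" is never classified. In practice the parent-process set carried in each alert is the most useful tuning field: a burst parented by a script host, an Office process or a web-server worker deserves more weight than the same commands typed from an administrator's console.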
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the Discovery tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1010 — Application Window Discovery
- T1012 — Query Registry
- T1016 — System Network Configuration Discovery
- T1018 — Remote System Discovery
- T1033 — System Owner/User Discovery
- T1040 — Network Sniffing
- T1046 — Network Service Discovery
- T1049 — System Network Connections Discovery
- T1057 — Process Discovery
- T1069 — Permission Groups Discovery
- T1082 — System Information Discovery
- T1083 — File and Directory Discovery