# T1007 System Service Discovery

-----------------------------------------------------------------------

## Technique Description

Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as <code>sc query</code>, <code>tasklist /svc</code>, <code>systemctl --type=service</code>, and <code>net start</code>.

Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

## Technique Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).

-----------------------------------------------------------------------

### Tactics:

  *   Discovery

### Platforms:

  * Windows

  * macOS

  * Linux

### Data Sources:

  * **Process:** Process Creation

  * **Command:** Command Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) has attempted to discover services for third party EDR products.(Citation: CrowdStrike AQUATIC PANDA December 2021)| 
| Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) has used the win32_service WMI class to retrieve a list of services from the system.(Citation: Symantec WastedLocker June 2020) | 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has used the <code>tasklist</code> command to search for one of its backdoors.(Citation: FoxIT Wocao December 2019)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used <code>net start</code> and <code>net use</code> for system service discovery.(Citation: NCC Group Chimera January 2021)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used an instrumentor script to gather the names of all services running on a victim's system.(Citation: Talos Kimsuky Nov 2021)| 
| BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used TROJ_GETVERSION to discover system services.(Citation: Trend Micro Tick November 2019)| 
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used <code>sc query</code> on a victim to gather information about services.(Citation: Palo Alto OilRig May 2016)| 
| Poseidon Group | After compromising a victim, [Poseidon Group](https://attack.mitre.org/groups/G0033) discovers all running services.(Citation: Kaspersky Poseidon Group)| 
| admin@338 | [admin@338](https://attack.mitre.org/groups/G0018) actors used the following command following exploitation of a machine with [LOWBALL](https://attack.mitre.org/software/S0042) malware to obtain information about services: <code>net start >> %temp%\download</code>(Citation: FireEye admin@338)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover running services and associated processes using the <code>tasklist /svc</code> command.(Citation: Kaspersky Turla)| 
| APT1 | [APT1](https://attack.mitre.org/groups/G0006) used the commands <code>net start</code> and <code>tasklist</code> to get a listing of the services on the system.(Citation: Mandiant APT1)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) performs service discovery using <code>net start</code> commands.(Citation: Mandiant Operation Ke3chang November 2014)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1007)

  * [Capec](https://capec.mitre.org/data/definitions/574.html)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 28 June 2022

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will enumerate registered and running system services soon after gaining access (for example with `tasklist /svc`, `net start`, `sc query`, `Get-Service` or the WMI `Win32_Service` class) to identify security products such as EDR and to shape follow-on actions, including whether to fully infect the host and which lateral movement or persistence options are available.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Turla| 1 | |

#### Turla 
- Surveys a system upon check-in to discover running services and associated processes using the `tasklist /svc` command.

## Detection Blindspots

- Sensor location: the host analytic depends on Sysmon Event ID 1 (process creation) and its command line. Enumeration that never spawns a distinct process, such as a remote access tool calling the Windows service-control API directly or a WMI `Win32_Service` query issued in-process (see Indrik Spider above), produces no matching command line, and hosts without Sysmon or equivalent process auditing are blind to this technique entirely.

## Analytical References
- [SecureList - The Epic Turla Operation](https://securelist.com/the-epic-turla-operation/65545/) <-- Showcases `net` use.


-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Commands that enumerate services are not inherently malicious; these events should not be viewed in isolation, but as part of a chain of behavior (for example, several discovery commands from the same shell in a short window, or a check for an EDR service followed by an attempt to stop it) that could lead to other activities such as Lateral Movement.

#### Analytic 1

  * **Information:** Monitor processes and command-line arguments for actions that could be taken to gather system information related to services.

  * **Source:** Sysmon, Winlogbeat

  * **Tool:** Kibana

  * **Notes:** Administrators and monitoring agents run these commands legitimately, so baseline on the parent process (an interactive `explorer.exe` > `cmd.exe` chain versus a binary in a temp or user-writable path) and on the account. `sc.exe query` does not contain the substring `sc query`, so both forms are matched below; `net1 start` (the helper `net.exe` spawns) and `queryex` are covered for the same reason. The `Win32_Service` term catches WMI enumeration from PowerShell or `wmic`, but enumeration done in-process through the service-control API leaves no command line at all. Confirm that the wildcards are interpreted as wildcards in the query syntax you have selected in Kibana (KQL versus Lucene) by testing against a known event before relying on the query.

  * **Query:** ```Event_ID:1 AND commandline:("*tasklist /svc*" OR "*net start *" OR "*net1 start *" OR "*sc query*" OR "*sc.exe query*" OR "*queryex*" OR "*get-service *" OR "*gsv *" OR "*wmic*service*" OR "*Win32_Service*" OR "*systemctl*service*")```
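The detection guidance in the technique description and Analytic 1 above can be applied outside Kibana as well. The following is an added example written for this page (it is not code from the original page or from any cited report): it re-implements the Analytic 1 patterns in Python over a simplified, constructed process-creation event shape (flat `timestamp`, `host`, `user`, `event_id`, `parent_image`, `image`, `command_line` fields rather than the full Winlogbeat document), and adds the "chain of behavior" logic from the Hunter Notes by raising a cluster only when two or more distinct service-discovery methods are seen for the same host and user inside a ten-minute window. The sample events, the window length and the `min_distinct` threshold are assumptions for illustration.

```python
"""Hunt for T1007 System Service Discovery in Sysmon Event ID 1 records.

Added example for this hunt page, not a tool from the page or any cited report.
Single discovery commands are recorded as low-signal hits; several distinct
discovery methods from one host/user within a short window are raised as a cluster.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line signatures for the enumeration methods named on this page.
# Case-insensitive and tolerant of "sc.exe" vs "sc", "net1" vs "net",
# "queryex" vs "query", and remote targets such as "sc \\host query".
PATTERNS = {
    "tasklist /svc": re.compile(r"\btasklist(?:\.exe)?\b.*\s/svc\b", re.I),
    "net start": re.compile(r"\bnet1?(?:\.exe)?\s+start\b", re.I),
    "sc query": re.compile(r"\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?query(?:ex)?\b", re.I),
    "Get-Service": re.compile(r"\b(?:get-service|gsv)\b", re.I),
    "wmic service": re.compile(r"\bwmic(?:\.exe)?\b.*\bservice\b", re.I),
    "Win32_Service": re.compile(r"\bwin32_service\b", re.I),
    "systemctl --type=service": re.compile(r"\bsystemctl\b.*--type[= ]service\b", re.I),
}


def classify(command_line):
    """Return the names of every service-discovery signature the command line matches."""
    return [name for name, rx in PATTERNS.items() if rx.search(command_line or "")]


def hunt(events, window=timedelta(minutes=10), min_distinct=2):
    """Score process-creation events.

    Returns (hits, clusters): every matching Event ID 1 record, and one cluster
    per host/user whose hits span at least `min_distinct` discovery methods
    within `window`. Only Event ID 1 records are considered, because only
    process creation carries the command line the signatures need.
    """
    hits = []
    for ev in events:
        if ev.get("event_id") != 1:
            continue
        labels = classify(ev.get("command_line"))
        if labels:
            hits.append({**ev, "labels": labels,
                         "ts": datetime.fromisoformat(ev["timestamp"])})
    hits.sort(key=lambda h: h["ts"])

    by_actor = defaultdict(list)
    for h in hits:
        by_actor[(h["host"], h["user"])].append(h)

    clusters = []
    for (host, user), seq in by_actor.items():
        for i, start in enumerate(seq):
            in_window = [h for h in seq[i:] if h["ts"] - start["ts"] <= window]
            distinct = sorted({lbl for h in in_window for lbl in h["labels"]})
            if len(distinct) >= min_distinct:
                clusters.append({"host": host, "user": user,
                                 "first_seen": start["ts"].isoformat(),
                                 "techniques": distinct,
                                 "event_count": len(in_window)})
                break  # one cluster per actor is enough to raise for triage
    return hits, clusters


# Constructed sample events (not real telemetry), in the simplified shape above.
SAMPLE_EVENTS = [
    # An administrator checking one service from an interactive shell: single hit.
    {"timestamp": "2022-06-28T09:02:11", "host": "WS01", "user": "CORP\\jsmith", "event_id": 1,
     "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "sc query spooler"},
    # A check-in survey from a binary in a temp path: three distinct methods in seconds.
    {"timestamp": "2022-06-28T09:15:00", "host": "WS02", "user": "CORP\\svc_backup", "event_id": 1,
     "parent_image": "C:\\Windows\\Temp\\update.exe", "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c tasklist /svc"},
    {"timestamp": "2022-06-28T09:15:04", "host": "WS02", "user": "CORP\\svc_backup", "event_id": 1,
     "parent_image": "C:\\Windows\\Temp\\update.exe", "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c net start >> %temp%\\download"},
    {"timestamp": "2022-06-28T09:15:09", "host": "WS02", "user": "CORP\\svc_backup", "event_id": 1,
     "parent_image": "C:\\Windows\\Temp\\update.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell -nop -c \"Get-WmiObject Win32_Service | select Name,State\""},
    # A non-Event-ID-1 record that happens to carry a matching field: must be ignored.
    {"timestamp": "2022-06-28T09:16:00", "host": "WS02", "user": "CORP\\svc_backup", "event_id": 3,
     "command_line": "sc query"},
    # "net use" is not service discovery and must not match "net start".
    {"timestamp": "2022-06-28T09:20:00", "host": "WS03", "user": "CORP\\admin", "event_id": 1,
     "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "net use \\\\fs01\\share"},
]

if __name__ == "__main__":
    hits, clusters = hunt(SAMPLE_EVENTS)
    for h in hits:
        print(f"[hit]     {h['host']} {h['user']} {h['labels']} :: {h['command_line']}")
    for c in clusters:
        print(f"[cluster] {c['host']} {c['user']} {c['techniques']} ({c['event_count']} events)")
```

Running the block against the constructed events records four hits and raises a single cluster for `WS02`/`CORP\svc_backup`, while the lone `sc query spooler` on `WS01` stays a low-signal hit for baseline review. The parent image is carried through on each hit so that a triage query can separate interactive administrator shells from processes launched out of temp directories.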




-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Service discovery is host-local and normally leaves no network artifact. It becomes visible on the wire only when run against a remote host, for example `sc \\host query` (Service Control Manager RPC over SMB, via the `svcctl` named pipe) or a WMI `Win32_Service` query over DCOM or WinRM, so a network analytic should look for those protocols from unexpected sources rather than for the commands themselves.

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```