System Service Discovery, Technique T1007 - Enterprise
admin@338 actors used the following command after exploiting a machine with LOWBALL malware to obtain information about services: net start >> %temp%\download [5]
APT1 used the commands net start and tasklist to get a listing of the services on the system.[6]
Aquatic Panda has attempted to discover services for third party EDR products.[7]
Babuk can enumerate all services running on a compromised host.[8]
BBSRAT can query service configuration information.[9]
BitPaymer can enumerate existing Windows services on the host that are configured to run as LocalSystem.[10]
Black Basta can check whether the service name FAX is present.[11]
BRONZE BUTLER has used TROJ_GETVERSION to discover system services.[12]
Caterpillar WebShell can obtain a list of the services from a system.[13]
Chimera has used net start and net use for system service discovery.[14]
Cobalt Strike can enumerate services on compromised hosts.[15]
Comnie runs the command: net start >> %TEMP%\info.dat on a victim.[16]
Cuba can query service status using the QueryServiceStatusEx function.[17]
DarkTortilla can retrieve information about a compromised system's running services.[18]
Dyre has the ability to identify running services on a compromised host.[19]
Earth Lusca has used Tasklist to obtain information from a compromised host.[20]
Elise executes net start after initial communication is made to the remote server.[21]
Embargo has obtained active services running on the victim’s system through the functions OpenSCManagerW() and EnumServicesStatusExW().[22]
Emissary has the capability to execute the command net start to interact with services.[23]
Epic uses the tasklist /svc command to list the services on the system.[24]
GeminiDuke collects information on programs and services on the victim that are configured to automatically run at startup.[25]
GravityRAT has a feature to list the available services on the system.[26]
GreyEnergy enumerates all Windows services.[27]
Heyoka Backdoor can check if it is running as a service on a compromised host.[28]
HotCroissant has the ability to retrieve a list of services on the infected host.[29]
Hydraq creates a backdoor through which remote attackers can monitor services.[30][31]
HyperBro can list all services and their configurations.[32]
Indrik Spider has used the win32_service WMI class to retrieve a list of services from the system.[33]
InvisiMole can obtain running services on the victim.[34]
Ixeshe can list running services.[35]
JPIN can list running services.[36]
jRAT can list local services.[37]
Ke3chang performs service discovery using net start commands.[38]
Kimsuky has used an instrumentor script to gather the names of all services running on a victim's system.[39]
Kwampirs collects a list of running services with the command tasklist /svc.[40]
LAMEHUG can gather service information on targeted systems.[41][42]
LookBack can enumerate services on the victim machine.[43]
Medusa Ransomware has leveraged an encoded list of services that it designates for termination.[44][45][46]
MirrorFace has used Tasklist for discovery post compromise.[47]
The net start command can be used in Net to find information about Windows services.[48]
OilRig has used sc query on a victim to gather information about services.[49]
During Operation CuckooBees, the threat actors used the net start command as part of their initial reconnaissance.[50]
During Operation Wocao, threat actors used the tasklist command to search for one of their backdoors.[51]
After compromising a victim, Poseidon Group discovers all running services.[52]
PoshC2 can enumerate service and service permission information.[53]
PUBLOAD has leveraged tasklist to gather running services on a victim host.[54]
Qilin can identify specific services for termination or to be left running at execution.[55][56][57][58]
RainyDay can create and register a service for execution.[59]
RATANKBA uses tasklist /svc to display running tasks.[60]
REvil can enumerate active services.[61]
S-Type runs the command net start on a victim.[62]
Sardonic has the ability to execute the net start command.[63]
SILENTTRINITY can search for modifiable services that could be used for privilege escalation.[64]
SLOTHFULMEDIA has the capability to enumerate services.[65]
SombRAT can enumerate services on a victim machine.[66]
SUNBURST collected a list of service names that were hashed using a FNV-1a + XOR algorithm to check against similarly-hashed hardcoded blocklists.[67]
Sykipot may use net start to display running services.[68]
SynAck enumerates all running services.[69][70]
SysUpdate can collect a list of services on a victim machine.[71]
Tasklist can be used to discover services running on a system.[72]
TeamTNT has searched for services such as Alibaba Cloud Security's aliyun service and BMC Helix Cloud Security's bmc-agent service in order to disable them.[73]
TrickBot collects a list of installed programs and services on the victim's machine.[74]
Turla surveys a system upon check-in to discover running services and associated processes using the tasklist /svc command.[24]
Ursnif has gathered information about running services.[75]
Volgmer queries the system to identify existing services.[76]
Volt Typhoon has used net start to list running services.[77]
WINERACK can enumerate services.[78]
ZLib has the ability to discover and manipulate Windows services.[62]