
System Service Discovery

Description from ATT&CK

Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start.

Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Atomic Tests

Atomic Test #1 - System Service Discovery

Identify system services.

Upon successful execution, cmd.exe will run the service enumeration commands and write their output to stdout.

Supported Platforms: windows

auto_generated_guid: 89676ba1-b1f8-47ee-b940-2e1a113ebc71

Inputs:

None

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

tasklist.exe
sc query
sc query state= all

Atomic Test #2 - System Service Discovery - net.exe

Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.

Upon successful execution, net.exe will run from cmd.exe and query started services. Expected output is written to a text file at C:\Windows\Temp\service-list.txt.

Supported Platforms: windows

auto_generated_guid: 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3

Inputs:

Name         Description                          Type   Default Value
output_file  Path of file to hold net.exe output  Path   C:\Windows\Temp\service-list.txt

Attack Commands: Run with command_prompt!

net.exe start >> #{output_file}

Cleanup Commands:

del /f /q /s #{output_file} >nul 2>&1
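A defender-side example, added here and not part of the Atomic Red Team project: it runs detection logic over constructed process-creation command lines, flags the utilities the ATT&CK description names (sc query, tasklist /svc, net start, systemctl --type=service) including the exact command lines of both atomic tests above, and groups hosts on which several discovery commands chain together as Test #1 does. Field names, hostnames and rule names are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation records (the fields a Sysmon Event ID 1 or
# Security 4688 feed carries); not telemetry from any real host.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "tasklist.exe"},
    {"host": "ws01", "cmdline": "sc  query state= all"},
    {"host": "ws01", "cmdline": r'"C:\Windows\System32\tasklist.exe" /svc'},
    {"host": "srv02", "cmdline": r"net.exe start >> C:\Windows\Temp\service-list.txt"},
    {"host": "srv02", "cmdline": "sc start Spooler"},
    {"host": "lnx03", "cmdline": "systemctl --type=service --state=running"},
]

# One rule per discovery command named on this page. The optional leading path and
# .exe suffix cover bare and fully-qualified invocations; net1.exe is what net.exe
# hands most subcommands to, so it is matched as well.
SERVICE_DISCOVERY_RULES = [
    ("sc_query", re.compile(r"^(?:.*\\)?sc(?:\.exe)?\s+query\b", re.I)),
    ("tasklist_svc", re.compile(r"^(?:.*\\)?tasklist(?:\.exe)?\s.*/svc\b", re.I)),
    ("net_start", re.compile(r"^(?:.*\\)?net1?(?:\.exe)?\s+start\b", re.I)),
    ("systemctl_services", re.compile(r"^(?:.*/)?systemctl\s.*--type[= ]service\b", re.I)),
]

def normalise(cmdline: str) -> str:
    """Unquote a quoted first token and collapse runs of whitespace."""
    text = re.sub(r'^"([^"]*)"', r"\1", cmdline.strip())
    return re.sub(r"\s+", " ", text)

def classify(cmdline: str) -> Optional[str]:
    """Return the matching rule name, or None. A bare `tasklist.exe` (Test #1)
    lists processes without their services, so only the /svc form is flagged."""
    text = normalise(cmdline)
    for name, pattern in SERVICE_DISCOVERY_RULES:
        if pattern.search(text):
            return name
    return None

def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Tag every event that matches a rule; the file redirection used by Test #2
    stays in the record so an analyst can go and collect the output file."""
    return [{**ev, "rule": rule} for ev in events if (rule := classify(ev["cmdline"]))]

def hosts_with_chained_discovery(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Hosts where two or more distinct discovery commands ran, the pattern Test #1 produces."""
    seen: Dict[str, set] = {}
    for hit in hits:
        seen.setdefault(hit["host"], set()).add(hit["rule"])
    return {host: len(rules) for host, rules in seen.items() if len(rules) >= 2}
```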
