T1007 · discovery · 14 actors · 1 correlated reports

System Service Discovery

Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Open detection, hunting, mitigation, and evidence workspace

Detection logic

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Observed actors

Indrik Spider
G0119 Kimsuky
G0094 admin@338
G0018 Volt Typhoon
G1017 TeamTNT
G0139 OilRig
G0049 Aquatic Panda
G0143 Ke3chang
G0004 APT1
G0006 Turla
G0010 Poseidon Group
G0033 Chimera
G0114 BRONZE BUTLER
G0060 Earth Lusca
G1006

Correlated CTI and IR reports

Executive Summary
Israel Threat Actors CTI · explicit report mention

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research