Find sigma rule

Attack: System Service Discovery

Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start.

Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

MITRE

Tactic

discovery

technique

T1007

Test : System Service Discovery - net.exe

OS

windows

Description:

Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.

Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in in the temp directory called service-list.txt.

Executor

command_prompt

Sigma Rule

proc_creation_win_net_start_service.yml (id: 2a072a96-a086-49fa-bcb5-15cc5a619093)
proc_creation_win_net_execution.yml (id: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test