System Service Discovery

Information

• Name: System Service Discovery

• ID: T1007

• Tactics: TA0007

Introduction

System Service Discovery (MITRE ATT&CK ID: T1007) is a tactic categorized under Discovery in the MITRE ATT&CK framework. Attackers employ this technique to enumerate system services running on a target host or network to identify potential vulnerabilities, gather information about the system's configuration, and determine possible attack vectors. By understanding the services running on a system, adversaries can tailor their attacks, exploit vulnerabilities in specific services, or perform lateral movement within the targeted environment.

Deep Dive Into Technique

System Service Discovery involves enumerating and identifying various services running on a system, including their status (active, inactive, stopped), startup configurations, service dependencies, and associated executable files. Attackers typically use built-in system utilities or custom scripts to perform service enumeration.

Common methods and tools attackers use include:

• Windows-based methods:

  • Built-in utilities such as sc query, net start, tasklist, and PowerShell cmdlets (Get-Service, Get-WmiObject Win32_Service) to enumerate running services.

  • Registry queries (reg query) to obtain service configuration details from locations such as HKLM\SYSTEM\CurrentControlSet\Services.

  • Custom scripts or malware that leverage Windows API calls to discover services silently.

• Linux-based methods:

  • Commands such as systemctl list-units, service --status-all, ps aux, and chkconfig to enumerate running and configured services.

  • Reading from directories such as /etc/init.d/, /etc/systemd/system/, and /lib/systemd/system/ to identify service configurations.

  • Leveraging scripting languages (e.g., Bash, Python) to automate enumeration.

• Network-level service discovery:

  • Tools such as Nmap, masscan, and Metasploit modules to remotely identify services running on target hosts across a network.

  • Banner grabbing and fingerprinting techniques to identify service versions and potential vulnerabilities.

Attackers often automate these discovery processes, integrating them into reconnaissance phases of their campaigns to rapidly identify vulnerable services and potential entry points.

When this Technique is Usually Used

System Service Discovery can occur at various stages within the cyber kill chain and different attack scenarios, including:

• Initial Reconnaissance:

  • Attackers enumerate services externally to identify publicly exposed services and vulnerabilities before initial exploitation.

• Initial Access and Execution:

  • Post-compromise, attackers enumerate services to understand the environment, identify security tools, and select appropriate methods for privilege escalation or persistence.

• Privilege Escalation and Lateral Movement:

  • Service enumeration helps attackers identify vulnerable services or misconfigurations that can be leveraged to escalate privileges or move laterally within the network.

• Persistence and Defense Evasion:

  • Identifying services allows attackers to determine suitable services for persistence mechanisms or to disable/modify security-related services to avoid detection.

• Impact and Data Exfiltration:

  • Enumerating services helps attackers identify critical services and data repositories to target for disruption, sabotage, or data theft.

How this Technique is Usually Detected

Detection of System Service Discovery relies on monitoring system activities, command execution patterns, and network traffic. Common detection methods and indicators include:

• Endpoint Monitoring:

  • Monitoring command-line invocation of built-in utilities (sc, net start, tasklist, systemctl, service) through endpoint detection and response (EDR) tools.

  • Detecting unusual or unauthorized PowerShell scripts or WMI queries (Win32_Service) enumerating services.

• Process Monitoring and Logging:

  • Identifying unusual processes or scripts that enumerate services repeatedly or at unusual intervals.

  • Monitoring for unusual parent-child process relationships, for example, cmd.exe spawning multiple enumeration commands.

• Network Traffic Analysis:

  • Detecting scanning activities using network monitoring tools (IDS/IPS) such as Snort, Suricata, or Zeek (Bro).

  • Identifying abnormal network scans or banner grabbing attempts using tools like Nmap or masscan.

• Behavioral Analysis and SIEM Correlation:

  • Correlating logs from multiple sources (endpoint logs, network logs, authentication logs) to detect anomalous enumeration patterns.

  • Creating detection rules in SIEM platforms (Splunk, Elasticsearch, QRadar) to trigger alerts based on enumeration command execution or repeated enumeration attempts.

• Indicators of Compromise (IoCs):

  • Frequent and unusual execution of enumeration commands (sc query, net start, systemctl, service --status-all).

  • Presence of scripts or binaries specifically designed for enumeration purposes.

  • Unusual or unauthorized access attempts to sensitive registry keys or service configuration files.

Why it is Important to Detect This Technique

Early detection of System Service Discovery is critical for preventing attackers from progressing through the cyber kill chain. Key reasons for its importance include:

• Preventing Further Exploitation:

  • Identifying enumeration activities early can prevent attackers from discovering vulnerabilities and exploiting them to escalate privileges or move laterally.

• Reducing the Attack Surface:

  • Detecting enumeration can alert defenders to potential misconfigurations or unnecessary services, allowing proactive remediation and hardening of systems.

• Minimizing Impact:

  • Early detection enables faster response, limiting attackers' ability to establish persistence, disable security controls, or disrupt critical business operations.

• Improving Incident Response Capabilities:

  • Visibility into enumeration attempts provides incident responders with valuable context about attacker objectives and targeted systems, improving the effectiveness of response actions.

• Protecting Sensitive Data and Critical Infrastructure:

  • Timely detection prevents attackers from identifying critical services or data repositories, reducing the risk of data breaches, sabotage, or ransomware attacks.

Examples

Real-world examples of System Service Discovery include:

• APT29 (Cozy Bear):

  • Utilized built-in Windows commands (sc query, tasklist) and PowerShell scripts to enumerate running services and processes on compromised hosts during reconnaissance phases.

  • This enumeration allowed APT29 to understand the security posture and identify targets for lateral movement within victim networks.

• FIN7:

  • Leveraged PowerShell scripts and native Windows utilities (net start, WMI queries) to enumerate services and identify security software running on compromised point-of-sale (POS) systems.

  • Enumeration allowed FIN7 to disable or evade security controls, facilitating data theft and persistence.

• TrickBot Malware:

  • TrickBot employed built-in Windows commands (sc query, registry queries) to enumerate antivirus and endpoint protection services.

  • Enumeration results allowed TrickBot to disable or evade security software, facilitating subsequent payload delivery and lateral movement.

• Ryuk Ransomware:

  • Attackers behind Ryuk ransomware utilized scripts and built-in utilities (net start, tasklist) to identify critical services and backup solutions.

  • Service enumeration enabled Ryuk attackers to target backup services specifically, increasing the effectiveness and impact of ransomware attacks.

• Red Team and Penetration Testing Tools:

  • Tools such as Metasploit, Empire, and Cobalt Strike include modules to automate service enumeration processes during penetration tests and red team engagements.

  • Enumeration modules help testers identify vulnerable services, misconfigurations, and potential attack paths, demonstrating the importance of detecting such activities during defensive assessments.