Installed Services Discovery

Information

• Name: Unknown

• ID: T1518.002

• Tactics:

Introduction

Installed Services Discovery (T1518.002) is a sub-technique within the MITRE ATT&CK framework, categorized under Discovery (T1518). This technique involves adversaries enumerating services installed on a targeted system or network to gain insights into the environment. Attackers commonly perform this step to understand the system's configuration, identify potential vulnerabilities, and plan subsequent exploitation strategies. Discovering installed services can reveal critical information such as software versions, configurations, and system roles, allowing attackers to tailor their attacks effectively.

Deep Dive Into Technique

Installed Services Discovery involves adversaries systematically identifying and enumerating services that are actively running or installed on a target system. Attackers typically employ built-in system utilities, scripts, or custom tools to gather detailed information about installed services.

Common execution methods and mechanisms include:

• Windows Systems:

  • Utilizing built-in Windows commands:

    • sc query: Lists running services and their status.

    • sc query state= all: Enumerates all services (running or stopped).

    • net start: Lists currently running services.

    • tasklist /svc: Provides a list of tasks along with associated services.

    • PowerShell commands:

      • Get-Service: Lists all services with detailed status information.

      • Get-WmiObject Win32_Service: Provides comprehensive service details including paths, states, and start modes.

  • Accessing Windows Registry keys:

    • HKLM\SYSTEM\CurrentControlSet\Services: Contains configuration data for services installed on the system.

• Linux and Unix-like Systems:

  • Using standard commands:

    • systemctl list-units --type=service: Lists active systemd services.

    • service --status-all: Enumerates all services and their status.

    • chkconfig --list: Lists services configured to run at various runlevels.

    • initctl list: Lists Upstart-managed services.

    • Checking common service directories:

      • /etc/init.d/

      • /lib/systemd/system/

      • /etc/systemd/system/

• Automated Discovery Tools:

  • Adversaries may leverage specialized enumeration tools or scripts like PowerSploit, BloodHound, or Metasploit modules to automate and streamline the discovery of installed services across multiple systems.

Real-world procedures typically involve initial reconnaissance after gaining initial foothold, followed by automated or manual enumeration to map the environment and identify potential vulnerabilities or misconfigurations.

When this Technique is Usually Used

Installed Services Discovery is frequently employed during the following attack scenarios and stages:

• Initial Reconnaissance and Discovery Stage:

  • After initial access, attackers enumerate installed services to identify potential vulnerabilities or exploitable conditions.

  • Gathering detailed information to understand the target environment and plan further lateral movements.

• Privilege Escalation and Lateral Movement Stage:

  • Identifying vulnerable services that could be exploited to escalate privileges or move laterally within the network.

  • Discovering misconfigured or outdated services that can be leveraged for further exploitation.

• Persistence and Defense Evasion Stage:

  • Identifying services suitable for persistence mechanisms (e.g., modifying legitimate services or creating new malicious services).

  • Evaluating services to determine potential methods for defense evasion, such as blending malicious activities with legitimate service behavior.

How this Technique is Usually Detected

Detection of Installed Services Discovery relies on monitoring and analyzing system activities, command execution, and network behavior. Effective detection methods include:

• Endpoint Detection and Response (EDR) Solutions:

  • Monitoring execution of service enumeration commands (sc, net, tasklist, systemctl, chkconfig).

  • Detecting abnormal or unexpected usage patterns of built-in system utilities.

• Process and Command-Line Monitoring:

  • Logging and analyzing command-line arguments and PowerShell script executions.

  • Detecting suspicious enumeration commands or scripts executed by unusual accounts or at unusual times.

• Registry and File System Monitoring:

  • Monitoring access to critical registry keys (HKLM\SYSTEM\CurrentControlSet\Services) and service configuration files (/etc/init.d/, /lib/systemd/system/).

  • Identifying unauthorized or anomalous access patterns.

• Network Traffic Analysis:

  • Detecting scanning or enumeration activities across network hosts, indicative of automated service discovery.

  • Identifying unusual internal reconnaissance traffic patterns.

Specific Indicators of Compromise (IoCs) include:

• Execution of enumeration commands from unauthorized or unexpected user accounts.

• High frequency or automated execution of service enumeration commands.

• Suspicious scripts or tools detected on endpoints performing systematic enumeration of services.

Why it is Important to Detect This Technique

Detecting Installed Services Discovery is critical for maintaining the security and integrity of systems and networks due to the following potential impacts:

• Early Identification of Reconnaissance Activities:

  • Detecting this technique early can provide an initial warning of adversary presence, allowing defenders to respond proactively before further exploitation occurs.

• Preventing Privilege Escalation and Lateral Movement:

  • Early detection of service enumeration can prevent attackers from identifying vulnerable services, thus mitigating the risk of privilege escalation and lateral movement within the network.

• Reducing Attack Surface Exposure:

  • Identifying unauthorized enumeration activities enables security teams to remediate vulnerabilities, misconfigurations, and outdated services proactively, reducing overall attack surface.

• Maintaining Operational Continuity:

  • Preventing adversaries from gaining detailed knowledge about installed services helps maintain business continuity by avoiding disruptions from targeted exploitation and attacks.

Examples

Real-world examples demonstrating the use of Installed Services Discovery include:

• APT Groups and Nation-State Actors:

  • Advanced persistent threat (APT) groups frequently leverage built-in system commands (sc, net start, tasklist) to enumerate services after initial compromise, as observed in operations attributed to groups such as APT28, APT29, and Lazarus Group.

• Ransomware Attacks:

  • Ransomware operators commonly enumerate services to identify backup solutions, antivirus software, or database services that could interfere with encryption processes. For example, Ryuk ransomware operators have been observed enumerating services to disable security software before deploying ransomware payloads.

• Penetration Testing and Red Teaming Tools:

  • Tools like PowerSploit, Metasploit Framework, and BloodHound include modules specifically designed for service enumeration, widely used in penetration testing engagements to simulate adversarial actions and identify security gaps.

• WannaCry Ransomware Incident:

  • During the WannaCry ransomware outbreak, adversaries conducted service enumeration to identify vulnerable SMB services (specifically SMBv1), which were subsequently exploited for lateral movement and spreading ransomware across networks.

• TrickBot Malware Campaigns:

  • TrickBot malware operators have been observed enumerating installed services to identify potential targets for lateral movement, privilege escalation, and persistence. The malware modules specifically query installed services to detect security tools and backup processes, aiming to disable or evade them.

These examples illustrate the widespread adoption of Installed Services Discovery as a critical reconnaissance step across diverse threat actors, attack scenarios, and targeted industries.