T1007

System Service Discovery

Adversaries may try to gather information about registered local system services to shape follow-on behaviors. Common techniques include using sc query, tasklist /svc, net start, systemctl --type=service, and WMI queries (win32_service) to enumerate running and installed services. This reconnaissance helps adversaries identify security products to disable, lateral movement opportunities via vulnerable services, and persistence mechanisms already in place. Malware families including Ursnif, Kwampirs, Comnie, Elise, and SLOTHFULMEDIA all leverage service enumeration as part of their post-compromise discovery phase.

Microsoft Sentinel / Defender

kusto

let ServiceDiscoveryCommands = dynamic([
  "sc query", "sc.exe query",
  "tasklist /svc", "tasklist.exe /svc",
  "net start", "net1 start",
  "win32_service", "Win32_Service",
  "Get-Service", "get-service",
  "systemctl --type=service", "systemctl list-units",
  "service --status-all", "chkconfig --list"
]);
let ServiceDiscoveryBinaries = dynamic([
  "sc.exe", "tasklist.exe", "net.exe", "net1.exe", "wmic.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName in~ (ServiceDiscoveryBinaries) and ProcessCommandLine has_any ("query", "/svc", "start", "win32_service"))
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-Service", "Win32_Service", "win32_service"))
    or (FileName in~ ("wmic.exe") and ProcessCommandLine has_any ("service", "win32_service"))
)
| extend IsScQuery = FileName =~ "sc.exe" and ProcessCommandLine has "query"
| extend IsTasklistSvc = FileName =~ "tasklist.exe" and ProcessCommandLine has "/svc"
| extend IsNetStart = FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has "start"
| extend IsWmicService = FileName =~ "wmic.exe" and ProcessCommandLine has_any ("service", "win32_service")
| extend IsPSGetService = FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-Service", "Win32_Service")
| extend SuspiciousParent = InitiatingProcessFileName has_any ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "svchost.exe") 
    and not (InitiatingProcessFileName =~ "svchost.exe" and AccountName =~ "SYSTEM")
| where IsScQuery or IsTasklistSvc or IsNetStart or IsWmicService or IsPSGetService
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsScQuery, IsTasklistSvc, IsNetStart, IsWmicService, IsPSGetService, SuspiciousParent
| sort by Timestamp desc

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

System administrators and IT staff routinely run sc query, net start, and tasklist /svc for legitimate troubleshooting and monitoring
Remote management and monitoring (RMM) tools such as ConnectWise, Datto, N-able, and Kaseya execute service enumeration as part of inventory collection
Software installation and configuration management tools (SCCM, Ansible, Puppet, Chef) query services to verify installation state
Vulnerability scanners and compliance tools (Qualys, Tenable, CrowdStrike Spotlight) enumerate services as part of scheduled scans
Endpoint detection and response (EDR) agents may themselves call WMI win32_service queries during telemetry collection
Developer tooling and CI/CD pipeline agents querying service states during automated testing

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (
    (Image="*\\sc.exe" AND (CommandLine="*query*" OR CommandLine="* q *" OR CommandLine="* qc *"))
    OR (Image="*\\tasklist.exe" AND CommandLine="*/svc*")
    OR ((Image="*\\net.exe" OR Image="*\\net1.exe") AND (CommandLine="* start*" OR CommandLine="*start *"))
    OR (Image="*\\wmic.exe" AND (CommandLine="*win32_service*" OR CommandLine="*service get*" OR CommandLine="*service list*"))
    OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe") AND (CommandLine="*Get-Service*" OR CommandLine="*get-service*" OR CommandLine="*Win32_Service*"))
  )
| eval IsScQuery=if(match(Image, "sc\.exe$") AND match(lower(CommandLine), "query|\s+q\s|\ qc "), 1, 0)
| eval IsTasklistSvc=if(match(Image, "tasklist\.exe$") AND match(lower(CommandLine), "/svc"), 1, 0)
| eval IsNetStart=if(match(Image, "net1?\.exe$") AND match(lower(CommandLine), "start"), 1, 0)
| eval IsWmicService=if(match(Image, "wmic\.exe$") AND match(lower(CommandLine), "win32_service|service get|service list"), 1, 0)
| eval IsPSGetService=if(match(Image, "powershell\.exe$|pwsh\.exe$") AND match(lower(CommandLine), "get-service|win32_service"), 1, 0)
| eval SuspiciousParent=if(match(lower(ParentImage), "wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|bitsadmin\.exe"), 1, 0)
| eval DiscoveryScore=IsScQuery + IsTasklistSvc + IsNetStart + IsWmicService + IsPSGetService
| where DiscoveryScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsScQuery, IsTasklistSvc, IsNetStart, IsWmicService, IsPSGetService, SuspiciousParent, DiscoveryScore
| sort - _time

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

System administrators and IT staff routinely run sc query, net start, and tasklist /svc for legitimate troubleshooting and monitoring
Remote management and monitoring (RMM) tools such as ConnectWise, Datto, N-able, and Kaseya execute service enumeration as part of inventory collection
Software installation and configuration management tools (SCCM, Ansible, Puppet, Chef) query services to verify installation state
Vulnerability scanners and compliance tools (Qualys, Tenable, CrowdStrike Spotlight) enumerate services as part of scheduled scans
Endpoint detection and response (EDR) agents may themselves call WMI win32_service queries during telemetry collection
Developer tooling and CI/CD pipeline agents querying service states during automated testing

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceHost,
  username AS Username,
  "Process Name" AS ProcessImage,
  "Command" AS CommandLine,
  "Parent Process Name" AS ParentProcess,
  QIDNAME(qid) AS EventName,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
  AND QIDNAME(qid) ILIKE '%process%create%'
  AND (
    (
      LOWER("Process Name") LIKE '%\\sc.exe'
      AND (
        LOWER("Command") LIKE '%query%'
        OR LOWER("Command") LIKE '% q %'
        OR LOWER("Command") LIKE '% qc %'
      )
    )
    OR (
      LOWER("Process Name") LIKE '%\\tasklist.exe'
      AND LOWER("Command") LIKE '%/svc%'
    )
    OR (
      (LOWER("Process Name") LIKE '%\\net.exe' OR LOWER("Process Name") LIKE '%\\net1.exe')
      AND LOWER("Command") LIKE '%start%'
    )
    OR (
      LOWER("Process Name") LIKE '%\\wmic.exe'
      AND (
        LOWER("Command") LIKE '%win32_service%'
        OR LOWER("Command") LIKE '%service get%'
        OR LOWER("Command") LIKE '%service list%'
      )
    )
    OR (
      (LOWER("Process Name") LIKE '%\\powershell.exe' OR LOWER("Process Name") LIKE '%\\pwsh.exe')
      AND (
        LOWER("Command") LIKE '%get-service%'
        OR LOWER("Command") LIKE '%win32_service%'
      )
    )
  )
LAST 24 HOURS

medium severity high confidence

Data Sources

IBM QRadar SIEM Microsoft Sysmon DSM for QRadar Windows Security Event Log DSM

Required Tables

events

False Positives

Helpdesk and IT support staff running sc.exe or net start from interactive sessions to diagnose service failures on user workstations
Automated IT operations platforms (ServiceNow Discovery, Tanium, BigFix) that regularly poll service inventory across the fleet as part of asset management
Vulnerability management and compliance scanners (Tenable Nessus, Qualys, CIS-CAT) that enumerate installed services as part of configuration baseline audits

Sumo Logic CSE

sql

(_sourceCategory=*windows*sysmon* OR _sourceCategory=*sysmon*)
| where EventCode = "1"
| where (
    (Image matches "*\\sc.exe" AND (CommandLine contains "query" OR CommandLine contains " q " OR CommandLine contains " qc "))
    OR (Image matches "*\\tasklist.exe" AND toLowerCase(CommandLine) contains "/svc")
    OR ((Image matches "*\\net.exe" OR Image matches "*\\net1.exe") AND toLowerCase(CommandLine) contains "start")
    OR (Image matches "*\\wmic.exe" AND (toLowerCase(CommandLine) contains "win32_service" OR toLowerCase(CommandLine) contains "service get" OR toLowerCase(CommandLine) contains "service list"))
    OR ((Image matches "*\\powershell.exe" OR Image matches "*\\pwsh.exe") AND (toLowerCase(CommandLine) contains "get-service" OR toLowerCase(CommandLine) contains "win32_service"))
  )
| eval IsScQuery = if(Image matches "*\\sc.exe" AND (CommandLine contains "query" OR CommandLine contains " q " OR CommandLine contains " qc "), 1, 0)
| eval IsTasklistSvc = if(Image matches "*\\tasklist.exe" AND toLowerCase(CommandLine) contains "/svc", 1, 0)
| eval IsNetStart = if((Image matches "*\\net.exe" OR Image matches "*\\net1.exe") AND toLowerCase(CommandLine) contains "start", 1, 0)
| eval IsWmicService = if(Image matches "*\\wmic.exe" AND (toLowerCase(CommandLine) contains "win32_service" OR toLowerCase(CommandLine) contains "service get" OR toLowerCase(CommandLine) contains "service list"), 1, 0)
| eval IsPSGetService = if((Image matches "*\\powershell.exe" OR Image matches "*\\pwsh.exe") AND (toLowerCase(CommandLine) contains "get-service" OR toLowerCase(CommandLine) contains "win32_service"), 1, 0)
| eval DiscoveryScore = IsScQuery + IsTasklistSvc + IsNetStart + IsWmicService + IsPSGetService
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, IsScQuery, IsTasklistSvc, IsNetStart, IsWmicService, IsPSGetService, DiscoveryScore
| sort by _messageTime desc

medium severity high confidence

Data Sources

Sumo Logic Cloud SIEM Sysmon for Windows via Sumo Logic Installed Collector Windows Event Log Collector

Required Tables

_sourceCategory=*windows*sysmon*

False Positives

DevOps and infrastructure-as-code pipelines (GitHub Actions, GitLab CI, Jenkins) that call net start or sc query to verify service prerequisites before application deployment steps
Remote monitoring and management agents (ConnectWise Automate, Kaseya VSA, NinjaRMM) that collect Windows service inventory from managed endpoints on a scheduled basis
Antivirus and endpoint protection products that invoke WMI or PowerShell Get-Service during installation to detect conflicting security software or validate required services

Google Chronicle / SecOps

yaral

rule t1007_system_service_discovery {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1007 System Service Discovery via sc.exe query, tasklist /svc, net/net1 start, wmic win32_service, and PowerShell Get-Service enumeration"
    mitre_attack_technique = "T1007"
    mitre_attack_tactic = "Discovery"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1007/"
    severity = "MEDIUM"
    confidence = "HIGH"
    version = "1.0"
    created = "2025-01-01"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($e.target.process.file.full_path, `(?i).*\\sc\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(query|\bq\b|\bqc\b)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i).*\\tasklist\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)/svc`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i).*\\net1?\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)\bstart\b`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i).*\\wmic\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(win32_service|service\s+get|service\s+list)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i).*\\(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(get-service|win32_service)`)
      )
    )

  condition:
    $e
}

medium severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Forwarder (Windows endpoints) Microsoft Defender for Endpoint via Chronicle integration CrowdStrike Falcon via Chronicle integration

Required Tables

UDM Events (metadata.event_type = PROCESS_LAUNCH)

False Positives

Enterprise software packaging and deployment systems that verify service prerequisites or conflicts before installing or upgrading business applications across the fleet
IT support staff and system administrators using built-in Windows tools such as sc.exe or PowerShell Get-Service to remotely diagnose service-related issues on user workstations
Vulnerability scanners and compliance auditing tools (Tenable, Qualys, CIS-CAT Pro) that enumerate running and installed services as part of configuration baseline and patch-state assessments

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| regex(field=ImageFileName, regex="(?i)(sc\\.exe|tasklist\\.exe|net1?\\.exe|wmic\\.exe|powershell\\.exe|pwsh\\.exe)$")
| IsScQuery := if(
    regex(ImageFileName, "(?i)sc\\.exe$") and regex(CommandLine, "(?i)(query|\\bq\\b|\\bqc\\b)"),
    true, false
  )
| IsTasklistSvc := if(
    regex(ImageFileName, "(?i)tasklist\\.exe$") and regex(CommandLine, "(?i)/svc"),
    true, false
  )
| IsNetStart := if(
    regex(ImageFileName, "(?i)net1?\\.exe$") and regex(CommandLine, "(?i)\\bstart\\b"),
    true, false
  )
| IsWmicService := if(
    regex(ImageFileName, "(?i)wmic\\.exe$") and regex(CommandLine, "(?i)(win32_service|service\\s+get|service\\s+list)"),
    true, false
  )
| IsPSGetService := if(
    regex(ImageFileName, "(?i)(powershell|pwsh)\\.exe$") and regex(CommandLine, "(?i)(get-service|win32_service)"),
    true, false
  )
| DiscoveryMatch := IsScQuery or IsTasklistSvc or IsNetStart or IsWmicService or IsPSGetService
| DiscoveryMatch = true
| select([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, IsScQuery, IsTasklistSvc, IsNetStart, IsWmicService, IsPSGetService])
| sort(field=@timestamp, order=desc)

medium severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike LogScale (Humio) Falcon Data Replicator (FDR)

Required Tables

#event_simpleName=ProcessRollup2

False Positives

CrowdStrike Falcon sensor itself and third-party EDR or AV products that perform service enumeration as part of their own protection telemetry collection or competing-software detection routines
Scripted endpoint onboarding and imaging workflows run by IT operations teams that verify required services are present, enabled, and running on newly provisioned devices
Automated disaster recovery and business continuity testing scripts that enumerate and validate critical service states across the endpoint fleet on a scheduled or ad-hoc basis

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

System Service Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Discovery

Popular Detections