Which SIEM platforms have a T1007 detection rule?

df00tech provides T1007 (System Service Discovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect System Service Discovery (T1007)?

Detecting System Service Discovery requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1007 detection?

The T1007 detection is rated low severity with medium confidence.

What are common false positives for T1007?

Common false positives for T1007 include: System administrators and IT staff routinely run sc query, net start, and tasklist /svc for legitimate troubleshooting and monitoring; Remote management and monitoring (RMM) tools such as ConnectWise, Datto, N-able, and Kaseya execute service enumeration as part of inventory collection; Software installation and configuration management tools (SCCM, Ansible, Puppet, Chef) query services to verify installation state.

T1007

System Service Discovery

Discovery Last updated: April 13, 2026

Adversaries may try to gather information about registered local system services to shape follow-on behaviors. Common techniques include using sc query, tasklist /svc, net start, systemctl --type=service, and WMI queries (win32_service) to enumerate running and installed services. This reconnaissance helps adversaries identify security products to disable, lateral movement opportunities via vulnerable services, and persistence mechanisms already in place. Malware families including Ursnif, Kwampirs, Comnie, Elise, and SLOTHFULMEDIA all leverage service enumeration as part of their post-compromise discovery phase.

What is T1007 System Service Discovery?

System Service Discovery (T1007) maps to the Discovery tactic — the adversary is trying to figure out your environment in MITRE ATT&CK.

This page provides production-ready detection logic for System Service Discovery, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated low severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Discovery
Technique: T1007 System Service Discovery
Canonical reference: https://attack.mitre.org/techniques/T1007/

Microsoft Sentinel / Defender

kusto

let ServiceDiscoveryCommands = dynamic([
  "sc query", "sc.exe query",
  "tasklist /svc", "tasklist.exe /svc",
  "net start", "net1 start",
  "win32_service", "Win32_Service",
  "Get-Service", "get-service",
  "systemctl --type=service", "systemctl list-units",
  "service --status-all", "chkconfig --list"
]);
let ServiceDiscoveryBinaries = dynamic([
  "sc.exe", "tasklist.exe", "net.exe", "net1.exe", "wmic.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName in~ (ServiceDiscoveryBinaries) and ProcessCommandLine has_any ("query", "/svc", "start", "win32_service"))
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-Service", "Win32_Service", "win32_service"))
    or (FileName in~ ("wmic.exe") and ProcessCommandLine has_any ("service", "win32_service"))
)
| extend IsScQuery = FileName =~ "sc.exe" and ProcessCommandLine has "query"
| extend IsTasklistSvc = FileName =~ "tasklist.exe" and ProcessCommandLine has "/svc"
| extend IsNetStart = FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has "start"
| extend IsWmicService = FileName =~ "wmic.exe" and ProcessCommandLine has_any ("service", "win32_service")
| extend IsPSGetService = FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-Service", "Win32_Service")
| extend SuspiciousParent = InitiatingProcessFileName has_any ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "svchost.exe") 
    and not (InitiatingProcessFileName =~ "svchost.exe" and AccountName =~ "SYSTEM")
| where IsScQuery or IsTasklistSvc or IsNetStart or IsWmicService or IsPSGetService
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsScQuery, IsTasklistSvc, IsNetStart, IsWmicService, IsPSGetService, SuspiciousParent
| sort by Timestamp desc

Detects system service discovery activity using Microsoft Defender for Endpoint DeviceProcessEvents. Monitors sc.exe query, tasklist /svc, net start, wmic win32_service queries, and PowerShell Get-Service calls. Flags processes launched from suspicious parent processes (script interpreters, LOLBins) that would indicate post-compromise reconnaissance rather than routine admin activity. Covers the most common service enumeration techniques observed in Ursnif, Kwampirs, Comnie, Elise, and SLOTHFULMEDIA malware families.

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

System administrators and IT staff routinely run sc query, net start, and tasklist /svc for legitimate troubleshooting and monitoring
Remote management and monitoring (RMM) tools such as ConnectWise, Datto, N-able, and Kaseya execute service enumeration as part of inventory collection
Software installation and configuration management tools (SCCM, Ansible, Puppet, Chef) query services to verify installation state
Vulnerability scanners and compliance tools (Qualys, Tenable, CrowdStrike Spotlight) enumerate services as part of scheduled scans
Endpoint detection and response (EDR) agents may themselves call WMI win32_service queries during telemetry collection
Developer tooling and CI/CD pipeline agents querying service states during automated testing

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (
    (Image="*\\sc.exe" AND (CommandLine="*query*" OR CommandLine="* q *" OR CommandLine="* qc *"))
    OR (Image="*\\tasklist.exe" AND CommandLine="*/svc*")
    OR ((Image="*\\net.exe" OR Image="*\\net1.exe") AND (CommandLine="* start*" OR CommandLine="*start *"))
    OR (Image="*\\wmic.exe" AND (CommandLine="*win32_service*" OR CommandLine="*service get*" OR CommandLine="*service list*"))
    OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe") AND (CommandLine="*Get-Service*" OR CommandLine="*get-service*" OR CommandLine="*Win32_Service*"))
  )
| eval IsScQuery=if(match(Image, "sc\.exe$") AND match(lower(CommandLine), "query|\s+q\s|\ qc "), 1, 0)
| eval IsTasklistSvc=if(match(Image, "tasklist\.exe$") AND match(lower(CommandLine), "/svc"), 1, 0)
| eval IsNetStart=if(match(Image, "net1?\.exe$") AND match(lower(CommandLine), "start"), 1, 0)
| eval IsWmicService=if(match(Image, "wmic\.exe$") AND match(lower(CommandLine), "win32_service|service get|service list"), 1, 0)
| eval IsPSGetService=if(match(Image, "powershell\.exe$|pwsh\.exe$") AND match(lower(CommandLine), "get-service|win32_service"), 1, 0)
| eval SuspiciousParent=if(match(lower(ParentImage), "wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|bitsadmin\.exe"), 1, 0)
| eval DiscoveryScore=IsScQuery + IsTasklistSvc + IsNetStart + IsWmicService + IsPSGetService
| where DiscoveryScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsScQuery, IsTasklistSvc, IsNetStart, IsWmicService, IsPSGetService, SuspiciousParent, DiscoveryScore
| sort - _time

Detects system service discovery using Sysmon Event ID 1 (Process Creation) logs. Identifies sc.exe query commands, tasklist /svc, net start, wmic win32_service, and PowerShell Get-Service calls. Assigns a discovery score based on matched patterns and flags events spawned from suspicious parent processes (script interpreters, LOLBins). High discovery scores or suspicious parent processes warrant elevated investigation priority.

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

System administrators and IT staff routinely run sc query, net start, and tasklist /svc for legitimate troubleshooting and monitoring
Remote management and monitoring (RMM) tools such as ConnectWise, Datto, N-able, and Kaseya execute service enumeration as part of inventory collection
Software installation and configuration management tools (SCCM, Ansible, Puppet, Chef) query services to verify installation state
Vulnerability scanners and compliance tools (Qualys, Tenable, CrowdStrike Spotlight) enumerate services as part of scheduled scans
Endpoint detection and response (EDR) agents may themselves call WMI win32_service queries during telemetry collection
Developer tooling and CI/CD pipeline agents querying service states during automated testing

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceHost,
  username AS Username,
  "Process Name" AS ProcessImage,
  "Command" AS CommandLine,
  "Parent Process Name" AS ParentProcess,
  QIDNAME(qid) AS EventName,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
  AND QIDNAME(qid) ILIKE '%process%create%'
  AND (
    (
      LOWER("Process Name") LIKE '%\\sc.exe'
      AND (
        LOWER("Command") LIKE '%query%'
        OR LOWER("Command") LIKE '% q %'
        OR LOWER("Command") LIKE '% qc %'
      )
    )
    OR (
      LOWER("Process Name") LIKE '%\\tasklist.exe'
      AND LOWER("Command") LIKE '%/svc%'
    )
    OR (
      (LOWER("Process Name") LIKE '%\\net.exe' OR LOWER("Process Name") LIKE '%\\net1.exe')
      AND LOWER("Command") LIKE '%start%'
    )
    OR (
      LOWER("Process Name") LIKE '%\\wmic.exe'
      AND (
        LOWER("Command") LIKE '%win32_service%'
        OR LOWER("Command") LIKE '%service get%'
        OR LOWER("Command") LIKE '%service list%'
      )
    )
    OR (
      (LOWER("Process Name") LIKE '%\\powershell.exe' OR LOWER("Process Name") LIKE '%\\pwsh.exe')
      AND (
        LOWER("Command") LIKE '%get-service%'
        OR LOWER("Command") LIKE '%win32_service%'
      )
    )
  )
LAST 24 HOURS

QRadar AQL detection for T1007 System Service Discovery querying the events store for Sysmon Process Create records. Matches process image paths against known service enumeration binaries and filters on command-line arguments associated with sc.exe query, tasklist /svc, net start, wmic win32_service, and PowerShell Get-Service. Requires Sysmon DSM deployed and parsing Process Name and Command fields.

medium severity high confidence

Data Sources

IBM QRadar SIEM Microsoft Sysmon DSM for QRadar Windows Security Event Log DSM

Required Tables

events

False Positives

Helpdesk and IT support staff running sc.exe or net start from interactive sessions to diagnose service failures on user workstations
Automated IT operations platforms (ServiceNow Discovery, Tanium, BigFix) that regularly poll service inventory across the fleet as part of asset management
Vulnerability management and compliance scanners (Tenable Nessus, Qualys, CIS-CAT) that enumerate installed services as part of configuration baseline audits

Sumo Logic CSE

sql

(_sourceCategory=*windows*sysmon* OR _sourceCategory=*sysmon*)
| where EventCode = "1"
| where (
    (Image matches "*\\sc.exe" AND (CommandLine contains "query" OR CommandLine contains " q " OR CommandLine contains " qc "))
    OR (Image matches "*\\tasklist.exe" AND toLowerCase(CommandLine) contains "/svc")
    OR ((Image matches "*\\net.exe" OR Image matches "*\\net1.exe") AND toLowerCase(CommandLine) contains "start")
    OR (Image matches "*\\wmic.exe" AND (toLowerCase(CommandLine) contains "win32_service" OR toLowerCase(CommandLine) contains "service get" OR toLowerCase(CommandLine) contains "service list"))
    OR ((Image matches "*\\powershell.exe" OR Image matches "*\\pwsh.exe") AND (toLowerCase(CommandLine) contains "get-service" OR toLowerCase(CommandLine) contains "win32_service"))
  )
| eval IsScQuery = if(Image matches "*\\sc.exe" AND (CommandLine contains "query" OR CommandLine contains " q " OR CommandLine contains " qc "), 1, 0)
| eval IsTasklistSvc = if(Image matches "*\\tasklist.exe" AND toLowerCase(CommandLine) contains "/svc", 1, 0)
| eval IsNetStart = if((Image matches "*\\net.exe" OR Image matches "*\\net1.exe") AND toLowerCase(CommandLine) contains "start", 1, 0)
| eval IsWmicService = if(Image matches "*\\wmic.exe" AND (toLowerCase(CommandLine) contains "win32_service" OR toLowerCase(CommandLine) contains "service get" OR toLowerCase(CommandLine) contains "service list"), 1, 0)
| eval IsPSGetService = if((Image matches "*\\powershell.exe" OR Image matches "*\\pwsh.exe") AND (toLowerCase(CommandLine) contains "get-service" OR toLowerCase(CommandLine) contains "win32_service"), 1, 0)
| eval DiscoveryScore = IsScQuery + IsTasklistSvc + IsNetStart + IsWmicService + IsPSGetService
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, IsScQuery, IsTasklistSvc, IsNetStart, IsWmicService, IsPSGetService, DiscoveryScore
| sort by _messageTime desc

Sumo Logic detection for T1007 System Service Discovery using Sysmon EventCode 1 (Process Create) ingested via the Sysmon source category. Matches service enumeration binaries and command-line patterns, then classifies each match with individual Boolean flags and a cumulative DiscoveryScore. Higher scores indicate broader enumeration activity characteristic of automated post-compromise discovery.

medium severity high confidence

Data Sources

Sumo Logic Cloud SIEM Sysmon for Windows via Sumo Logic Installed Collector Windows Event Log Collector

Required Tables

_sourceCategory=*windows*sysmon*

False Positives

DevOps and infrastructure-as-code pipelines (GitHub Actions, GitLab CI, Jenkins) that call net start or sc query to verify service prerequisites before application deployment steps
Remote monitoring and management agents (ConnectWise Automate, Kaseya VSA, NinjaRMM) that collect Windows service inventory from managed endpoints on a scheduled basis
Antivirus and endpoint protection products that invoke WMI or PowerShell Get-Service during installation to detect conflicting security software or validate required services

Google Chronicle / SecOps

yaral

rule t1007_system_service_discovery {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1007 System Service Discovery via sc.exe query, tasklist /svc, net/net1 start, wmic win32_service, and PowerShell Get-Service enumeration"
    mitre_attack_technique = "T1007"
    mitre_attack_tactic = "Discovery"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1007/"
    severity = "MEDIUM"
    confidence = "HIGH"
    version = "1.0"
    created = "2025-01-01"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($e.target.process.file.full_path, `(?i).*\\sc\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(query|\bq\b|\bqc\b)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i).*\\tasklist\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)/svc`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i).*\\net1?\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)\bstart\b`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i).*\\wmic\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(win32_service|service\s+get|service\s+list)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i).*\\(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(get-service|win32_service)`)
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1007 System Service Discovery across enterprise endpoints using UDM PROCESS_LAUNCH events. Evaluates target process full path against known service enumeration binaries and command-line content using case-insensitive regex. Covers sc.exe query variants, tasklist /svc, net/net1 start, wmic win32_service class queries, and PowerShell Get-Service or WMI Win32_Service access patterns. Compatible with Windows telemetry forwarded via Chronicle agents or Microsoft Defender for Endpoint Chronicle integration.

medium severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Forwarder (Windows endpoints) Microsoft Defender for Endpoint via Chronicle integration CrowdStrike Falcon via Chronicle integration

Required Tables

UDM Events (metadata.event_type = PROCESS_LAUNCH)

False Positives

Enterprise software packaging and deployment systems that verify service prerequisites or conflicts before installing or upgrading business applications across the fleet
IT support staff and system administrators using built-in Windows tools such as sc.exe or PowerShell Get-Service to remotely diagnose service-related issues on user workstations
Vulnerability scanners and compliance auditing tools (Tenable, Qualys, CIS-CAT Pro) that enumerate running and installed services as part of configuration baseline and patch-state assessments

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| regex(field=ImageFileName, regex="(?i)(sc\\.exe|tasklist\\.exe|net1?\\.exe|wmic\\.exe|powershell\\.exe|pwsh\\.exe)$")
| IsScQuery := if(
    regex(ImageFileName, "(?i)sc\\.exe$") and regex(CommandLine, "(?i)(query|\\bq\\b|\\bqc\\b)"),
    true, false
  )
| IsTasklistSvc := if(
    regex(ImageFileName, "(?i)tasklist\\.exe$") and regex(CommandLine, "(?i)/svc"),
    true, false
  )
| IsNetStart := if(
    regex(ImageFileName, "(?i)net1?\\.exe$") and regex(CommandLine, "(?i)\\bstart\\b"),
    true, false
  )
| IsWmicService := if(
    regex(ImageFileName, "(?i)wmic\\.exe$") and regex(CommandLine, "(?i)(win32_service|service\\s+get|service\\s+list)"),
    true, false
  )
| IsPSGetService := if(
    regex(ImageFileName, "(?i)(powershell|pwsh)\\.exe$") and regex(CommandLine, "(?i)(get-service|win32_service)"),
    true, false
  )
| DiscoveryMatch := IsScQuery or IsTasklistSvc or IsNetStart or IsWmicService or IsPSGetService
| DiscoveryMatch = true
| select([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, IsScQuery, IsTasklistSvc, IsNetStart, IsWmicService, IsPSGetService])
| sort(field=@timestamp, order=desc)

CrowdStrike LogScale (Humio) CQL detection for T1007 System Service Discovery using ProcessRollup2 events from the Falcon sensor. Filters on process image filenames associated with service enumeration, then applies individual Boolean classification fields (IsScQuery, IsTasklistSvc, IsNetStart, IsWmicService, IsPSGetService) using regex matching against CommandLine. Only events matching at least one technique indicator are surfaced. ParentBaseFileName is included to support suspicious parent process triage.

medium severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike LogScale (Humio) Falcon Data Replicator (FDR)

Required Tables

#event_simpleName=ProcessRollup2

False Positives

CrowdStrike Falcon sensor itself and third-party EDR or AV products that perform service enumeration as part of their own protection telemetry collection or competing-software detection routines
Scripted endpoint onboarding and imaging workflows run by IT operations teams that verify required services are present, enabled, and running on newly provisioned devices
Automated disaster recovery and business continuity testing scripts that enumerate and validate critical service states across the endpoint fleet on a scheduled or ad-hoc basis

Sigma rule & cross-platform mapping

The detection logic for System Service Discovery (T1007) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1007 Sigma rules on detection.fyi

Platform-specific guides for T1007

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-13 Research depth: deep

References (10)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Service Enumeration via sc query
Expected signal: Sysmon Event ID 1: Process Create with Image=sc.exe, CommandLine containing 'query type= all state= all'. Sysmon Event ID 11: File Create for %TEMP%\services_sc.txt. Security Event ID 4688 (if process creation auditing with command line enabled).
Test 2Service Enumeration via tasklist /svc
Expected signal: Sysmon Event ID 1: Process Create with Image=tasklist.exe, CommandLine containing '/svc'. Sysmon Event ID 11: File Create for %TEMP%\services_tasklist.txt. The output maps service names to hosting process PIDs and executable paths.
Test 3Service Enumeration via net start with output redirect
Expected signal: Sysmon Event ID 1: Process Create with Image=net.exe (or net1.exe), CommandLine containing 'start'. Sysmon Event ID 11: File Create for %TEMP%\df00tech-services.dat. Security Event ID 4688 if process auditing enabled.
Test 4WMI Win32_Service Enumeration via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-WmiObject' and 'Win32_Service'. PowerShell ScriptBlock Log Event ID 4104 with full command. WMI Activity Log Event ID 5857 (WMI provider load). No separate child process is created — the WMI query runs in-process.
Test 5Linux Service Enumeration via systemctl
Expected signal: Auditd execve records for systemctl and service binaries (if auditd configured with execve rules: '-a always,exit -F arch=b64 -S execve'). Sysmon for Linux Event ID 1 (if deployed): Process Create with Image=/usr/bin/systemctl and CommandLine containing 'list-units --type=service'. File creation in /tmp for output files.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

System Service Discovery

What is T1007 System Service Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1007

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

What is T1007 System Service Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1007

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox