T1007 Google Chronicle · YARA-L

Detect System Service Discovery in Google Chronicle

Adversaries may try to gather information about registered local system services to shape follow-on behaviors. Common techniques include using sc query, tasklist /svc, net start, systemctl --type=service, and WMI queries (win32_service) to enumerate running and installed services. This reconnaissance helps adversaries identify security products to disable, lateral movement opportunities via vulnerable services, and persistence mechanisms already in place. Malware families including Ursnif, Kwampirs, Comnie, Elise, and SLOTHFULMEDIA all leverage service enumeration as part of their post-compromise discovery phase.

MITRE ATT&CK

Tactic: Discovery
Technique: T1007 System Service Discovery
Canonical reference: https://attack.mitre.org/techniques/T1007/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1007_system_service_discovery {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1007 System Service Discovery via sc.exe query, tasklist /svc, net/net1 start, wmic win32_service, and PowerShell Get-Service enumeration"
    mitre_attack_technique = "T1007"
    mitre_attack_tactic = "Discovery"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1007/"
    severity = "MEDIUM"
    confidence = "HIGH"
    version = "1.0"
    created = "2025-01-01"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($e.target.process.file.full_path, `(?i).*\\sc\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(query|\bq\b|\bqc\b)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i).*\\tasklist\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)/svc`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i).*\\net1?\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)\bstart\b`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i).*\\wmic\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(win32_service|service\s+get|service\s+list)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i).*\\(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(get-service|win32_service)`)
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1007 System Service Discovery across enterprise endpoints using UDM PROCESS_LAUNCH events. Evaluates target process full path against known service enumeration binaries and command-line content using case-insensitive regex. Covers sc.exe query variants, tasklist /svc, net/net1 start, wmic win32_service class queries, and PowerShell Get-Service or WMI Win32_Service access patterns. Compatible with Windows telemetry forwarded via Chronicle agents or Microsoft Defender for Endpoint Chronicle integration.

Data Sources

  • Google Chronicle SIEM
  • Chronicle Forwarder (Windows endpoints)
  • Microsoft Defender for Endpoint via Chronicle integration
  • CrowdStrike Falcon via Chronicle integration

Required Tables

UDM Events (metadata.event_type = PROCESS_LAUNCH)

False Positives & Tuning

  • Enterprise software packaging and deployment systems that verify service prerequisites or conflicts before installing or upgrading business applications across the fleet
  • IT support staff and system administrators using built-in Windows tools such as sc.exe or PowerShell Get-Service to remotely diagnose service-related issues on user workstations
  • Vulnerability scanners and compliance auditing tools (Tenable, Qualys, CIS-CAT Pro) that enumerate running and installed services as part of configuration baseline and patch-state assessments
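To see exactly which process launches the rule above fires on, and how the tuning cases in this section could be expressed, here is an added Python emulation of the rule's events section (example code written for this page, not part of the Chronicle rule or the Argus package). It reuses the rule's own regexes against UDM-shaped dictionaries; the allowlist path and all sample events are constructed.

```python
import re

# Regex pairs copied from the YARA-L rule above: (process image pattern, command-line pattern).
RULE_PATTERNS = [
    (r"(?i).*\\sc\.exe$", r"(?i)(query|\bq\b|\bqc\b)"),
    (r"(?i).*\\tasklist\.exe$", r"(?i)/svc"),
    (r"(?i).*\\net1?\.exe$", r"(?i)\bstart\b"),
    (r"(?i).*\\wmic\.exe$", r"(?i)(win32_service|service\s+get|service\s+list)"),
    (r"(?i).*\\(powershell|pwsh)\.exe$", r"(?i)(get-service|win32_service)"),
]
COMPILED = [(re.compile(img), re.compile(cmd)) for img, cmd in RULE_PATTERNS]

# Hypothetical tuning allowlist of parent images belonging to approved scanner or
# deployment agents; the path below is constructed, not a real product binary.
ALLOWED_PARENTS = {r"c:\program files\example scanner\agent.exe"}

def matches_rule(event):
    """True when a UDM-style PROCESS_LAUNCH event satisfies the rule's events section."""
    if event.get("event_type") != "PROCESS_LAUNCH":
        return False
    path, cmd = event.get("full_path", ""), event.get("command_line", "")
    # YARA-L re.regex is an unanchored search, so re.search reproduces it here.
    return any(img.search(path) and cl.search(cmd) for img, cl in COMPILED)

def should_alert(event):
    """Rule match minus the allowlist: what a tuned version of the rule would fire on."""
    return matches_rule(event) and event.get("parent_path", "").lower() not in ALLOWED_PARENTS

def evaluate(events):
    """Return (command_line, matches_rule, should_alert) for each event."""
    return [(e.get("command_line", ""), matches_rule(e), should_alert(e)) for e in events]

# Constructed sample events (not real telemetry): two true positives, one allowlisted
# scanner, and three events the rule ignores (net stop, sc start, a non-launch event).
SAMPLE_EVENTS = [
    {"event_type": "PROCESS_LAUNCH", "full_path": r"C:\Windows\System32\sc.exe",
     "command_line": "sc query type= all state= all", "parent_path": r"C:\Windows\System32\cmd.exe"},
    {"event_type": "PROCESS_LAUNCH", "full_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -c Get-WmiObject Win32_Service", "parent_path": r"C:\Windows\explorer.exe"},
    {"event_type": "PROCESS_LAUNCH", "full_path": r"C:\Windows\System32\tasklist.exe",
     "command_line": "tasklist /svc", "parent_path": r"C:\Program Files\Example Scanner\agent.exe"},
    {"event_type": "PROCESS_LAUNCH", "full_path": r"C:\Windows\System32\net1.exe",
     "command_line": "net1 stop spooler", "parent_path": r"C:\Windows\System32\net.exe"},
    {"event_type": "PROCESS_LAUNCH", "full_path": r"C:\Windows\System32\sc.exe",
     "command_line": "sc start spooler", "parent_path": r"C:\Windows\System32\cmd.exe"},
    {"event_type": "FILE_CREATION", "full_path": r"C:\Windows\System32\sc.exe",
     "command_line": "sc query", "parent_path": ""},
]
```

Calling `evaluate(SAMPLE_EVENTS)` shows the rule matching the first three launches and suppressing only the allowlisted scanner; in Chronicle the same exclusion would be an extra `not` predicate on `$e.principal.process.file.full_path` in the events section.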

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Service Enumeration via sc query

    Expected signal: Sysmon Event ID 1: Process Create with Image=sc.exe, CommandLine containing 'query type= all state= all'. Sysmon Event ID 11: File Create for %TEMP%\services_sc.txt. Security Event ID 4688 (if process creation auditing with command line enabled).

  2. Test 2: Service Enumeration via tasklist /svc

    Expected signal: Sysmon Event ID 1: Process Create with Image=tasklist.exe, CommandLine containing '/svc'. Sysmon Event ID 11: File Create for %TEMP%\services_tasklist.txt. The output maps service names to hosting process PIDs and executable paths.

  3. Test 3: Service Enumeration via net start with output redirect

    Expected signal: Sysmon Event ID 1: Process Create with Image=net.exe (or net1.exe), CommandLine containing 'start'. Sysmon Event ID 11: File Create for %TEMP%\df00tech-services.dat. Security Event ID 4688 if process auditing enabled.

  4. Test 4: WMI Win32_Service Enumeration via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-WmiObject' and 'Win32_Service'. PowerShell ScriptBlock Log Event ID 4104 with full command. WMI Activity Log Event ID 5857 (WMI provider load). No separate child process is created — the WMI query runs in-process.

  5. Test 5: Linux Service Enumeration via systemctl

    Expected signal: Auditd execve records for systemctl and service binaries (if auditd configured with execve rules: '-a always,exit -F arch=b64 -S execve'). Sysmon for Linux Event ID 1 (if deployed): Process Create with Image=/usr/bin/systemctl and CommandLine containing 'list-units --type=service'. File creation in /tmp for output files.
