T1007 Elastic Security · Elastic

Detect System Service Discovery in Elastic Security

Adversaries may try to gather information about registered local system services to shape follow-on behaviors. Common techniques include using sc query, tasklist /svc, net start, systemctl --type=service, and WMI queries (win32_service) to enumerate running and installed services. This reconnaissance helps adversaries identify security products to disable, lateral movement opportunities via vulnerable services, and persistence mechanisms already in place. Malware families including Ursnif, Kwampirs, Comnie, Elise, and SLOTHFULMEDIA all leverage service enumeration as part of their post-compromise discovery phase.

MITRE ATT&CK

Tactic
Discovery
Technique
T1007 System Service Discovery
Canonical reference
https://attack.mitre.org/techniques/T1007/

Elastic Detection Query

Elastic Security (Elastic)
eql 
process where event.type == "start" and (
  (process.name : "sc.exe" and process.command_line : ("*query*", "* q *", "* qc *")) or
  (process.name : "tasklist.exe" and process.command_line : "*/svc*") or
  (process.name : ("net.exe", "net1.exe") and process.command_line : ("* start*", "*start *")) or
  (process.name : "wmic.exe" and process.command_line : ("*win32_service*", "*service get*", "*service list*")) or
  (process.name : ("powershell.exe", "pwsh.exe") and process.command_line : ("*Get-Service*", "*get-service*", "*Win32_Service*"))
)
medium severity high confidence

Detects T1007 System Service Discovery using Elastic EQL against process creation events sourced from Elastic Endpoint or Winlogbeat with Sysmon. Identifies service enumeration via sc.exe query, tasklist /svc, net start, wmic win32_service, and PowerShell Get-Service. Uses ECS process.name and process.command_line wildcard matching for broad coverage across Windows endpoints.

Data Sources

Elastic Endpoint SecurityWinlogbeat with Sysmon ModuleElastic Agent (Windows)

Required Tables

logs-endpoint.events.process-*winlogbeat-*.ds-logs-endpoint.events.process-*

False Positives & Tuning

  • IT administrators using sc.exe or net start interactively during routine service troubleshooting or change management windows
  • Software deployment and patch management platforms (SCCM, Ansible, Chef, Puppet) that verify service states as part of pre- or post-deployment health checks
  • Security and monitoring agents (antivirus, EDR, SIEM forwarders) that enumerate competing software or validate required services during installation or scheduled inventory collection
Download portable Sigma rule (.yml)

Other platforms for T1007

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Service Enumeration via sc query

    Expected signal: Sysmon Event ID 1: Process Create with Image=sc.exe, CommandLine containing 'query type= all state= all'. Sysmon Event ID 11: File Create for %TEMP%\services_sc.txt. Security Event ID 4688 (if process creation auditing with command line enabled).

  2. Test 2Service Enumeration via tasklist /svc

    Expected signal: Sysmon Event ID 1: Process Create with Image=tasklist.exe, CommandLine containing '/svc'. Sysmon Event ID 11: File Create for %TEMP%\services_tasklist.txt. The output maps service names to hosting process PIDs and executable paths.

  3. Test 3Service Enumeration via net start with output redirect

    Expected signal: Sysmon Event ID 1: Process Create with Image=net.exe (or net1.exe), CommandLine containing 'start'. Sysmon Event ID 11: File Create for %TEMP%\df00tech-services.dat. Security Event ID 4688 if process auditing enabled.

  4. Test 4WMI Win32_Service Enumeration via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-WmiObject' and 'Win32_Service'. PowerShell ScriptBlock Log Event ID 4104 with full command. WMI Activity Log Event ID 5857 (WMI provider load). No separate child process is created — the WMI query runs in-process.

  5. Test 5Linux Service Enumeration via systemctl

    Expected signal: Auditd execve records for systemctl and service binaries (if auditd configured with execve rules: '-a always,exit -F arch=b64 -S execve'). Sysmon for Linux Event ID 1 (if deployed): Process Create with Image=/usr/bin/systemctl and CommandLine containing 'list-units --type=service'. File creation in /tmp for output files.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1082System Information DiscoveryT1057Process DiscoveryT1033System Owner/User DiscoveryT1016System Network Configuration DiscoveryT1518Software DiscoveryT1518.001Security Software DiscoveryT1489Service StopT1543.003Windows ServiceT1053.005Scheduled TaskT1047Windows Management Instrumentation

Same Tactic: Discovery

Popular Detections