Detect System Service Discovery in CrowdStrike LogScale
Adversaries may try to gather information about registered local system services to shape follow-on behaviors. Common techniques include using sc query, tasklist /svc, net start, systemctl --type=service, and WMI queries (win32_service) to enumerate running and installed services. This reconnaissance helps adversaries identify security products to disable, lateral movement opportunities via vulnerable services, and persistence mechanisms already in place. Malware families including Ursnif, Kwampirs, Comnie, Elise, and SLOTHFULMEDIA all leverage service enumeration as part of their post-compromise discovery phase.
MITRE ATT&CK
- Tactic: Discovery
- Technique: T1007 System Service Discovery
- Canonical reference: https://attack.mitre.org/techniques/T1007/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| regex(field=ImageFileName, regex="(?i)(sc\\.exe|tasklist\\.exe|net1?\\.exe|wmic\\.exe|powershell\\.exe|pwsh\\.exe)$")
| IsScQuery := if(
    regex(field=ImageFileName, regex="(?i)sc\\.exe$") and regex(field=CommandLine, regex="(?i)(query|\\bq\\b|\\bqc\\b)"),
    then=true, else=false
  )
| IsTasklistSvc := if(
    regex(field=ImageFileName, regex="(?i)tasklist\\.exe$") and regex(field=CommandLine, regex="(?i)/svc"),
    then=true, else=false
  )
| IsNetStart := if(
    regex(field=ImageFileName, regex="(?i)net1?\\.exe$") and regex(field=CommandLine, regex="(?i)\\bstart\\b"),
    then=true, else=false
  )
| IsWmicService := if(
    regex(field=ImageFileName, regex="(?i)wmic\\.exe$") and regex(field=CommandLine, regex="(?i)(win32_service|service\\s+get|service\\s+list)"),
    then=true, else=false
  )
| IsPSGetService := if(
    regex(field=ImageFileName, regex="(?i)(powershell|pwsh)\\.exe$") and regex(field=CommandLine, regex="(?i)(get-service|win32_service)"),
    then=true, else=false
  )
// Keep only events where at least one technique indicator fired
| IsScQuery=true or IsTasklistSvc=true or IsNetStart=true or IsWmicService=true or IsPSGetService=true
| select([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, IsScQuery, IsTasklistSvc, IsNetStart, IsWmicService, IsPSGetService])
| sort(field=@timestamp, order=desc)

CrowdStrike LogScale (Humio) CQL detection for T1007 System Service Discovery using ProcessRollup2 events from the Falcon sensor. It first filters on process image filenames associated with service enumeration, then sets individual Boolean classification fields (IsScQuery, IsTasklistSvc, IsNetStart, IsWmicService, IsPSGetService) by regex matching against CommandLine. Only events matching at least one technique indicator are surfaced. ParentBaseFileName is included to support suspicious parent process triage.
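To show how the classification above behaves on concrete events, here is an added Python re-implementation of the same image filter and CommandLine regexes, run over constructed ProcessRollup2-style records; it is not part of the original page or the LogScale query, and the ALLOWED_PARENTS tuning set is a hypothetical placeholder for the known-good parents discussed under False Positives.

```python
import re
from typing import Optional

# Image filter and per-indicator regexes mirror the LogScale query (case-insensitive).
IMAGE_RE = re.compile(r"(sc\.exe|tasklist\.exe|net1?\.exe|wmic\.exe|powershell\.exe|pwsh\.exe)$", re.I)
INDICATORS = [  # (flag name, image regex, command-line regex)
    ("IsScQuery",      r"sc\.exe$",                r"(query|\bq\b|\bqc\b)"),
    ("IsTasklistSvc",  r"tasklist\.exe$",          r"/svc"),
    ("IsNetStart",     r"net1?\.exe$",             r"\bstart\b"),
    ("IsWmicService",  r"wmic\.exe$",              r"(win32_service|service\s+get|service\s+list)"),
    ("IsPSGetService", r"(powershell|pwsh)\.exe$", r"(get-service|win32_service)"),
]
COMPILED = [(n, re.compile(i, re.I), re.compile(c, re.I)) for n, i, c in INDICATORS]

# Hypothetical tuning set (constructed): parent processes from which service
# enumeration is expected, e.g. an IT onboarding script. Replace with your own.
ALLOWED_PARENTS = {"onboarding.exe"}

def classify(event: dict) -> Optional[dict]:
    """Return the event with Is* flags and a Tuned marker, or None if it does not match."""
    image = event.get("ImageFileName", "")
    if not IMAGE_RE.search(image):           # stage 1: image filename filter
        return None
    cmd = event.get("CommandLine", "")
    flags = {name: bool(img.search(image) and cl.search(cmd)) for name, img, cl in COMPILED}
    if not any(flags.values()):              # stage 2: at least one indicator must fire
        return None
    out = dict(event, **flags)
    # Tuning: flag hits whose parent is on the allow list for analyst triage, not suppression
    out["Tuned"] = event.get("ParentBaseFileName", "").lower() in ALLOWED_PARENTS
    return out

# Constructed sample events (not real telemetry); the net.exe and explorer.exe rows should not match.
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "UserName": "alice", "ImageFileName": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc query type= all state= all", "ParentBaseFileName": "cmd.exe"},
    {"ComputerName": "WS01", "UserName": "alice", "ImageFileName": r"C:\Windows\System32\tasklist.exe",
     "CommandLine": "tasklist /svc", "ParentBaseFileName": "cmd.exe"},
    {"ComputerName": "WS02", "UserName": "SYSTEM", "ImageFileName": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\fs01\share", "ParentBaseFileName": "cmd.exe"},
    {"ComputerName": "WS03", "UserName": "bob", "ImageFileName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-WmiObject Win32_Service", "ParentBaseFileName": "onboarding.exe"},
    {"ComputerName": "WS03", "UserName": "bob", "ImageFileName": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe", "ParentBaseFileName": "userinit.exe"},
]

def run(events=SAMPLE_EVENTS) -> list:
    """Apply classify() to every event and return only the surfaced hits, in input order."""
    return [hit for hit in (classify(e) for e in events) if hit]
```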
False Positives & Tuning
- CrowdStrike Falcon sensor itself and third-party EDR or AV products that perform service enumeration as part of their own protection telemetry collection or competing-software detection routines
- Scripted endpoint onboarding and imaging workflows run by IT operations teams that verify required services are present, enabled, and running on newly provisioned devices
- Automated disaster recovery and business continuity testing scripts that enumerate and validate critical service states across the endpoint fleet on a scheduled or ad-hoc basis
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Service Enumeration via sc query
  Expected signal: Sysmon Event ID 1: Process Create with Image=sc.exe, CommandLine containing 'query type= all state= all'. Sysmon Event ID 11: File Create for %TEMP%\services_sc.txt. Security Event ID 4688 (if process creation auditing with command line enabled).
- Test 2: Service Enumeration via tasklist /svc
  Expected signal: Sysmon Event ID 1: Process Create with Image=tasklist.exe, CommandLine containing '/svc'. Sysmon Event ID 11: File Create for %TEMP%\services_tasklist.txt. The output maps service names to hosting process PIDs and executable paths.
- Test 3: Service Enumeration via net start with output redirect
  Expected signal: Sysmon Event ID 1: Process Create with Image=net.exe (or net1.exe), CommandLine containing 'start'. Sysmon Event ID 11: File Create for %TEMP%\df00tech-services.dat. Security Event ID 4688 if process auditing enabled.
- Test 4: WMI Win32_Service Enumeration via PowerShell
  Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-WmiObject' and 'Win32_Service'. PowerShell ScriptBlock Log Event ID 4104 with full command. WMI Activity Log Event ID 5857 (WMI provider load). No separate child process is created; the WMI query runs in-process.
- Test 5: Linux Service Enumeration via systemctl
  Expected signal: Auditd execve records for systemctl and service binaries (if auditd configured with execve rules: '-a always,exit -F arch=b64 -S execve'). Sysmon for Linux Event ID 1 (if deployed): Process Create with Image=/usr/bin/systemctl and CommandLine containing 'list-units --type=service'. File creation in /tmp for output files.