Detect System Service Discovery in IBM QRadar
Adversaries may try to gather information about registered local system services to shape follow-on behaviors. Common techniques include using sc query, tasklist /svc, net start, systemctl --type=service, and WMI queries (win32_service) to enumerate running and installed services. This reconnaissance helps adversaries identify security products to disable, lateral movement opportunities via vulnerable services, and persistence mechanisms already in place. Malware families including Ursnif, Kwampirs, Comnie, Elise, and SLOTHFULMEDIA all leverage service enumeration as part of their post-compromise discovery phase.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1007 System Service Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1007/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
sourceip AS SourceHost,
username AS Username,
"Process Name" AS ProcessImage,
"Command" AS CommandLine,
"Parent Process Name" AS ParentProcess,
QIDNAME(qid) AS EventName,
LOGSOURCETYPENAME(devicetype) AS LogSourceType
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
AND QIDNAME(qid) ILIKE '%process%create%'
AND (
(
LOWER("Process Name") LIKE '%\\sc.exe'
AND (
LOWER("Command") LIKE '%query%'
OR LOWER("Command") LIKE '% q %'
OR LOWER("Command") LIKE '% qc %'
)
)
OR (
LOWER("Process Name") LIKE '%\\tasklist.exe'
AND LOWER("Command") LIKE '%/svc%'
)
OR (
(LOWER("Process Name") LIKE '%\\net.exe' OR LOWER("Process Name") LIKE '%\\net1.exe')
AND LOWER("Command") LIKE '%start%'
)
OR (
LOWER("Process Name") LIKE '%\\wmic.exe'
AND (
LOWER("Command") LIKE '%win32_service%'
OR LOWER("Command") LIKE '%service get%'
OR LOWER("Command") LIKE '%service list%'
)
)
OR (
(LOWER("Process Name") LIKE '%\\powershell.exe' OR LOWER("Process Name") LIKE '%\\pwsh.exe')
AND (
LOWER("Command") LIKE '%get-service%'
OR LOWER("Command") LIKE '%win32_service%'
)
)
)
LAST 24 HOURSQRadar AQL detection for T1007 System Service Discovery querying the events store for Sysmon Process Create records. Matches process image paths against known service enumeration binaries and filters on command-line arguments associated with sc.exe query, tasklist /svc, net start, wmic win32_service, and PowerShell Get-Service. Requires Sysmon DSM deployed and parsing Process Name and Command fields.
Data Sources
Required Tables
False Positives & Tuning
- Helpdesk and IT support staff running sc.exe or net start from interactive sessions to diagnose service failures on user workstations
- Automated IT operations platforms (ServiceNow Discovery, Tanium, BigFix) that regularly poll service inventory across the fleet as part of asset management
- Vulnerability management and compliance scanners (Tenable Nessus, Qualys, CIS-CAT) that enumerate installed services as part of configuration baseline audits
Other platforms for T1007
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Service Enumeration via sc query
Expected signal: Sysmon Event ID 1: Process Create with Image=sc.exe, CommandLine containing 'query type= all state= all'. Sysmon Event ID 11: File Create for %TEMP%\services_sc.txt. Security Event ID 4688 (if process creation auditing with command line enabled).
- Test 2Service Enumeration via tasklist /svc
Expected signal: Sysmon Event ID 1: Process Create with Image=tasklist.exe, CommandLine containing '/svc'. Sysmon Event ID 11: File Create for %TEMP%\services_tasklist.txt. The output maps service names to hosting process PIDs and executable paths.
- Test 3Service Enumeration via net start with output redirect
Expected signal: Sysmon Event ID 1: Process Create with Image=net.exe (or net1.exe), CommandLine containing 'start'. Sysmon Event ID 11: File Create for %TEMP%\df00tech-services.dat. Security Event ID 4688 if process auditing enabled.
- Test 4WMI Win32_Service Enumeration via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-WmiObject' and 'Win32_Service'. PowerShell ScriptBlock Log Event ID 4104 with full command. WMI Activity Log Event ID 5857 (WMI provider load). No separate child process is created — the WMI query runs in-process.
- Test 5Linux Service Enumeration via systemctl
Expected signal: Auditd execve records for systemctl and service binaries (if auditd configured with execve rules: '-a always,exit -F arch=b64 -S execve'). Sysmon for Linux Event ID 1 (if deployed): Process Create with Image=/usr/bin/systemctl and CommandLine containing 'list-units --type=service'. File creation in /tmp for output files.
References (10)
- https://attack.mitre.org/techniques/T1007/
- https://www.elastic.co/security-labs/under-the-sadbridge-with-gosar
- https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- https://www.splunk.com/en_us/blog/security/breaking-down-linux-gomir-understanding-this-backdoors-ttps.html
- https://www.aquasec.com/blog/threat-alert-kinsing-malware-container-vulnerability/
- https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/sc-query
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/tasklist
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
Unlock Pro Content
Get the full detection package for T1007 including response playbook, investigation guide, and atomic red team tests.