Detect System Service Discovery in Microsoft Sentinel
Adversaries may try to gather information about registered local system services to shape follow-on behaviors. Common techniques include using sc query, tasklist /svc, net start, systemctl --type=service, and WMI queries (win32_service) to enumerate running and installed services. This reconnaissance helps adversaries identify security products to disable, lateral movement opportunities via vulnerable services, and persistence mechanisms already in place. Malware families including Ursnif, Kwampirs, Comnie, Elise, and SLOTHFULMEDIA all leverage service enumeration as part of their post-compromise discovery phase.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1007 System Service Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1007/
KQL Detection Query
let ServiceDiscoveryCommands = dynamic([
"sc query", "sc.exe query",
"tasklist /svc", "tasklist.exe /svc",
"net start", "net1 start",
"win32_service", "Win32_Service",
"Get-Service", "get-service",
"systemctl --type=service", "systemctl list-units",
"service --status-all", "chkconfig --list"
]);
let ServiceDiscoveryBinaries = dynamic([
"sc.exe", "tasklist.exe", "net.exe", "net1.exe", "wmic.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
(FileName in~ (ServiceDiscoveryBinaries) and ProcessCommandLine has_any ("query", "/svc", "start", "win32_service"))
or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-Service", "Win32_Service", "win32_service"))
or (FileName in~ ("wmic.exe") and ProcessCommandLine has_any ("service", "win32_service"))
)
| extend IsScQuery = FileName =~ "sc.exe" and ProcessCommandLine has "query"
| extend IsTasklistSvc = FileName =~ "tasklist.exe" and ProcessCommandLine has "/svc"
| extend IsNetStart = FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has "start"
| extend IsWmicService = FileName =~ "wmic.exe" and ProcessCommandLine has_any ("service", "win32_service")
| extend IsPSGetService = FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-Service", "Win32_Service")
| extend SuspiciousParent = InitiatingProcessFileName has_any ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "svchost.exe")
and not (InitiatingProcessFileName =~ "svchost.exe" and AccountName =~ "SYSTEM")
| where IsScQuery or IsTasklistSvc or IsNetStart or IsWmicService or IsPSGetService
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
IsScQuery, IsTasklistSvc, IsNetStart, IsWmicService, IsPSGetService, SuspiciousParent
| sort by Timestamp descDetects system service discovery activity using Microsoft Defender for Endpoint DeviceProcessEvents. Monitors sc.exe query, tasklist /svc, net start, wmic win32_service queries, and PowerShell Get-Service calls. Flags processes launched from suspicious parent processes (script interpreters, LOLBins) that would indicate post-compromise reconnaissance rather than routine admin activity. Covers the most common service enumeration techniques observed in Ursnif, Kwampirs, Comnie, Elise, and SLOTHFULMEDIA malware families.
Data Sources
Required Tables
False Positives & Tuning
- System administrators and IT staff routinely run sc query, net start, and tasklist /svc for legitimate troubleshooting and monitoring
- Remote management and monitoring (RMM) tools such as ConnectWise, Datto, N-able, and Kaseya execute service enumeration as part of inventory collection
- Software installation and configuration management tools (SCCM, Ansible, Puppet, Chef) query services to verify installation state
- Vulnerability scanners and compliance tools (Qualys, Tenable, CrowdStrike Spotlight) enumerate services as part of scheduled scans
- Endpoint detection and response (EDR) agents may themselves call WMI win32_service queries during telemetry collection
- Developer tooling and CI/CD pipeline agents querying service states during automated testing
Other platforms for T1007
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Service Enumeration via sc query
Expected signal: Sysmon Event ID 1: Process Create with Image=sc.exe, CommandLine containing 'query type= all state= all'. Sysmon Event ID 11: File Create for %TEMP%\services_sc.txt. Security Event ID 4688 (if process creation auditing with command line enabled).
- Test 2Service Enumeration via tasklist /svc
Expected signal: Sysmon Event ID 1: Process Create with Image=tasklist.exe, CommandLine containing '/svc'. Sysmon Event ID 11: File Create for %TEMP%\services_tasklist.txt. The output maps service names to hosting process PIDs and executable paths.
- Test 3Service Enumeration via net start with output redirect
Expected signal: Sysmon Event ID 1: Process Create with Image=net.exe (or net1.exe), CommandLine containing 'start'. Sysmon Event ID 11: File Create for %TEMP%\df00tech-services.dat. Security Event ID 4688 if process auditing enabled.
- Test 4WMI Win32_Service Enumeration via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-WmiObject' and 'Win32_Service'. PowerShell ScriptBlock Log Event ID 4104 with full command. WMI Activity Log Event ID 5857 (WMI provider load). No separate child process is created — the WMI query runs in-process.
- Test 5Linux Service Enumeration via systemctl
Expected signal: Auditd execve records for systemctl and service binaries (if auditd configured with execve rules: '-a always,exit -F arch=b64 -S execve'). Sysmon for Linux Event ID 1 (if deployed): Process Create with Image=/usr/bin/systemctl and CommandLine containing 'list-units --type=service'. File creation in /tmp for output files.
References (10)
- https://attack.mitre.org/techniques/T1007/
- https://www.elastic.co/security-labs/under-the-sadbridge-with-gosar
- https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- https://www.splunk.com/en_us/blog/security/breaking-down-linux-gomir-understanding-this-backdoors-ttps.html
- https://www.aquasec.com/blog/threat-alert-kinsing-malware-container-vulnerability/
- https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/sc-query
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/tasklist
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
Unlock Pro Content
Get the full detection package for T1007 including response playbook, investigation guide, and atomic red team tests.