Detect System Service Discovery in Splunk
Adversaries may try to gather information about registered local system services to shape follow-on behaviors. Common techniques include using sc query, tasklist /svc, net start, systemctl --type=service, and WMI queries (win32_service) to enumerate running and installed services. This reconnaissance helps adversaries identify security products to disable, lateral movement opportunities via vulnerable services, and persistence mechanisms already in place. Malware families including Ursnif, Kwampirs, Comnie, Elise, and SLOTHFULMEDIA all leverage service enumeration as part of their post-compromise discovery phase.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1007 System Service Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1007/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(
(Image="*\\sc.exe" AND (CommandLine="*query*" OR CommandLine="* q *" OR CommandLine="* qc *"))
OR (Image="*\\tasklist.exe" AND CommandLine="*/svc*")
OR ((Image="*\\net.exe" OR Image="*\\net1.exe") AND (CommandLine="* start*" OR CommandLine="*start *"))
OR (Image="*\\wmic.exe" AND (CommandLine="*win32_service*" OR CommandLine="*service get*" OR CommandLine="*service list*"))
OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe") AND (CommandLine="*Get-Service*" OR CommandLine="*get-service*" OR CommandLine="*Win32_Service*"))
)
| eval IsScQuery=if(match(Image, "sc\.exe$") AND match(lower(CommandLine), "query|\s+q\s|\ qc "), 1, 0)
| eval IsTasklistSvc=if(match(Image, "tasklist\.exe$") AND match(lower(CommandLine), "/svc"), 1, 0)
| eval IsNetStart=if(match(Image, "net1?\.exe$") AND match(lower(CommandLine), "start"), 1, 0)
| eval IsWmicService=if(match(Image, "wmic\.exe$") AND match(lower(CommandLine), "win32_service|service get|service list"), 1, 0)
| eval IsPSGetService=if(match(Image, "powershell\.exe$|pwsh\.exe$") AND match(lower(CommandLine), "get-service|win32_service"), 1, 0)
| eval SuspiciousParent=if(match(lower(ParentImage), "wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|bitsadmin\.exe"), 1, 0)
| eval DiscoveryScore=IsScQuery + IsTasklistSvc + IsNetStart + IsWmicService + IsPSGetService
| where DiscoveryScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsScQuery, IsTasklistSvc, IsNetStart, IsWmicService, IsPSGetService, SuspiciousParent, DiscoveryScore
| sort - _timeDetects system service discovery using Sysmon Event ID 1 (Process Creation) logs. Identifies sc.exe query commands, tasklist /svc, net start, wmic win32_service, and PowerShell Get-Service calls. Assigns a discovery score based on matched patterns and flags events spawned from suspicious parent processes (script interpreters, LOLBins). High discovery scores or suspicious parent processes warrant elevated investigation priority.
Data Sources
Required Sourcetypes
False Positives & Tuning
- System administrators and IT staff routinely run sc query, net start, and tasklist /svc for legitimate troubleshooting and monitoring
- Remote management and monitoring (RMM) tools such as ConnectWise, Datto, N-able, and Kaseya execute service enumeration as part of inventory collection
- Software installation and configuration management tools (SCCM, Ansible, Puppet, Chef) query services to verify installation state
- Vulnerability scanners and compliance tools (Qualys, Tenable, CrowdStrike Spotlight) enumerate services as part of scheduled scans
- Endpoint detection and response (EDR) agents may themselves call WMI win32_service queries during telemetry collection
- Developer tooling and CI/CD pipeline agents querying service states during automated testing
Other platforms for T1007
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Service Enumeration via sc query
Expected signal: Sysmon Event ID 1: Process Create with Image=sc.exe, CommandLine containing 'query type= all state= all'. Sysmon Event ID 11: File Create for %TEMP%\services_sc.txt. Security Event ID 4688 (if process creation auditing with command line enabled).
- Test 2Service Enumeration via tasklist /svc
Expected signal: Sysmon Event ID 1: Process Create with Image=tasklist.exe, CommandLine containing '/svc'. Sysmon Event ID 11: File Create for %TEMP%\services_tasklist.txt. The output maps service names to hosting process PIDs and executable paths.
- Test 3Service Enumeration via net start with output redirect
Expected signal: Sysmon Event ID 1: Process Create with Image=net.exe (or net1.exe), CommandLine containing 'start'. Sysmon Event ID 11: File Create for %TEMP%\df00tech-services.dat. Security Event ID 4688 if process auditing enabled.
- Test 4WMI Win32_Service Enumeration via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-WmiObject' and 'Win32_Service'. PowerShell ScriptBlock Log Event ID 4104 with full command. WMI Activity Log Event ID 5857 (WMI provider load). No separate child process is created — the WMI query runs in-process.
- Test 5Linux Service Enumeration via systemctl
Expected signal: Auditd execve records for systemctl and service binaries (if auditd configured with execve rules: '-a always,exit -F arch=b64 -S execve'). Sysmon for Linux Event ID 1 (if deployed): Process Create with Image=/usr/bin/systemctl and CommandLine containing 'list-units --type=service'. File creation in /tmp for output files.
References (10)
- https://attack.mitre.org/techniques/T1007/
- https://www.elastic.co/security-labs/under-the-sadbridge-with-gosar
- https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- https://www.splunk.com/en_us/blog/security/breaking-down-linux-gomir-understanding-this-backdoors-ttps.html
- https://www.aquasec.com/blog/threat-alert-kinsing-malware-container-vulnerability/
- https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/sc-query
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/tasklist
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
Unlock Pro Content
Get the full detection package for T1007 including response playbook, investigation guide, and atomic red team tests.