Which SIEM platforms have a T1007 detection rule?

df00tech provides T1007 (System Service Discovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect System Service Discovery (T1007)?

Detecting System Service Discovery requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1007 detection?

The T1007 detection is rated low severity with medium confidence.

What are common false positives for T1007?

Common false positives for T1007 include: System administrators and IT staff routinely run sc query, net start, and tasklist /svc for legitimate troubleshooting and monitoring; Remote management and monitoring (RMM) tools such as ConnectWise, Datto, N-able, and Kaseya execute service enumeration as part of inventory collection; Software installation and configuration management tools (SCCM, Ansible, Puppet, Chef) query services to verify installation state.

T1007 Sumo Logic CSE · Sumo

Detect System Service Discovery in Sumo Logic CSE

Adversaries may try to gather information about registered local system services to shape follow-on behaviors. Common techniques include using sc query, tasklist /svc, net start, systemctl --type=service, and WMI queries (win32_service) to enumerate running and installed services. This reconnaissance helps adversaries identify security products to disable, lateral movement opportunities via vulnerable services, and persistence mechanisms already in place. Malware families including Ursnif, Kwampirs, Comnie, Elise, and SLOTHFULMEDIA all leverage service enumeration as part of their post-compromise discovery phase.

MITRE ATT&CK

Tactic: Discovery
Technique: T1007 System Service Discovery
Canonical reference: https://attack.mitre.org/techniques/T1007/

Sumo Detection Query

Sumo Logic CSE (Sumo)

sql

(_sourceCategory=*windows*sysmon* OR _sourceCategory=*sysmon*)
| where EventCode = "1"
| where (
    (Image matches "*\\sc.exe" AND (CommandLine contains "query" OR CommandLine contains " q " OR CommandLine contains " qc "))
    OR (Image matches "*\\tasklist.exe" AND toLowerCase(CommandLine) contains "/svc")
    OR ((Image matches "*\\net.exe" OR Image matches "*\\net1.exe") AND toLowerCase(CommandLine) contains "start")
    OR (Image matches "*\\wmic.exe" AND (toLowerCase(CommandLine) contains "win32_service" OR toLowerCase(CommandLine) contains "service get" OR toLowerCase(CommandLine) contains "service list"))
    OR ((Image matches "*\\powershell.exe" OR Image matches "*\\pwsh.exe") AND (toLowerCase(CommandLine) contains "get-service" OR toLowerCase(CommandLine) contains "win32_service"))
  )
| eval IsScQuery = if(Image matches "*\\sc.exe" AND (CommandLine contains "query" OR CommandLine contains " q " OR CommandLine contains " qc "), 1, 0)
| eval IsTasklistSvc = if(Image matches "*\\tasklist.exe" AND toLowerCase(CommandLine) contains "/svc", 1, 0)
| eval IsNetStart = if((Image matches "*\\net.exe" OR Image matches "*\\net1.exe") AND toLowerCase(CommandLine) contains "start", 1, 0)
| eval IsWmicService = if(Image matches "*\\wmic.exe" AND (toLowerCase(CommandLine) contains "win32_service" OR toLowerCase(CommandLine) contains "service get" OR toLowerCase(CommandLine) contains "service list"), 1, 0)
| eval IsPSGetService = if((Image matches "*\\powershell.exe" OR Image matches "*\\pwsh.exe") AND (toLowerCase(CommandLine) contains "get-service" OR toLowerCase(CommandLine) contains "win32_service"), 1, 0)
| eval DiscoveryScore = IsScQuery + IsTasklistSvc + IsNetStart + IsWmicService + IsPSGetService
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, IsScQuery, IsTasklistSvc, IsNetStart, IsWmicService, IsPSGetService, DiscoveryScore
| sort by _messageTime desc

medium severity high confidence

Sumo Logic detection for T1007 System Service Discovery using Sysmon EventCode 1 (Process Create) ingested via the Sysmon source category. Matches service enumeration binaries and command-line patterns, then classifies each match with individual Boolean flags and a cumulative DiscoveryScore. Higher scores indicate broader enumeration activity characteristic of automated post-compromise discovery.

Data Sources

Sumo Logic Cloud SIEMSysmon for Windows via Sumo Logic Installed CollectorWindows Event Log Collector

Required Tables

_sourceCategory=*windows*sysmon*

False Positives & Tuning

DevOps and infrastructure-as-code pipelines (GitHub Actions, GitLab CI, Jenkins) that call net start or sc query to verify service prerequisites before application deployment steps
Remote monitoring and management agents (ConnectWise Automate, Kaseya VSA, NinjaRMM) that collect Windows service inventory from managed endpoints on a scheduled basis
Antivirus and endpoint protection products that invoke WMI or PowerShell Get-Service during installation to detect conflicting security software or validate required services

Download portable Sigma rule (.yml)

Other platforms for T1007

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Service Enumeration via sc query
Expected signal: Sysmon Event ID 1: Process Create with Image=sc.exe, CommandLine containing 'query type= all state= all'. Sysmon Event ID 11: File Create for %TEMP%\services_sc.txt. Security Event ID 4688 (if process creation auditing with command line enabled).
Test 2Service Enumeration via tasklist /svc
Expected signal: Sysmon Event ID 1: Process Create with Image=tasklist.exe, CommandLine containing '/svc'. Sysmon Event ID 11: File Create for %TEMP%\services_tasklist.txt. The output maps service names to hosting process PIDs and executable paths.
Test 3Service Enumeration via net start with output redirect
Expected signal: Sysmon Event ID 1: Process Create with Image=net.exe (or net1.exe), CommandLine containing 'start'. Sysmon Event ID 11: File Create for %TEMP%\df00tech-services.dat. Security Event ID 4688 if process auditing enabled.
Test 4WMI Win32_Service Enumeration via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-WmiObject' and 'Win32_Service'. PowerShell ScriptBlock Log Event ID 4104 with full command. WMI Activity Log Event ID 5857 (WMI provider load). No separate child process is created — the WMI query runs in-process.
Test 5Linux Service Enumeration via systemctl
Expected signal: Auditd execve records for systemctl and service binaries (if auditd configured with execve rules: '-a always,exit -F arch=b64 -S execve'). Sysmon for Linux Event ID 1 (if deployed): Process Create with Image=/usr/bin/systemctl and CommandLine containing 'list-units --type=service'. File creation in /tmp for output files.

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect System Service Discovery in Sumo Logic CSE

MITRE ATT&CK

Sumo Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1007

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Discovery

Popular Detections

MITRE ATT&CK

Sumo Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1007

Testing Methodology

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox