title: System Service Discovery (T1007)
id: df00tech-t1007
status: experimental
description: "Adversaries may try to gather information about registered local system services to shape follow-on behaviors. Common techniques include using sc query, tasklist /svc, net start, systemctl --type=service, and WMI queries (win32_service) to enumerate running and installed services. This reconnaissance helps adversaries identify security products to disable, lateral movement opportunities via vulnerable services, and persistence mechanisms already in place. Malware families including Ursnif, Kwampirs, Comnie, Elise, and SLOTHFULMEDIA all leverage service enumeration as part of their post-compromise discovery phase."
references:
  - https://attack.mitre.org/techniques/T1007/
  - https://df00tech.com/detections/T1007
author: df00tech
date: 2026/04/13
tags:
  - attack.t1007
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The wildcard selection below matches every process_creation event and is a placeholder only:
  # scope it (e.g. to the service-enumeration command lines named in the description) before enabling.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "System administrators and IT staff routinely run sc query, net start, and tasklist /svc for legitimate troubleshooting and monitoring"
  - "Remote management and monitoring (RMM) tools such as ConnectWise, Datto, N-able, and Kaseya execute service enumeration as part of inventory collection"
  - "Software installation and configuration management tools (SCCM, Ansible, Puppet, Chef) query services to verify installation state"
  - "Vulnerability scanners and compliance tools (Qualys, Tenable, CrowdStrike Spotlight) enumerate services as part of scheduled scans"
  - "Endpoint detection and response (EDR) agents may themselves call WMI win32_service queries during telemetry collection"
  - "Developer tooling and CI/CD pipeline agents querying service states during automated testing"
level: low
