System Service Discovery - T1007
(ATT&CK® Technique)
Definition
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start.
D3FEND Inferred Relationships
System Service Discovery (T1007) --may-invoke--> Create Process
System Service Discovery (T1007) --may-invoke--> Get Running Processes
System Call Filtering --filters--> Get Running Processes
System Call Filtering --filters--> Create Process
System Call Filtering --may-isolate--> System Service Discovery (T1007)
System Call Analysis --analyzes--> Create Process
System Call Analysis --analyzes--> Get Running Processes
System Call Analysis --may-detect--> System Service Discovery (T1007)
Hardware-based Process Isolation --restricts--> Create Process
Hardware-based Process Isolation --may-isolate--> System Service Discovery (T1007)
Executable Allowlisting --filters--> Create Process
Executable Allowlisting --may-isolate--> System Service Discovery (T1007)
Executable Denylisting --filters--> Create Process
Executable Denylisting --may-isolate--> System Service Discovery (T1007)
Process Spawn Analysis --analyzes--> Create Process
Process Spawn Analysis --may-detect--> System Service Discovery (T1007)
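
Process Spawn Analysis is listed above as a technique that may detect T1007 through Create Process events. The following is an added example, not part of D3FEND or ATT&CK, that matches the four commands named in the definition against process-creation command lines and groups matches per host. The event tuples, function names and the threshold of two matches are assumptions made for illustration.

```python
import ntpath
import shlex
from collections import defaultdict

# Constructed (host, command line) process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    ("ws01", r"C:\Windows\System32\sc.exe query"),
    ("ws01", "tasklist /SVC"),
    ("ws01", "net start"),
    ("ws01", "net start Spooler"),  # starts one service, does not enumerate
    ("ws01", 'tasklist /fi "imagename eq a.exe"'),
    ("db02", "systemctl list-units --type=service"),
    ("db02", "systemctl restart nginx"),
]

def tokens(cmdline):
    """Lower-cased argv with argv[0] reduced to a bare tool name (no path, no .exe)."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keeps Windows backslashes intact
    except ValueError:                            # unbalanced quotes
        argv = cmdline.split()
    argv = [a.strip('"').lower() for a in argv]
    if not argv:
        return []
    tool = ntpath.basename(argv[0])               # splits on both \ and /
    return [tool[:-4] if tool.endswith(".exe") else tool] + argv[1:]

def is_service_discovery(cmdline):
    """True for the four service-enumeration commands named in the definition."""
    argv = tokens(cmdline)
    if not argv:
        return False
    tool, args = argv[0], argv[1:]
    if tool == "sc":
        if args and args[0].startswith("\\\\"):   # optional \\server argument
            args = args[1:]
        return args[:1] == ["query"]
    if tool == "tasklist":
        return "/svc" in args
    if tool == "net":
        return args == ["start"]                  # bare form lists started services
    if tool == "systemctl":
        return "--type=service" in args
    return False

def hosts_with_discovery(events, threshold=2):
    """Map host -> matching command lines, for hosts with >= threshold matches."""
    hits = defaultdict(list)
    for host, cmdline in events:
        if is_service_discovery(cmdline):
            hits[host].append(cmdline)
    return {h: c for h, c in hits.items() if len(c) >= threshold}
```

Administrators run these commands routinely, so the per-host threshold and any time window around it need tuning against the baseline of the environment being monitored.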