Enumeration of services via native CLI tools (e.g., `sc query`, `tasklist /svc`, `net start`) or API calls via PowerShell and WMI.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |

| Field | Description |
|---|---|
| ProcessName | Can be tuned to specific binaries used for service enumeration (e.g., `sc.exe`, `tasklist.exe`). |
| CommandLineMatch | Filters for variations like `sc query`, `net start`, `Get-Service`. |
| ParentProcess | Used to suppress known admin scripts or automation jobs. |

Execution of service management commands like `systemctl list-units`, `service --status-all`, or direct reading of `/etc/init.d`.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:EXECVE | execve |

| Field | Description |
|---|---|
| CommandPattern | Includes service enumeration commands like `systemctl`, `service`, or custom scripts. |
| ExecutionUser | Tunable by user context (e.g., root vs. standard user). |
| TimeWindow | Used for correlation with privilege escalation or lateral movement. |

Discovery via `launchctl` commands, or process enumeration using `ps aux | grep com.apple.` to identify daemons and services.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | None |
| Process Creation (DC0032) | macos:osquery | process_events |

| Field | Description |
|---|---|
| CommandLineContent | Tune to recognize `launchctl list`, `launchctl print`, or service grep strings. |
| ProcessParent | Filter known benign automation or MDM agent invocations. |
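As an added example (not part of this detection strategy page and not a MITRE-provided analytic), the following Python applies the Windows, Linux and macOS analytics above to constructed sample events from each channel. It normalizes an auditd EXECVE argv record into a command line, applies the tunable command patterns from the three field tables, suppresses parent processes listed in `BENIGN_PARENTS` (placeholder automation names), and raises severity for accounts in `PRIVILEGED_USERS` as an `ExecutionUser` tuning. Every event, parent name and user name below is constructed; the pattern lists are a starting point to be tuned per environment.

```python
import re
from dataclasses import dataclass

# Tunable command-line patterns per platform; these stand in for the
# CommandLineMatch / CommandPattern / CommandLineContent tuning fields.
SERVICE_ENUM_PATTERNS = {
    "windows": [
        r"\bsc(\.exe)?\s+query\b",
        r"\btasklist(\.exe)?\s+/svc\b",
        r"\bnet(\.exe)?\s+start\b",
        r"\bGet-Service\b",
    ],
    "linux": [
        r"\bsystemctl\s+list-units\b",
        r"\bservice\s+--status-all\b",
        r"\b(cat|ls)\s+/etc/init\.d\b",
    ],
    "macos": [
        r"\blaunchctl\s+(list|print)\b",
        r"\bps\s+aux\b.*\bgrep\b.*com\.apple",
    ],
}

# Parent-process suppression (ParentProcess / ProcessParent tuning).
# These names are constructed placeholders for known automation agents.
BENIGN_PARENTS = {
    "windows": {"monitoringagent.exe"},
    "linux": {"puppet"},
    "macos": {"jamf"},
}

# ExecutionUser tuning: enumeration by these accounts is rated higher.
PRIVILEGED_USERS = {"root", "NT AUTHORITY\\SYSTEM"}


@dataclass
class Event:
    platform: str        # "windows", "linux" or "macos"
    source: str          # channel name as in the tables above
    command_line: str
    parent_process: str
    user: str


def normalize_auditd_execve(raw: str) -> str:
    """auditd EXECVE records carry argv as a0="..." a1="..."; join them."""
    return " ".join(re.findall(r'\ba\d+="([^"]*)"', raw))


def match_service_enumeration(event: Event):
    """Return the pattern that fired, or None (after parent suppression)."""
    if event.parent_process.lower() in BENIGN_PARENTS.get(event.platform, set()):
        return None
    for pattern in SERVICE_ENUM_PATTERNS[event.platform]:
        if re.search(pattern, event.command_line, re.IGNORECASE):
            return pattern
    return None


def severity(event: Event) -> str:
    return "high" if event.user in PRIVILEGED_USERS else "medium"


def detect(events):
    """Return (platform, severity, user, command_line) for each hit, in order."""
    return [
        (e.platform, severity(e), e.user, e.command_line)
        for e in events
        if match_service_enumeration(e)
    ]


# Constructed sample events standing in for the channels above.
AUDITD_RAW = ('type=EXECVE msg=audit(1700000000.123:42): argc=2 '
              'a0="systemctl" a1="list-units"')

SAMPLE_EVENTS = [
    Event("windows", "WinEventLog:Security", "sc.exe query state= all", "cmd.exe", "CORP\\alice"),
    Event("windows", "WinEventLog:PowerShell", "Get-Service | Where-Object Status -eq Running",
          "powershell.exe", "NT AUTHORITY\\SYSTEM"),
    Event("windows", "WinEventLog:Security", "tasklist /svc", "MonitoringAgent.exe", "CORP\\svc-mon"),
    Event("windows", "WinEventLog:Security", "net use \\\\fileserver\\share", "explorer.exe", "CORP\\bob"),
    Event("linux", "auditd:EXECVE", normalize_auditd_execve(AUDITD_RAW), "bash", "www-data"),
    Event("linux", "auditd:EXECVE", "ls /etc/init.d", "bash", "root"),
    Event("macos", "macos:osquery", "launchctl list", "Terminal", "mallory"),
    Event("macos", "macos:osquery", "ps aux | grep com.apple.", "jamf", "root"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Run as a script it prints five hits: the `tasklist /svc` event is suppressed by its parent, `net use` does not match the `net start` pattern, and the `ps aux | grep com.apple.` event is suppressed because its parent is the placeholder MDM agent. The same structure maps directly onto a SIEM search: the pattern lists become the command-line match clause and the suppression sets become the parent-process exclusion.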