Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as
systemctl --type=service, and
Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| | | | Monitor executed commands and arguments that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. |
| DS0009 | Process | OS API Execution | Monitor for API calls associated with gathering information about registered local system services, such as QueryServiceStatusEx. |
| | | | Monitor for newly executed processes with arguments that may try to get information about registered services. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. |
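The detection guidance above (command-line monitoring, and treating discovery as one link in a chain rather than in isolation) can be sketched as a small correlation routine. The following is an added example, not code from ATT&CK: it scans constructed process-creation events for service-enumeration command lines and raises an alert only when the same host/user issues several such commands inside a short window, the pattern one would expect from automated discovery. The `systemctl --type=service` pattern comes from the page; the PowerShell `Get-Service` and WMI `Win32_Service` patterns, the event field names, and the sample events are assumptions made for this example.

```python
"""Example detection logic (added here; not ATT&CK's own code).

Scans process-creation events for command lines that enumerate registered
services and correlates them per (host, user) to surface discovery bursts.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns that enumerate registered services.
# systemctl --type=service is named on the page; the PowerShell cmdlet and the
# WMI class are added as assumptions of what a defender would also watch.
SERVICE_DISCOVERY_PATTERNS = [
    ("systemctl_list_services", re.compile(r"\bsystemctl\b.*--type[= ]service")),
    ("powershell_get_service", re.compile(r"\bGet-Service\b", re.IGNORECASE)),
    ("wmi_win32_service", re.compile(r"\bWin32_Service\b", re.IGNORECASE)),
]

# Constructed sample events in the shape of a minimal process-creation log
# (field names are assumptions; any real telemetry would be mapped to them).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "web01", "user": "deploy",
     "parent": "bash", "cmd": "systemctl --type=service"},
    {"ts": "2024-05-01T10:00:05", "host": "web01", "user": "deploy",
     "parent": "bash", "cmd": "ls -la /etc/systemd/system"},
    {"ts": "2024-05-01T10:00:09", "host": "web01", "user": "deploy",
     "parent": "bash", "cmd": "systemctl status nginx"},
    {"ts": "2024-05-01T10:05:00", "host": "ws07", "user": "alice",
     "parent": "cmd.exe", "cmd": "powershell.exe -NoProfile -Command Get-Service"},
    {"ts": "2024-05-01T10:05:30", "host": "ws07", "user": "alice",
     "parent": "cmd.exe", "cmd": "powershell.exe Get-WmiObject -Class Win32_Service"},
    {"ts": "2024-05-01T10:06:00", "host": "ws07", "user": "alice",
     "parent": "explorer.exe", "cmd": "notepad.exe"},
]


def classify(cmd):
    """Return the names of service-discovery patterns matched by a command line."""
    return [name for name, pattern in SERVICE_DISCOVERY_PATTERNS if pattern.search(cmd)]


def find_service_discovery(events):
    """Tag every event whose command line enumerates registered services."""
    hits = []
    for event in events:
        names = classify(event["cmd"])
        if names:
            hits.append({"event": event, "techniques": names})
    return hits


def correlate_bursts(events, window=timedelta(minutes=10), min_hits=2):
    """Raise one alert per (host, user) that issues min_hits or more
    service-discovery commands inside `window`.

    A single enumeration command is routine administration; several in quick
    succession from one actor is the chain-of-behavior signal worth escalating.
    """
    by_actor = defaultdict(list)
    for hit in find_service_discovery(events):
        ev = hit["event"]
        by_actor[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["ts"]), hit))

    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort(key=lambda item: item[0])
        for i, (start, _) in enumerate(hits):
            # Sliding window anchored on each hit; stop at the first burst found.
            cluster = [h for t, h in hits[i:] if t - start <= window]
            if len(cluster) >= min_hits:
                alerts.append({
                    "host": host,
                    "user": user,
                    "first_seen": start.isoformat(),
                    "commands": [h["event"]["cmd"] for h in cluster],
                    "techniques": sorted({n for h in cluster for n in h["techniques"]}),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate_bursts(SAMPLE_EVENTS):
        print(f"[discovery burst] {alert['host']} / {alert['user']} at {alert['first_seen']}")
        for cmd in alert["commands"]:
            print("   ", cmd)
```

Run against the constructed events, the single `systemctl --type=service` on web01 is tagged but does not alert, while the two PowerShell-driven enumerations on ws07 within thirty seconds produce one alert; the follow-on `notepad.exe` is kept in the event stream so an analyst can see what ran after discovery, which is the point of the guidance above.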