Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as systemctl --type=service, and
Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| | Command | Command Execution | Monitor executed commands and arguments that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. |
| DS0009 | Process | OS API Execution | Monitor for API calls associated with gathering information about registered local system services, such as QueryServiceStatusEx. Other Windows API calls worth monitoring include EnumServicesStatusExA, which can be used to enumerate services in the service control manager database. Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint, but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary. |
| DS0009 | Process | Process Creation | Monitor for newly executed processes with arguments that may try to get information about registered services. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). For event ID 4688, depending on Windows version, you might need to enable |
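The process-creation analytic described above, written out as an added example (not ATT&CK content): it normalises Sysmon Event ID 1 and Security Event ID 4688 records onto one schema, flags service-enumeration command lines, and only escalates a host when several such events cluster inside a short window, so that single events are not judged in isolation. The systemctl indicator comes from the page; the Get-Service pattern, the field names in FIELDS and all sample events are assumptions constructed for the example.

```python
# Added example, not ATT&CK content: a process-creation analytic over Sysmon Event ID 1 and
# Security Event ID 4688 records that escalates a host repeating service discovery in a window.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# systemctl --type=service is from the page; Get-Service is an assumed PowerShell indicator.
SERVICE_DISCOVERY = [re.compile(r"\bsystemctl\b.*--type[= ]service", re.I),
                     re.compile(r"\bGet-Service\b", re.I)]

# Field names per event source; 4688 only carries CommandLine when command-line auditing is on.
FIELDS = {1: ("UtcTime", "CommandLine", "ParentImage"),
          4688: ("TimeCreated", "CommandLine", "ParentProcessName")}

def normalise(event):
    """Map Sysmon (EID 1) and Security log (EID 4688) field names onto one schema."""
    ts, cmd, parent = FIELDS[event["EventID"]]  # KeyError for unsupported event IDs
    return {"ts": event[ts], "host": event["Computer"],
            "cmd": event.get(cmd, ""), "parent": event.get(parent, "")}

def is_service_discovery(cmd):
    return any(p.search(cmd) for p in SERVICE_DISCOVERY)

def analyse(events, window=timedelta(minutes=5), threshold=2):
    """Return (hits, hosts with >= threshold hits inside `window`): a chain of behaviour, not isolated events."""
    hits, per_host = [], defaultdict(list)
    for raw in events:
        e = normalise(raw)
        if is_service_discovery(e["cmd"]):
            hits.append(e)
            per_host[e["host"]].append(datetime.fromisoformat(e["ts"]))
    escalated = []
    for host, times in per_host.items():
        t = sorted(times)
        if any(t[i + threshold - 1] - t[i] <= window for i in range(len(t) - threshold + 1)):
            escalated.append(host)
    return hits, escalated

# Constructed sample telemetry (not real logs): ws01 enumerates services twice, 90 s apart.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-10T09:00:00", "Computer": "ws01",
     "CommandLine": 'powershell.exe -c "Get-Service"', "ParentImage": r"C:\Users\Public\upd.exe"},
    {"EventID": 4688, "TimeCreated": "2024-01-10T09:00:40", "Computer": "ws01",
     "CommandLine": "cmd.exe /c dir", "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "TimeCreated": "2024-01-10T09:01:30", "Computer": "ws01",
     "CommandLine": "powershell.exe Get-Service | findstr Running", "ParentProcessName": r"C:\Users\Public\upd.exe"},
    {"EventID": 1, "UtcTime": "2024-01-10T12:00:00", "Computer": "srv02",
     "CommandLine": "systemctl --type=service --state=running", "ParentImage": "/bin/bash"},
]
```

Running analyse(SAMPLE_EVENTS) yields three hits and escalates only ws01; srv02's single interactive systemctl run is recorded but not escalated, and the parent field is kept so an analyst can see that the ws01 commands came from an unusual parent process.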
Analytic 1 - Suspicious Processes