Description
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start. Adversaries may also gather information about schedule tasks via commands such as schtasks on Windows or crontab -l on Linux and macOS.(Citation: Elastic Security Labs GOSAR 2024)(Citation: SentinelLabs macOS Malware 2021)(Citation: Splunk Linux Gormir 2024)(Citation: Aquasec Kinsing 2020)
Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Platforms
Threat Groups (15)
| ID | Group | Context |
|---|---|---|
| G0060 | BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used TROJ_GETVERSION to discover system services.(Citation: Trend Micro Tick November 2019) |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has searched for services such as Alibaba Cloud Security's aliyun service and BMC Helix Cloud Securit... |
| G0119 | Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) has used the win32_service WMI class to retrieve a list of services from the system.(Citation: ... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used <code>sc query</code> on a victim to gather information about services.(Citation: Palo Alto O... |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover running services and associated processes using the <code>ta... |
| G0143 | Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) has attempted to discover services for third party EDR products.(Citation: CrowdStrike AQUATIC ... |
| G0033 | Poseidon Group | After compromising a victim, [Poseidon Group](https://attack.mitre.org/groups/G0033) discovers all running services.(Citation: Kaspersky Poseidon Grou... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used an instrumentor script to gather the names of all services running on a victim's system.(Cit... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used <code>net start</code> and <code>net use</code> for system service discovery.(Citation: NCC ... |
| G0004 | Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) performs service discovery using <code>net start</code> commands.(Citation: Mandiant Operation Ke3ch... |
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has used [Tasklist](https://attack.mitre.org/software/S0057) for discovery post compromise.(Citati... |
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) has used [Tasklist](https://attack.mitre.org/software/S0057) to obtain information from a comprom... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has used `net start` to list running services.(Citation: CISA AA24-038A PRC Critical Infrastruct... |
| G0018 | admin@338 | [admin@338](https://attack.mitre.org/groups/G0018) actors used the following command following exploitation of a machine with [LOWBALL](https://attack... |
| G0006 | APT1 | [APT1](https://attack.mitre.org/groups/G0006) used the commands <code>net start</code> and <code>tasklist</code> to get a listing of the services on t... |
Associated Software (52)
| ID | Name | Type | Context |
|---|---|---|---|
| S0386 | Ursnif | Malware | [Ursnif](https://attack.mitre.org/software/S0386) has gathered information about running services.(Citation: TrendMicro Ursnif Mar 2015) |
| S0018 | Sykipot | Malware | [Sykipot](https://attack.mitre.org/software/S0018) may use <code>net start</code> to display running services.(Citation: AlienVault Sykipot 2011) |
| S0244 | Comnie | Malware | [Comnie](https://attack.mitre.org/software/S0244) runs the command: <code>net start >> %TEMP%\info.dat</code> on a victim.(Citation: Palo Alto Comnie) |
| S0663 | SysUpdate | Malware | [SysUpdate](https://attack.mitre.org/software/S0663) can collect a list of services on a victim machine.(Citation: Lunghi Iron Tiger Linux) |
| S0039 | Net | Tool | The <code>net start</code> command can be used in [Net](https://attack.mitre.org/software/S0039) to find information about Windows services.(Citation:... |
| S0081 | Elise | Malware | [Elise](https://attack.mitre.org/software/S0081) executes <code>net start</code> after initial communication is made to the remote server.(Citation: L... |
| S0378 | PoshC2 | Tool | [PoshC2](https://attack.mitre.org/software/S0378) can enumerate service and service permission information.(Citation: GitHub PoshC2) |
| S0533 | SLOTHFULMEDIA | Malware | [SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) has the capability to enumerate services.(Citation: CISA MAR SLOTHFULMEDIA October 2020) |
| S1244 | Medusa Ransomware | Malware | [Medusa Ransomware](https://attack.mitre.org/software/S1244) has leveraged an encoded list of services that it designates for termination.(Citation: P... |
| S0236 | Kwampirs | Malware | [Kwampirs](https://attack.mitre.org/software/S0236) collects a list of running services with the command <code>tasklist /svc</code>.(Citation: Symante... |
| S0057 | Tasklist | Tool | [Tasklist](https://attack.mitre.org/software/S0057) can be used to discover services running on a system.(Citation: Microsoft Tasklist) |
| S0283 | jRAT | Malware | [jRAT](https://attack.mitre.org/software/S0283) can list local services.(Citation: Kaspersky Adwind Feb 2016) |
| S0241 | RATANKBA | Malware | [RATANKBA](https://attack.mitre.org/software/S0241) uses <code>tasklist /svc</code> to display running tasks.(Citation: RATANKBA) |
| S0127 | BBSRAT | Malware | [BBSRAT](https://attack.mitre.org/software/S0127) can query service configuration information.(Citation: Palo Alto Networks BBSRAT) |
| S0629 | RainyDay | Malware | [RainyDay](https://attack.mitre.org/software/S0629) can create and register a service for execution.(Citation: Bitdefender Naikon April 2021) |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can enumerate services on compromised hosts.(Citation: Cobalt Strike Manual 4.3 November 2020... |
| S0180 | Volgmer | Malware | [Volgmer](https://attack.mitre.org/software/S0180) queries the system to identify existing services.(Citation: US-CERT Volgmer Nov 2017) |
| S0582 | LookBack | Malware | [LookBack](https://attack.mitre.org/software/S0582) can enumerate services on the victim machine.(Citation: Proofpoint LookBack Malware Aug 2019) |
| S1027 | Heyoka Backdoor | Malware | [Heyoka Backdoor](https://attack.mitre.org/software/S1027) can check if it is running as a service on a compromised host.(Citation: SentinelOne Aoqin ... |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) can identify specific services for termination or to be left running at execution.(Citation: Trend Mi... |
References
- Gal Singer. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved May 22, 2025.
- Jia Yu Chan, Salim Bitam, Daniel Stepanic, and Seth Goodwin. (2024, December 12). Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite. Retrieved May 22, 2025.
- Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved May 22, 2025.
- Splunk Threat Research Team , Teoderick Contreras. (2024, July 15). Breaking Down Linux.Gomir: Understanding this Backdoor’s TTPs. Retrieved May 22, 2025.
Frequently Asked Questions
What is T1007 (System Service Discovery)?
T1007 is a MITRE ATT&CK technique named 'System Service Discovery'. It belongs to the Discovery tactic(s). Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as <code>sc query</c...
How can T1007 be detected?
Detection of T1007 (System Service Discovery) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1007?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1007?
Known threat groups using T1007 include: BRONZE BUTLER, TeamTNT, Indrik Spider, OilRig, Turla, Aquatic Panda, Poseidon Group, Kimsuky.