T1007 - System Service Discovery
Tactics:
Discovery
Platforms:
Linux macOS Windows
Detection:
Not specified
Description:
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query`, `tasklist /svc`, `systemctl --type=service`, and `net start`. Adversaries may also gather information about scheduled tasks via commands such as `schtasks` on Windows or `crontab -l` on Linux and macOS.(Citation: Elastic Security Labs GOSAR 2024)(Citation: SentinelLabs macOS Malware 2021)(Citation: Splunk Linux Gormir 2024)(Citation: Aquasec Kinsing 2020)
Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
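One way to hunt for the commands listed in the description, as an added example that is not part of the original technique entry: it classifies process command lines and flags a parent process that runs several different listing commands in a short span. The event field names (`host`, `ts`, `parent`, `cmdline`), the 120-second window and the threshold of two distinct commands are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Listing forms of the utilities named above. "net start <name>" starts a
# service and "schtasks /create" adds a task, so neither counts as discovery.
PATTERNS = {
    "sc query": r"\bsc(\.exe)?\s+query",
    "tasklist /svc": r"\btasklist(\.exe)?\s.*/svc\b",
    "systemctl --type=service": r"\bsystemctl\b.*--type[= ]service\b",
    "net start": r"\bnet1?(\.exe)?\s+start\s*$",
    "schtasks": r"\bschtasks(\.exe)?(\s+/query\b.*)?\s*$",
    "crontab -l": r"\bcrontab\b(\s+\S+)*\s+-l\b",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in PATTERNS.items()}

def classify(cmdline):
    """Return the name of the listing command a command line matches, or None."""
    return next((n for n, rx in COMPILED.items() if rx.search(cmdline)), None)

def discovery_bursts(events, window=120, min_distinct=2):
    """Flag (host, parent) pairs that ran at least min_distinct different
    listing commands within `window` seconds (assumed heuristic)."""
    hits = defaultdict(list)
    for ev in events:
        name = classify(ev["cmdline"])
        if name:
            hits[(ev["host"], ev["parent"])].append((ev["ts"], name))
    alerts = []
    for (host, parent), seen in sorted(hits.items()):
        seen.sort()
        for start, _ in seen:
            names = sorted({n for t, n in seen if 0 <= t - start <= window})
            if len(names) >= min_distinct:
                alerts.append({"host": host, "parent": parent,
                               "first_ts": start, "commands": names})
                break
    return alerts

# Constructed process-creation events; ts is epoch seconds.
EVENTS = [
    {"host": "ws01", "ts": 1000, "parent": "cmd.exe", "cmdline": "sc query type= service state= all"},
    {"host": "ws01", "ts": 1004, "parent": "cmd.exe", "cmdline": "tasklist /svc"},
    {"host": "ws01", "ts": 1009, "parent": "cmd.exe", "cmdline": "schtasks /query /fo LIST /v"},
    {"host": "ws02", "ts": 2000, "parent": "explorer.exe", "cmdline": "net start Spooler"},
    {"host": "ws02", "ts": 2100, "parent": "cmd.exe", "cmdline": "sc query"},
    {"host": "lin01", "ts": 3000, "parent": "bash", "cmdline": "systemctl list-units --type=service --no-pager"},
    {"host": "lin01", "ts": 3900, "parent": "bash", "cmdline": "crontab -l"},
]
```

With the default window only the `ws01` sequence alerts; the single `sc query` on `ws02` and the two Linux commands 900 seconds apart stay below the threshold, which keeps routine administrator use from firing on every match.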
Used by Actors (14)
Malware (20)
TrickBot other
SynAck other
Sardonic other
Emissary other
Ursnif other
ZLib other
GeminiDuke other
GravityRAT other
Medusa Ransomware other
RainyDay other
GreyEnergy other
PUBLOAD other
SombRAT other
InvisiMole other
Volgmer other
WINERACK other
HyperBro other
DarkTortilla other
Babuk other
Dyre other
Metadata
| MITRE ID: | T1007 |
| STIX ID: | attack-pattern--322bad5a-1c49-... |
| Platforms: | Linux, macOS, Windows |
| Created: | 13/01/2026 17:48 |
| Updated: | 06/03/2026 16:00 |