DET0483 Detection of System Service Discovery Commands Across OS Platforms

Analytics

Enumeration of services via native CLI tools (e.g., sc query, tasklist /svc, net start) or API calls via PowerShell and WMI.

Data Component	Name	Channel
Process Creation (DC0032)	WinEventLog:Security	EventCode=4688
Command Execution (DC0064)	WinEventLog:PowerShell	EventCode=4103, 4104, 4105, 4106

Field	Description
ProcessName	Can be tuned to specific binaries used for service enumeration (e.g., `sc.exe`, `tasklist.exe`).
CommandLineMatch	Filters for variations like `sc query`, `net start`, `Get-Service`.
ParentProcess	Used to suppress known admin scripts or automation jobs.

Execution of service management commands like systemctl list-units, service --status-all, or direct reading of /etc/init.d.

Data Component	Name	Channel
Process Creation (DC0032)	auditd:EXECVE	execve

Field	Description
CommandPattern	Includes service enumeration commands like `systemctl`, `service`, or custom scripts.
ExecutionUser	Tunable by user context (e.g., root vs. standard user).
TimeWindow	Used for correlation with privilege escalation or lateral movement.

Discovery via launchctl commands, or process enumeration using ps aux | grep com.apple. to identify daemons and services.

Data Component	Name	Channel
Command Execution (DC0064)	macos:unifiedlog	None
Process Creation (DC0032)	macos:osquery	process_events

Field	Description
CommandLineContent	Tune to recognize `launchctl list`, `launchctl print`, or service grep strings.
ProcessParent	Filter known benign automation or MDM agent invocations.