Windows Services Enumeration
Windows Services Enumeration is a common technique leveraged by advanced Remote Access Trojans (RATs) and Command and Control (C2) frameworks as part of their post-exploitation capabilities.
Service enumeration typically retrieves and displays key information about installed services, such as:
- Display name
- Service name
- Current state (running, stopped, paused, etc.)
- Image path and arguments
This provides the attacker with a direct and simplified overview of the system's active services, helping to quickly identify targets for further exploitation. By analyzing service configurations, attackers can discover paths for privilege escalation or disrupt system stability and user activities (see related techniques).
Service enumeration can be performed using:
- Classic Windows APIs (e.g., `EnumServicesStatusEx`, `QueryServiceConfig`)
- Command-line utilities such as `sc.exe` (Service Control) or `wmic.exe` (Windows Management Instrumentation Command-line)
- `Get-Service` and `Get-WmiObject` cmdlets in PowerShell
- .NET Classes (`System.ServiceProcess`)
Enumerating services can reveal potential weaknesses that can be leveraged for further attacks.
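For defenders, the command-line methods listed above leave traces in process-creation telemetry. The following detection check is an added example, not code from the original page or its snippet authors; the event field names, host names and sample command lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns for the command-line methods listed above. Enumeration through the
# API (EnumServicesStatusEx, QueryServiceConfig) or System.ServiceProcess
# spawns no child process, so command-line telemetry alone will not show it.
RULES = [
    ("sc.exe", re.compile(
        r'(?:^|[\\/\s"])sc(?:\.exe)?"?\s+(?:\\\\\S+\s+)?(?:query|queryex|qc)\b', re.I)),
    ("wmic.exe", re.compile(r'(?:^|[\\/\s"])wmic(?:\.exe)?"?\s.*\bservice\b', re.I)),
    ("Get-Service", re.compile(r"\bGet-Service\b", re.I)),
    ("Get-WmiObject", re.compile(r"\bGet-WmiObject\b.*\bWin32_Service\b", re.I)),
]

def classify(command_line):
    """Return the name of the enumeration method a command line matches, or None."""
    for name, pattern in RULES:
        if pattern.search(command_line):
            return name
    return None

def detect(events):
    """Map each host to the set of enumeration methods seen in its events."""
    hits = defaultdict(set)
    for event in events:
        method = classify(event["command_line"])
        if method:
            hits[event["host"]].add(method)
    return dict(hits)

# Constructed sample events (hypothetical hosts; field names are assumptions).
SAMPLE_EVENTS = [
    {"host": "WS01", "command_line": r"C:\Windows\System32\sc.exe query state= all"},
    {"host": "WS01", "command_line": r'"C:\Windows\System32\sc.exe" qc Spooler'},
    {"host": "WS01", "command_line": "wmic service get name,displayname,pathname,state"},
    {"host": "WS02", "command_line": 'powershell.exe -c "Get-WmiObject -Class Win32_Service"'},
    {"host": "WS02", "command_line": "powershell.exe -Command Get-Service"},
    {"host": "WS03", "command_line": r"C:\Windows\System32\sc.exe start Spooler"},
    {"host": "WS03", "command_line": "wmic process list brief"},
]

if __name__ == "__main__":
    for host, methods in sorted(detect(SAMPLE_EVENTS).items()):
        print(host, sorted(methods))
```

Service queries are also routine administrative activity, so matches are best triaged by parent process and account rather than alerted on individually.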
Featured Windows APIs
Associated Code Snippets
Id | Name | Language | Author | Published Date |
---|---|---|---|---|
27 | Enumerate Services via EnumServicesStatus | | DarkCoderSc | 1 day, 19 hours ago. |