MITRE ATT&CK® Analytic

AN1325: Analytic 1325

Enumeration of services via native CLI tools (e.g., `sc query`, `tasklist /svc`, `net start`) or API calls via PowerShell and WMI.

Enterprise · AN1325 · Analytic · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic concerns Windows service enumeration using built-in command-line tools or API access through PowerShell and WMI. For leaders, the significance is that service inventory discovery can help an intruder understand what security tools, business applications, or privileged services exist before choosing a next action. Because the ATT&CK object provides no detection logic, teams should treat this as a coverage validation topic rather than an assumed alert.

Executive priority

Prioritize this as a SOC and incident-response readiness check for Windows environments. Executives should ask whether the organization can prove it collects enough endpoint and command/script telemetry to distinguish routine administration from unusual service enumeration, especially on sensitive servers and administrator workstations. This also supports audit evidence around monitoring of native tools that are commonly used by both administrators and intruders.

Technical view

Validate visibility for Windows service enumeration performed through native CLI usage such as `sc query`, `tasklist /svc`, and `net start`, as well as service enumeration through PowerShell and WMI API paths. Because no official detection logic is provided and no tactic or relationship context is supplied, detection engineering should focus on local baselining: user, host role, parent process, frequency, remote execution context, and proximity to other suspicious activity. IR teams should ensure triage playbooks can quickly answer who enumerated services, on which hosts, by what process path, and whether the activity was expected administration.

Likely telemetry

  • Windows process creation telemetry with command-line arguments
  • PowerShell execution and script block/module logging where enabled
  • WMI activity telemetry and relevant Windows event logs
  • Endpoint detection and response process, user, host, and parent-process context
  • Asset and host-role inventory to separate administrative baselines from unusual activity

Detection direction

  • Confirm that process command lines are captured for native Windows utilities used to enumerate services.
  • Baseline expected service enumeration by administrators, management tooling, and monitoring platforms to reduce false positives.
  • Correlate enumeration with unusual users, non-administrative workstations, sensitive servers, remote execution patterns, or nearby suspicious activity.
  • Validate visibility into PowerShell and WMI paths, not only command-line utilities, because the object explicitly includes API-based enumeration.
  • Document blind spots where endpoint logging, PowerShell logging, WMI telemetry, or EDR coverage is missing.
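As an added example, not part of the Glexia analysis or the ATT&CK object, the following Python scorer applies the detection direction above to process-creation telemetry: it matches the CLI, PowerShell and WMI enumeration paths named in AN1325, suppresses approved management tooling, and raises the score for non-administrative users, sensitive hosts, remote-execution parent processes, and bursts of distinct enumeration methods from one host/user pair. Every user, host, path, threshold and sample event is a constructed placeholder to be replaced with local inventory.

```python
"""Added example (not part of the Glexia page or the ATT&CK object): score Windows
process-creation events for the service-enumeration paths AN1325 describes and
apply local baselines. All names, thresholds and sample events are constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessEvent:
    ts: int            # epoch seconds
    host: str
    user: str
    parent_image: str  # full path of the parent process
    command_line: str


# Enumeration paths named by the analytic: native CLI, PowerShell cmdlet, WMI/CIM class.
PATTERNS = {
    "cli:sc_query":      re.compile(r'(?i)\bsc(\.exe)?"?\s+(\\\\\S+\s+)?query(ex)?\b'),
    "cli:tasklist_svc":  re.compile(r'(?i)\btasklist(\.exe)?"?\s.*/svc\b'),
    "cli:net_start":     re.compile(r'(?i)\bnet1?(\.exe)?"?\s+start\s*$'),  # bare "net start" lists services
    "cli:wmic_service":  re.compile(r'(?i)\bwmic(\.exe)?"?\s+service\b'),
    "ps:get_service":    re.compile(r'(?i)\bget-service\b'),
    "wmi:win32_service": re.compile(r'(?i)\bwin32_service\b'),
}

# Local baseline inputs (constructed placeholders; replace with your own inventory).
ADMIN_USERS = {"corp\\itops", "corp\\svc-monitor"}
MGMT_PARENTS = {r"c:\program files\examplemgmt\agent.exe"}   # approved management tooling
SENSITIVE_HOSTS = {"dc01", "sql01"}
REMOTE_PARENTS = {"wsmprovhost.exe", "wmiprvse.exe", "psexesvc.exe"}  # remote-execution hosts
BURST_WINDOW_S = 300   # seconds
BURST_DISTINCT = 3     # distinct methods from one host/user inside the window


def match_patterns(command_line: str) -> list[str]:
    """Return the names of every enumeration pattern present in the command line."""
    return [name for name, rx in PATTERNS.items() if rx.search(command_line)]


def score_event(ev: ProcessEvent, recent_methods: set[str]) -> Optional[dict]:
    """Score one event. recent_methods holds methods already seen from this host/user
    inside the burst window. Returns None when nothing matched or the parent is baselined."""
    hits = match_patterns(ev.command_line)
    if not hits:
        return None
    parent = ev.parent_image.lower()
    if parent in MGMT_PARENTS:
        return None  # approved tooling: expected administration, suppressed
    score, reasons = 1, ["service enumeration: " + ",".join(hits)]
    if ev.user.lower() not in ADMIN_USERS:
        score += 1
        reasons.append("non-administrative user")
    if ev.host.lower() in SENSITIVE_HOSTS:
        score += 1
        reasons.append("sensitive host")
    if parent.rsplit("\\", 1)[-1] in REMOTE_PARENTS:
        score += 1
        reasons.append("remote execution context")
    if len(recent_methods | set(hits)) >= BURST_DISTINCT:
        score += 1
        reasons.append("burst of distinct enumeration methods")
    return {"ts": ev.ts, "host": ev.host, "user": ev.user, "methods": hits,
            "score": score, "reasons": reasons}


def detect(events: list[ProcessEvent]) -> list[dict]:
    """Run the scorer over a batch of events in time order, tracking per host/user bursts."""
    history: dict[tuple[str, str], list[tuple[int, str]]] = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host.lower(), ev.user.lower())
        recent = {m for t, m in history[key] if ev.ts - t <= BURST_WINDOW_S}
        alert = score_event(ev, recent)
        if alert:
            alerts.append(alert)
            history[key].extend((ev.ts, m) for m in alert["methods"])
    return alerts


# Constructed sample telemetry (field shapes modelled on process-creation events).
SAMPLE_EVENTS = [
    ProcessEvent(1000, "ws-admin01", "CORP\\itops", r"C:\Program Files\ExampleMgmt\agent.exe", "sc query"),
    ProcessEvent(1100, "ws-fin07", "CORP\\jdoe", r"C:\Windows\System32\cmd.exe", "sc  query state= all"),
    ProcessEvent(1160, "ws-fin07", "CORP\\jdoe", r"C:\Windows\System32\cmd.exe", "tasklist /svc"),
    ProcessEvent(1220, "ws-fin07", "CORP\\jdoe", r"C:\Windows\System32\cmd.exe", "net start"),
    ProcessEvent(1300, "dc01", "CORP\\itops", r"C:\Windows\System32\wsmprovhost.exe",
                 "powershell.exe -NoProfile -Command Get-CimInstance Win32_Service"),
    ProcessEvent(1400, "ws-admin01", "CORP\\itops", r"C:\Windows\System32\cmd.exe", "net start Spooler"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["ts"], a["host"], a["user"], a["score"], "; ".join(a["reasons"]))
```

In practice the `ProcessEvent` fields map onto Sysmon Event ID 1 (`CommandLine`, `ParentImage`, `User`) or Security Event ID 4688, which carries the command line only when process-creation auditing is configured to include it; the first sample event shows the baseline suppression working, the `ws-fin07` sequence shows the burst rule firing on the third distinct method, and the last event shows that `net start Spooler` (starting a service) is deliberately not treated as enumeration.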

Mitigation priorities

  • First ensure logging and endpoint coverage are enabled on Windows systems where service visibility matters most.
  • Limit administrative access so service enumeration from privileged contexts is attributable and expected.
  • Harden and monitor PowerShell and WMI usage according to enterprise policy, with emphasis on accountability and logging.
  • Use asset ownership and change-management context to distinguish approved administration from anomalous discovery behavior.
  • Feed confirmed gaps into SOC tuning, IR playbooks, and compliance evidence for monitoring of native administrative tools.

Analyst notes and limits

The supplied object is a detection analytic for Windows service enumeration, but it does not include official detection logic, tactics, labels, aliases, or relationship context. The practical value is therefore in validating telemetry and analytic coverage rather than asserting a specific ATT&CK technique chain or adversary behavior beyond the official description.

This take is limited to the official STIX fields and external reference supplied. No active exploitation, attribution, impact, or guaranteed detection coverage can be inferred. Local baselines, host roles, identity context, and endpoint logging configuration are required to determine severity and detection fidelity.

Official MITRE ATT&CK definition

Analytic 1325

Enumeration of services via native CLI tools (e.g., `sc query`, `tasklist /svc`, `net start`) or API calls via PowerShell and WMI.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: fe6f16c5c5679da9...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | fe6f16c5c567…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1325 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.