Home/ATT&CK Technique/Process Discovery
ATT&CK Technique

Process Discovery

T1057 · discovery

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details.

Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. In Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or Get-Process via PowerShell. Information about processes can also be extracted from the output of Native API calls such as CreateToolhelp32Snapshot.

In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc. ESXi also supports use of the ps command, as well as esxcli system process list.

On network devices, Network Device CLI commands such as show processes can be used to display current running processes.

ESXiLinuxmacOSNetwork DevicesWindows

Actors Using This

14
iranAgrius
russia_speaking_cybercrimeAkira
russia_speaking_cybercrimeALPHV / BlackCat
latin_america_brazilian_organized_cybercrimeAmavaldo
north_koreaAndariel
franceAnimal Farm
unknown_likely_russia_alignedAnubis Ransomware
chinaAoqin Dragon
chinaAPT10
chinaAPT17
chinaAPT1
russiaAPT28
russiaAPT29
chinaAPT31

Atomic Tests

9
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
shlinux, macosProcess Discovery - ps
Utilize ps to identify processes. Upon successful execution, sh will execute ps and output to /tmp/loot.txt. 
ps >> #{output_file}
ps aux >> #{output_file}
command_promptwindowsProcess Discovery - tasklist
Utilize tasklist to identify processes. Upon successful execution, cmd.exe will execute tasklist.exe to list processes. Output will be via stdout. 
tasklist
powershellwindowsProcess Discovery - Get-Process
Utilize Get-Process PowerShell cmdlet to identify processes. Upon successful execution, powershell.exe will execute Get-Process to list processes. Output will be via stdout. 
Get-Process
powershellwindowsProcess Discovery - get-wmiObject
Utilize get-wmiObject PowerShell cmdlet to identify processes. Upon successful execution, powershell.exe will execute get-wmiObject to list processes. Output will be via stdout. 
get-wmiObject -class Win32_Process
command_promptwindowsProcess Discovery - wmic process
Utilize windows management instrumentation to identify processes. Upon successful execution, WMIC will execute process to list processes. Output will be via stdout. 
wmic process get /format:list
command_promptwindowsDiscover Specific Process - tasklist
Adversaries may use command line tools to discover specific processes in preparation of further attacks. Examples of this could be discovering the PID of lsass.exe to dump its memory or discovering whether specific security processes (e.g. AV or EDR) are running. 
tasklist | findstr #{process_to_enumerate}
powershellelevatedwindowsProcess Discovery - Process Hacker
Process Hacker can be exploited to infiltrate system processes, identify weak points, or achieve unauthorized control over systems. However, its malicious use can often be flagged by security defenses, rendering it a perilous tool for illegitimate purposes.
Start-Process -FilePath "$Env:ProgramFiles\Process Hacker 2\#{processhacker_exe}"
powershellelevatedwindowsProcess Discovery - PC Hunter
PC Hunter is a toolkit with access to hundreds of settings including kernels, kernel modules, processes, network, startup, and more. When abused, this tool can allow threat actors to effectively access sensitive processes, collect system information, and terminate security software.
Start-Process -FilePath "C:\Temp\ExternalPayloads\PCHunter_free\#{pchunter64_exe}"
command_promptwindowsLaunch Taskmgr from cmd to View running processes
An adverary may launch taskmgr.exe with the /7 switch via command prompt to view processes running on the system. [Reference](https://github.com/trellix-enterprise/ac3-threat-sightings/blob/main/sightings/Sightings_Conti_Ransomware.yml) 
taskmgr.exe /7

Detection Coverage

2/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 5
Analytics (MITRE CAR) 2
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

CAR Analytics

2
MITRE Cyber Analytics Repository - field-tested detection logic for this technique, written as pseudocode/queries you adapt to your own SIEM (Splunk, Sentinel, EQL). Each is a ready starting point for a detection rule, not just a description.
CAR-2013-04-002Low coverageQuick execution of a series of suspicious commands

Certain commands are frequently used by malicious actors and infrequently used by normal users. By looking for execution of these commands in short periods of time, we can not only see when a malicious user was on the system but also get an idea of what they were doing.

Commands of interest
  • arp.exe.
  • at.exe.
  • attrib.exe.
  • cscript.exe.
  • dsquery.exe.
  • hostname.exe.
  • ipconfig.exe.
  • mimikatz.exe.
  • nbstat.exe.
  • net.exe.
  • netsh.exe.
  • nslookup.exe.
  • ping.exe.
  • quser.exe.
  • qwinsta.exe.
  • reg.exe.
  • runas.exe.
  • sc.exe.
  • schtasks.exe.
  • ssh.exe.
  • systeminfo.exe.
  • taskkill.exe.
  • telnet.exe.
  • tracert.exe.
  • wscript.exe.
  • xcopy.exe ### Output Description The host on which the commands were executed, the time of execution, and what commands were executed.
pseudocode
processes = search Process:Create
reg_processes = filter processes where (exe == "arp.exe" or exe == "at.exe" or exe == "attrib.exe"
 or exe == "cscript.exe" or exe == "dsquery.exe" or exe == "hostname.exe"
 or exe == "ipconfig.exe" or exe == "mimikatz.exe" or exe == "nbstat.exe"
 or exe == "net.exe" or exe == "netsh.exe" or exe == "nslookup.exe"
 or exe == "ping.exe" or exe == "quser.exe" or exe == "qwinsta.exe"
 or exe == "reg.exe" or exe == "runas.exe" or exe == "sc.exe"
 or exe == "schtasks.exe" or exe == "ssh.exe" or exe == "systeminfo.exe"
 or exe == "taskkill.exe" or exe == "telnet.exe" or exe == "tracert.exe"
 or exe == "wscript.exe" or exe == "xcopy.exe")
reg_grouped = group reg by hostname, ppid where(max time between two events is 30 minutes)
output reg_grouped
DNIF
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=regex(arp\.exe|at\.exe|attrib\.exe|cscript\.exe|dsquery\.exe|hostname\.exe|ipconfig\.exe|mimikatz.exe|nbstat\.exe|net\.exe|netsh\.exe|nslookup\.exe|ping\.exe|quser\.exe|qwinsta\.exe|reg\.exe|runas\.exe|sc\.exe|schtasks\.exe|ssh\.exe|systeminfo\.exe|taskkill\.exe|telnet\.exe|tracert\.exe|wscript\.exe|xcopy\.exe)i group count_unique $App limit 100
>>_agg count
>>_checkif int_compare Count > 1 include
LogPoint
norm_id=WindowsSysmon event_id=1 image IN ["*\arp.exe", "*\at.exe", "*\attrib.exe", "*\cscript.exe", "*\dsquery.exe", "*\hostname.exe", "*\ipconfig.exe", "*\mimikatz.exe", "*\nbstat.exe", "*\net.exe", "*\netsh.exe", "*\nslookup.exe", "*\ping.exe", "*\quser.exe", "*\qwinsta.exe", "*\reg.exe", "*\runas.exe", "*\sc.exe", "*\schtasks.exe", "*\ssh.exe", "*\systeminfo.exe", "*\taskkill.exe", "*\telnet.exe", "*\tracert.exe", "*\wscript.exe", "*\xcopy.exe"]
| chart count() as cnt by host
| search cnt > 1
CAR-2016-03-001Moderate coverageHost Discovery Commands

When entering on a host for the first time, an adversary may try to discover information about the host. There are several built-in Windows commands that can be used to learn about the software configurations, active users, administrators, and networking configuration. These commands should be monitored to identify when an adversary is learning information about the system and environment.

The information returned may impact choices an adversary can make when establishing persistence, escalating privileges, or moving laterally. Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white-or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically.

Within the built-in Windows Commands
  • hostname.
  • ipconfig.
  • net.
  • quser.
  • qwinsta.
  • sc with flags query, queryex, qc.
  • systeminfo.
  • tasklist.
  • dsquery.
  • whoami Note dsquery is only pre-existing on Windows servers.
pseudocode
process = search Process:Create
info_command = filter process where (
 exe == "hostname.exe" or
 exe == "ipconfig.exe" or
 exe == "net.exe" or
 exe == "quser.exe" or
 exe == "qwinsta.exe" or
 exe == "sc" and (command_line match " query" or command_line match " qc")) or
 exe == "systeminfo.exe" or
 exe == "tasklist.exe" or
 exe == "whoami.exe"
)
output info_command
Splunk
index=__your_sysmon_index__ EventCode=1 (Image="C:\\Windows\\*\\hostname.exe" OR Image="C:\\Windows\\*\\ipconfig.exe" OR Image="C:\\Windows\\*\\net.exe" OR Image="C:\\Windows\\*\\quser.exe" OR Image="C:\\Windows\\*\\qwinsta.exe" OR (Image="C:\\Windows\\*\\sc.exe" AND (CommandLine="* query *" OR CommandLine="* qc *")) OR Image="C:\\Windows\\*\\systeminfo.exe" OR Image="C:\\Windows\\*\\tasklist.exe" OR Image="C:\\Windows\\*\\whoami.exe")|stats values(Image) as "Images" values(CommandLine) as "Command Lines" by ComputerName
EQL
process where subtype.create and
  (process_name == "hostname.exe" or process_name == "ipconfig.exe" or process_name == "net.exe" or process_name == "quser.exe" process_name == "qwinsta.exe" or process_name == "systeminfo.exe" or process_name == "tasklist.exe" or process_name == "whoami.exe" or (process_name == "sc.exe" and (command_line == "* query *" or command_line == "* qc *")))
LogPoint
norm_id=WindowsSysmon event_id=1 (image in ["*\hostname.exe", "*\ipconfig.exe", "*\net.exe", "*\quser.exe", "*\qwinsta.exe", "*\systeminfo.exe", "*\tasklist.exe", "*\whoami.exe"] OR (image="*\sc.exe" command IN ["* query *", "* qc *"))

Caldera Emulation

9
MITRE Caldera abilities that emulate this technique - each is an executable action for automated adversary emulation.
collectionwindowsSysInternals PSTool Process Discovery
$ps_url = "https://download.sysinternals.com/files/PSTools.zip";
$download_folder = "C:\Users\Public\";
$staging_folder = "C:\Users\Public\temp";
Start-BitsTransfer -Source $ps_url -Destination $download_folder;
Expand-Archive -LiteralPath $download_folder"PSTools.zip" -DestinationPath $staging_folder;
iex $staging_folder"\pslist.exe" >> $env:LOCALAPPDATA\output.log;
Remove-Item $download_folder"PSTools.zip";
Remove-Item $staging_folder -Recurse
discoverywindowsDiscover injectable process
$owners = @{};
gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user};
$ps = get-process | select processname,Id,@{l="Owner";e={$owners[$_.id.tostring()]}};
$valid = foreach($p in $ps) { if($p.Owner -eq $env:USERNAME -And $p.ProcessName -eq "svchost") {$p} };
$valid | ConvertTo-Json
discoverywindowsFind LSASS
$ps = get-process | select processname,Id;
$valid = foreach($p in $ps) { if($p.ProcessName -eq "lsass") {$p} };
$valid | ConvertTo-Json
discoverydarwin, linux, windowsFind user processes
ps aux | grep #{host.user.name}
discoverywindowsPowerShell Process Enumeration
get-process >> $env:APPDATA\vmtools.log;
cat $env:APPDATA\vmtools.log
discoverywindows, darwin, linuxSystem processes
Get-Process
discoverydarwin, linux, windowsView Processes
ps
discoverylinuxenumerate VMs
acrnctl list
discoverywindowstasklist Process Enumeration
tasklist /m  >> $env:APPDATA\vmtool.log;
cat $env:APPDATA\vmtool.log

Comply & Defend

D3FEND6 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin