MaxPatrol SIEM

Detects cyber incidents that undermine the cyber resilience of a company

T1057: Process Discovery

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

In Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or Get-Process via PowerShell. Information about processes can also be extracted from the output of Native API calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.

On network devices, Network Device CLI commands such as show processes can be used to display current running processes.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_discovery: PT-CR-328: Process_Discovery: An attempt to retrieve a list of processes running in the system is detected
unix_mitre_attck_discovery: PT-CR-1688: Unix_Process_Discovery: Information about running processes was received
unix_mitre_attck_discovery: PT-CR-480: Unix_Local_Mass_Recon: A large number of reconnaissance commands were executed. Possible automated reconnaissance.
mitre_attck_discovery: PT-CR-2117: Windows_Mass_Recon: Large number of reconnaissance-related actions on a host

Detection

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor for newly executed processes that may attempt to get information about running processes on a system. To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment.

Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically. Within the built-in Windows Commands:

  • hostname
  • ipconfig
  • net
  • quser
  • qwinsta
  • sc with flags query, queryex, qc
  • systeminfo
  • tasklist
  • dsquery
  • whoami

Analytic 1 - Host Discovery Commands

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (Image="C:\\Windows\\*\\hostname.exe" OR Image="C:\\Windows\\*\\ipconfig.exe" OR Image="C:\\Windows\\*\\net.exe" OR Image="C:\\Windows\\*\\quser.exe" OR Image="C:\\Windows\\*\\qwinsta.exe" OR (Image="C:\\Windows\\*\\sc.exe" AND (CommandLine="* query *" OR CommandLine="* qc *")) OR Image="C:\\Windows\\*\\systeminfo.exe" OR Image="C:\\Windows\\*\\tasklist.exe" OR Image="C:\\Windows\\*\\whoami.exe") | stats values(Image) as "Images" values(CommandLine) as "Command Lines" by ComputerName
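The same analytic expressed as a small detection routine, added here as an example (it is not MaxPatrol SIEM or CAR code): it applies the Analytic 1 image and sc.exe command-line conditions to constructed Sysmon EID 1 / Security 4688 events, groups hits per host the way the `stats ... by ComputerName` tail does, and counts hits per host as a simple stand-in for the mass-reconnaissance idea behind PT-CR-2117. It goes slightly beyond the query in also accepting queryex and a command line that ends right after the verb; the threshold of 5 is an assumed value.

```python
import re
from collections import defaultdict

# Image basenames from the Analytic 1 list; sc.exe is handled separately below.
DISCOVERY_IMAGES = {"hostname.exe", "ipconfig.exe", "net.exe", "quser.exe", "qwinsta.exe",
                    "systeminfo.exe", "tasklist.exe", "whoami.exe"}
# sc.exe counts only with a query-style verb (query, queryex, qc), as the text lists.
SC_QUERY_RE = re.compile(r"(^|\s)(query|queryex|qc)(\s|$)", re.IGNORECASE)
# Equivalent of Image="C:\\Windows\\*\\<name>": any image below the Windows directory.
WINDOWS_IMAGE_RE = re.compile(r"^[a-z]:\\windows\\(?:.*\\)?([^\\]+)$", re.IGNORECASE)

def is_discovery(image, command_line):
    """True when one process-creation event matches the host-discovery analytic."""
    m = WINDOWS_IMAGE_RE.match(image)
    if not m:
        return False  # a copy of tasklist.exe outside C:\Windows is not covered by the analytic
    base = m.group(1).lower()
    if base == "sc.exe":
        return SC_QUERY_RE.search(command_line) is not None
    return base in DISCOVERY_IMAGES

def detect(events, mass_threshold=5):
    """Group hits per host like `stats values(Image) values(CommandLine) by ComputerName`
    and flag a host once it reaches mass_threshold hits (assumed value, tune per environment)."""
    per_host = defaultdict(lambda: {"images": set(), "command_lines": [], "mass_recon": False})
    for ev in events:
        if ev["EventCode"] not in ("1", "4688"):  # Sysmon EID 1 or Security 4688 only
            continue
        if is_discovery(ev["Image"], ev["CommandLine"]):
            host = per_host[ev["ComputerName"]]
            host["images"].add(ev["Image"])
            host["command_lines"].append(ev["CommandLine"])
            host["mass_recon"] = len(host["command_lines"]) >= mass_threshold
    return dict(per_host)

# Constructed sample events: field names follow the query above, values are made up.
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "EventCode": "1", "Image": r"C:\Windows\System32\tasklist.exe", "CommandLine": "tasklist /v"},
    {"ComputerName": "WS01", "EventCode": "1", "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami /all"},
    {"ComputerName": "WS01", "EventCode": "4688", "Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc query"},
    {"ComputerName": "WS01", "EventCode": "4688", "Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc start Spooler"},
    {"ComputerName": "WS01", "EventCode": "1", "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net user"},
    {"ComputerName": "WS01", "EventCode": "1", "Image": r"C:\Windows\System32\systeminfo.exe", "CommandLine": "systeminfo"},
    {"ComputerName": "WS02", "EventCode": "1", "Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig /all"},
    {"ComputerName": "WS02", "EventCode": "1", "Image": r"C:\Users\bob\tasklist.exe", "CommandLine": "tasklist"},
]

if __name__ == "__main__":
    for name, hit in detect(SAMPLE_EVENTS).items():
        print(name, sorted(hit["images"]), "mass_recon" if hit["mass_recon"] else "")
```

The non-matching `sc start` and the tasklist.exe copy under C:\Users show what the analytic as written does not cover, which is where a parent-process field or an allowlist would come in.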

ID: DS0009
Data source and component: Process: OS API Execution
Description:

Monitor for API calls that may attempt to get information about running processes on a system.

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments for actions that may attempt to get information about running processes on a system.