T1057: Process Discovery
Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
In Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or Get-Process via PowerShell. Information about processes can also be extracted from the output of Native API calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.
On network devices, Network Device CLI commands such as show processes can be used to display current running processes.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_discovery: PT-CR-328: Process_Discovery: An attempt to retrieve a list of processes running in the system is detected
unix_mitre_attck_discovery: PT-CR-1688: Unix_Process_Discovery: Information about running processes was received
unix_mitre_attck_discovery: PT-CR-480: Unix_Local_Mass_Recon: A large number of reconnaissance commands were executed. Possible automated reconnaissance.
mitre_attck_discovery: PT-CR-2117: Windows_Mass_Recon: Large number of reconnaissance-related actions on a host
Detection
ID | Data source and component | Description
---|---|---
DS0009 | Process: Process Creation | Monitor for newly executed processes that may attempt to get information about running processes on a system. To be effective in distinguishing malicious from benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment. Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider an anomaly detection approach so that this information can be learned dynamically. Within the built-in Windows Commands: Analytic 1 - Host Discovery Commands
DS0009 | Process: OS API Execution | Monitor for API calls that may attempt to get information about running processes on a system.
DS0017 | Command: Command Execution | Monitor executed commands and arguments for actions that may attempt to get information about running processes on a system.
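The process-creation guidance above (full command line, parent process, an allowlist, and a count-based anomaly threshold in the spirit of the Unix_Local_Mass_Recon and Windows_Mass_Recon rules), as an added example that is not part of this page or of Positive Technologies' rule set. The events, the MonAgent parent allowlist and the 3-in-60-seconds threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed Sysmon/auditd-style process-creation events (not real telemetry).
EVENTS = [
    {"ts": 100, "host": "ws01", "cmdline": "tasklist /v", "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": 103, "host": "ws01", "cmdline": "powershell -nop -c Get-Process", "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": 110, "host": "ws01", "cmdline": "tasklist /svc", "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": 500, "host": "ws02", "cmdline": "tasklist", "parent": r"C:\Program Files\MonAgent\agent.exe"},
    {"ts": 900, "host": "srv01", "cmdline": "ps aux", "parent": "/bin/bash"},
    {"ts": 950, "host": "srv01", "cmdline": "cat /proc/1234/cmdline", "parent": "/bin/bash"},
]

# Process-discovery indicators named on the page: tasklist, Get-Process, ps, /proc.
PATTERNS = [
    ("tasklist", re.compile(r"\btasklist(\.exe)?\b", re.I)),
    ("Get-Process", re.compile(r"\bGet-Process\b", re.I)),
    ("ps", re.compile(r"(^|[\s/])ps(\s|$)")),
    ("/proc", re.compile(r"/proc/(\d+|self)/")),
]

# Hypothetical allowlist: parent images whose process queries are expected (tune per environment).
ALLOWED_PARENTS = {r"C:\Program Files\MonAgent\agent.exe"}


def classify(cmdline):
    """Return the matching indicator name, or None if the command line is not process discovery."""
    for name, rx in PATTERNS:
        if rx.search(cmdline):
            return name
    return None


def detect(events, window=60, threshold=3):
    """Emit a Process_Discovery alert per hit and a Mass_Recon alert when
    `threshold` hits on one host fall within `window` seconds."""
    alerts, hits = [], defaultdict(list)
    for ev in events:
        name = classify(ev["cmdline"])
        if name is None or ev["parent"] in ALLOWED_PARENTS:
            continue  # benign command or allowlisted parent: suppress, as the guidance recommends
        alerts.append({"rule": "Process_Discovery", "host": ev["host"],
                       "detail": f"{name}: {ev['cmdline']} (parent {ev['parent']})"})
        hits[ev["host"]].append(ev["ts"])
    for host, times in hits.items():
        times.sort()
        # Sliding window over sorted timestamps: `threshold` consecutive hits within `window` seconds.
        if any(times[i + threshold - 1] - times[i] <= window for i in range(len(times) - threshold + 1)):
            alerts.append({"rule": "Mass_Recon", "host": host,
                           "detail": f"{threshold}+ process discovery commands within {window}s"})
    return alerts
```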