Technique on mitre.org

T1057: Process Discovery

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

In Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or Get-Process via PowerShell. Information about processes can also be extracted from the output of Native API calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.

On network devices, Network Device CLI commands such as show processes can be used to display current running processes.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

unix_mitre_attck_discovery: PT-CR-1688: Unix_Process_Discovery: Information about running processes was received unix_mitre_attck_discovery: PT-CR-480: Unix_Local_Mass_Recon: A large number of reconnaissance commands were executed. Possible automated reconnaissance. mitre_attck_discovery: PT-CR-2117: Windows_Mass_Recon: Large number of reconnaissance-related actions on a host mitre_attck_discovery: PT-CR-328: Process_Discovery: An attempt to retrieve a list of processes running in the system

Detection

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments for actions that may attempt to get information about running processes on a system.

ID	DS0009	Data source and component	Process: OS API Execution	Description	Monitor for API calls may attempt to get information about running processes on a system.

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor for newly executed processes that may attempt to get information about running processes on a system. To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment. Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically. Within the built-in Windows Commands: hostname ipconfig net quser qwinsta sc with flags query, queryex, qc systeminfo tasklist dsquery whoami Note: To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment. Analytic 1 - Host Discovery Commands (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (Image="C:\Windows\\hostname.exe" OR Image="C:\Windows\\ipconfig.exe" OR Image="C:\Windows\\net.exe" OR Image="C:\Windows\\quser.exe" OR Image="C:\Windows\\qwinsta.exe" OR (Image="C:\Windows\\sc.exe" AND (CommandLine="* query " OR CommandLine=" qc ")) OR Image="C:\Windows\\systeminfo.exe" OR Image="C:\Windows\\tasklist.exe" OR Image="C:\Windows\\whoami.exe")\|stats values(Image) as "Images" values(CommandLine) as "Command Lines" by ComputerName

ID	Data source and component	Description
DS0017	Command: Command Execution	Monitor executed commands and arguments for actions that may attempt to get information about running processes on a system.
DS0009	Process: OS API Execution	Monitor for API calls may attempt to get information about running processes on a system.
DS0009	Process: Process Creation	Monitor for newly executed processes that may attempt to get information about running processes on a system. To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment. Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically. Within the built-in Windows Commands: hostname ipconfig net quser qwinsta sc with flags query, queryex, qc systeminfo tasklist dsquery whoami Note: To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment. Analytic 1 - Host Discovery Commands (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (Image="C:\Windows\\hostname.exe" OR Image="C:\Windows\\ipconfig.exe" OR Image="C:\Windows\\net.exe" OR Image="C:\Windows\\quser.exe" OR Image="C:\Windows\\qwinsta.exe" OR (Image="C:\Windows\\sc.exe" AND (CommandLine="* query " OR CommandLine=" qc ")) OR Image="C:\Windows\\systeminfo.exe" OR Image="C:\Windows\\tasklist.exe" OR Image="C:\Windows\\whoami.exe")\|stats values(Image) as "Images" values(CommandLine) as "Command Lines" by ComputerName