Which SIEM platforms have a T1057 detection rule?

df00tech provides T1057 (Process Discovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Process Discovery (T1057)?

Detecting Process Discovery requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1057 detection?

The T1057 detection is rated low severity with medium confidence.

What are common false positives for T1057?

Common false positives for T1057 include: IT administrators running tasklist or wmic process get for inventory, troubleshooting, or performance monitoring; Endpoint Detection and Response (EDR) agents, antivirus software, and monitoring tools (Datadog, SolarWinds, Nagios) that periodically enumerate processes as part of their normal operation; Software installers and update mechanisms that check for conflicting processes before installation or during version upgrades.

T1057

Process Discovery

Discovery Last updated: April 16, 2026

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software and applications running on systems within the network. In Windows environments, adversaries use tools such as tasklist.exe, wmic process, and PowerShell Get-Process to enumerate running processes. On Linux and macOS, the ps command and /proc filesystem are used. ESXi supports ps and esxcli system process list. This technique is frequently used during post-exploitation to identify security tools, determine if analysis environments (sandboxes, AV) are present, find target processes for injection, and shape follow-on actions. Threat actors including Volt Typhoon, Turla, and numerous RAT families (WarzoneRAT, FELIXROOT) perform process discovery as a standard reconnaissance step.

What is T1057 Process Discovery?

Process Discovery (T1057) maps to the Discovery tactic — the adversary is trying to figure out your environment in MITRE ATT&CK.

This page provides production-ready detection logic for Process Discovery, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated low severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Discovery
Technique: T1057 Process Discovery
Canonical reference: https://attack.mitre.org/techniques/T1057/

Microsoft Sentinel / Defender

kusto

let ProcessDiscoveryTools = dynamic(["tasklist.exe", "pslist.exe", "proclist.exe", "tlist.exe"]);
let WmicProcessPatterns = dynamic(["process get", "process list", "process where", "win32_process"]);
let SuspiciousParents = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe", "installutil.exe",
  "certutil.exe", "bitsadmin.exe", "wmic.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    FileName in~ (ProcessDiscoveryTools)
    or (FileName =~ "wmic.exe" and ProcessCommandLine has_any (WmicProcessPatterns))
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-Process", "get-process", "ps ", "gps ", "Get-WmiObject Win32_Process", "Get-CimInstance Win32_Process", "[System.Diagnostics.Process]::GetProcesses"))
    or (FileName =~ "ps" and InitiatingProcessFileName has_any ("bash", "sh", "zsh", "python", "python3", "perl", "ruby"))
)
| extend IsKnownBadParent = InitiatingProcessFileName has_any (SuspiciousParents)
| extend IsPowerShellDiscovery = FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-Process", "Get-WmiObject Win32_Process", "Get-CimInstance Win32_Process")
| extend IsWmicDiscovery = FileName =~ "wmic.exe" and ProcessCommandLine has_any (WmicProcessPatterns)
| extend IsTasklistExec = FileName in~ (ProcessDiscoveryTools)
| extend HasVerboseFlag = ProcessCommandLine has_any ("/v", "/fo", "/svc", "ExecutablePath", "CommandLine")
| project
    Timestamp, DeviceName, AccountName, AccountDomain,
    FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    InitiatingProcessParentFileName,
    IsKnownBadParent, IsPowerShellDiscovery, IsWmicDiscovery, IsTasklistExec, HasVerboseFlag
| sort by Timestamp desc

Detects process discovery activity using Microsoft Defender for Endpoint DeviceProcessEvents. Monitors for execution of tasklist.exe, wmic.exe with Win32_Process queries, PowerShell Get-Process/Get-WmiObject/Get-CimInstance cmdlets, and process enumeration launched from suspicious parent processes. Flags additional context indicators including verbose output flags (/v, /svc, ExecutablePath) that suggest adversaries seeking detailed process information for security tool detection or injection target selection.

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT administrators running tasklist or wmic process get for inventory, troubleshooting, or performance monitoring
Endpoint Detection and Response (EDR) agents, antivirus software, and monitoring tools (Datadog, SolarWinds, Nagios) that periodically enumerate processes as part of their normal operation
Software installers and update mechanisms that check for conflicting processes before installation or during version upgrades
Help desk and remote support tools (TeamViewer, ConnectWise, SolarWinds N-central) that use tasklist or WMI to display running applications to remote support agents
Developer tools, IDEs (Visual Studio, JetBrains), and build pipelines that enumerate processes as part of debugging, profiling, or test orchestration
Vulnerability scanners and asset management platforms running authenticated scans against endpoints

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
| eval Image=lower(Image), CommandLine=lower(CommandLine), ParentImage=lower(ParentImage)
| eval IsTasklist=if(match(Image, "\\\\tasklist\.exe$"), 1, 0)
| eval IsWmicProcess=if(match(Image, "\\\\wmic\.exe$") AND match(CommandLine, "(process\s+get|process\s+list|process\s+where|win32_process)"), 1, 0)
| eval IsPSGetProcess=if((match(Image, "\\\\powershell\.exe$") OR match(Image, "\\\\pwsh\.exe$")) AND match(CommandLine, "(get-process|get-wmiobject\s+win32_process|get-ciminstance\s+win32_process|\[system\.diagnostics\.process\]::getprocesses|gps\s)"), 1, 0)
| eval IsProcessDiscovery=IsTasklist + IsWmicProcess + IsPSGetProcess
| where IsProcessDiscovery > 0
| eval SuspiciousParent=if(match(ParentImage, "(wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msbuild\.exe|installutil\.exe|certutil\.exe|bitsadmin\.exe)"), 1, 0)
| eval VerboseEnum=if(match(CommandLine, "(/v\b|/fo|/svc|executablepath|commandline|caption,executablepath)"), 1, 0)
| eval RiskScore=IsProcessDiscovery + SuspiciousParent + VerboseEnum
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsTasklist, IsWmicProcess, IsPSGetProcess, SuspiciousParent, VerboseEnum, RiskScore
| sort - _time

Detects process discovery activity using Sysmon Event ID 1 (Process Creation). Identifies tasklist.exe execution, wmic.exe with Win32_Process queries, and PowerShell Get-Process/Get-WmiObject invocations. Assigns a cumulative risk score based on discovery method, suspicious parent process, and verbose enumeration flags. Events spawned from scripting hosts (wscript.exe, mshta.exe) or LOLBins receive elevated risk scores, helping analysts prioritize post-exploitation activity over routine administrative use.

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT administrators running tasklist or wmic process get for inventory, troubleshooting, or performance monitoring
Endpoint Detection and Response (EDR) agents, antivirus software, and monitoring tools that periodically enumerate processes as part of their normal operation
Software installers and update mechanisms that check for conflicting processes before installation
Help desk and remote support tools that use tasklist or WMI to display running applications
Developer tools, IDEs, and build pipelines that enumerate processes during debugging or profiling
Vulnerability scanners and asset management platforms running authenticated scans

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  sourceip AS HostIP,
  username AS UserName,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  "Parent Process Name" AS ParentProcessName,
  CASE
    WHEN LOWER("Process Name") LIKE '%tasklist.exe%' THEN 1
    WHEN LOWER("Process Name") LIKE '%pslist.exe%' THEN 1
    WHEN LOWER("Process Name") LIKE '%proclist.exe%' THEN 1
    WHEN LOWER("Process Name") LIKE '%tlist.exe%' THEN 1
    ELSE 0
  END AS IsTasklist,
  CASE
    WHEN LOWER("Process Name") LIKE '%wmic.exe%'
      AND (LOWER("Command") LIKE '%process get%'
        OR LOWER("Command") LIKE '%process list%'
        OR LOWER("Command") LIKE '%process where%'
        OR LOWER("Command") LIKE '%win32_process%')
    THEN 1 ELSE 0
  END AS IsWmicProcess,
  CASE
    WHEN (LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%')
      AND (LOWER("Command") LIKE '%get-process%'
        OR LOWER("Command") LIKE '%get-wmiobject%win32_process%'
        OR LOWER("Command") LIKE '%get-ciminstance%win32_process%'
        OR LOWER("Command") LIKE '%[system.diagnostics.process]::getprocesses%'
        OR LOWER("Command") LIKE '%gps %')
    THEN 1 ELSE 0
  END AS IsPSGetProcess,
  CASE
    WHEN LOWER("Parent Process Name") LIKE '%wscript.exe%'
      OR LOWER("Parent Process Name") LIKE '%cscript.exe%'
      OR LOWER("Parent Process Name") LIKE '%mshta.exe%'
      OR LOWER("Parent Process Name") LIKE '%rundll32.exe%'
      OR LOWER("Parent Process Name") LIKE '%regsvr32.exe%'
      OR LOWER("Parent Process Name") LIKE '%certutil.exe%'
      OR LOWER("Parent Process Name") LIKE '%bitsadmin.exe%'
    THEN 1 ELSE 0
  END AS SuspiciousParent
FROM events
WHERE
  (QIDNAME(qid) LIKE '%Process%Create%' OR eventid = 4688 OR eventid = 1)
  AND (
    LOWER("Process Name") LIKE '%tasklist.exe%'
    OR LOWER("Process Name") LIKE '%pslist.exe%'
    OR LOWER("Process Name") LIKE '%proclist.exe%'
    OR LOWER("Process Name") LIKE '%tlist.exe%'
    OR (
      LOWER("Process Name") LIKE '%wmic.exe%'
      AND (LOWER("Command") LIKE '%process get%'
        OR LOWER("Command") LIKE '%process list%'
        OR LOWER("Command") LIKE '%process where%'
        OR LOWER("Command") LIKE '%win32_process%')
    )
    OR (
      (LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%')
      AND (LOWER("Command") LIKE '%get-process%'
        OR LOWER("Command") LIKE '%get-wmiobject%win32_process%'
        OR LOWER("Command") LIKE '%get-ciminstance%win32_process%'
        OR LOWER("Command") LIKE '%[system.diagnostics.process]::getprocesses%')
    )
  )
  AND LAST 24 HOURS
ORDER BY starttime DESC

Detects T1057 Process Discovery in IBM QRadar AQL by querying process creation events (Windows Event ID 4688 and Sysmon Event ID 1) for tasklist.exe, pslist.exe, wmic process enumeration, and PowerShell Get-Process/Win32_Process queries. Calculates per-row flags for process type, suspicious parent, and enriches with log source metadata.

medium severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log (WinEventLog) Sysmon via Windows DSM Microsoft Windows Security Event Log DSM

Required Tables

events (QRadar normalized event store)

False Positives

Enterprise monitoring agents such as SCOM, Nagios NRPE, or Zabbix agents that enumerate processes for health checks
Software deployment tools (SCCM, Ansible, Chef) that invoke wmic or tasklist to verify installation state
Help desk remote support sessions where analysts use tasklist.exe or PowerShell Get-Process to triage user-reported issues

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where (%"EventCode"="1" OR %"EventID"="1" OR %"EventCode"="4688")
| eval ImageLower = toLowerCase(Image)
| eval CommandLineLower = toLowerCase(CommandLine)
| eval ParentImageLower = toLowerCase(ParentImage)
| eval IsTasklist = if(ImageLower matches "*\\tasklist.exe" OR ImageLower matches "*\\pslist.exe" OR ImageLower matches "*\\proclist.exe" OR ImageLower matches "*\\tlist.exe", 1, 0)
| eval IsWmicProcess = if(ImageLower matches "*\\wmic.exe" AND (CommandLineLower matches "*process get*" OR CommandLineLower matches "*process list*" OR CommandLineLower matches "*process where*" OR CommandLineLower matches "*win32_process*"), 1, 0)
| eval IsPSGetProcess = if((ImageLower matches "*\\powershell.exe" OR ImageLower matches "*\\pwsh.exe") AND (CommandLineLower matches "*get-process*" OR CommandLineLower matches "*get-wmiobject*win32_process*" OR CommandLineLower matches "*get-ciminstance*win32_process*" OR CommandLineLower matches "*[system.diagnostics.process]::getprocesses*" OR CommandLineLower matches "*gps *"), 1, 0)
| eval IsProcessDiscovery = IsTasklist + IsWmicProcess + IsPSGetProcess
| where IsProcessDiscovery > 0
| eval SuspiciousParent = if(ParentImageLower matches "*(wscript.exe|cscript.exe|mshta.exe|rundll32.exe|regsvr32.exe|msbuild.exe|installutil.exe|certutil.exe|bitsadmin.exe)*", 1, 0)
| eval VerboseEnum = if(CommandLineLower matches "*(/v |/fo |/svc |executablepath|commandline|caption,executablepath)*", 1, 0)
| eval RiskScore = IsProcessDiscovery + SuspiciousParent + VerboseEnum
| fields _time, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, IsTasklist, IsWmicProcess, IsPSGetProcess, SuspiciousParent, VerboseEnum, RiskScore
| sort by _time desc

Detects T1057 Process Discovery in Sumo Logic by parsing Windows Sysmon (Event ID 1) or Security (Event ID 4688) process creation logs. Evaluates process names and command lines for tasklist.exe, wmic process enumeration, and PowerShell Get-Process patterns. Computes a composite risk score based on discovery type, suspicious parent process, and verbose enumeration flags.

medium severity high confidence

Data Sources

Sumo Logic Cloud SIEM Sumo Logic Installed Collector (Windows) Sysmon for Windows Windows Security Event Log

Required Tables

_sourceCategory=*windows*sysmon* _sourceCategory=*windows*security*

False Positives

Automated patch management solutions that run tasklist.exe pre/post-patch to confirm process states
Security operations teams running ad-hoc PowerShell Get-Process commands during incident triage
Application performance monitoring agents using wmic or PowerShell to collect process metrics for dashboards

Google Chronicle / SecOps

yaral

rule t1057_process_discovery {
  meta:
    author = "Detection Engineering"
    description = "Detects T1057 Process Discovery via tasklist, wmic process enumeration, PowerShell Get-Process, and ps spawned from scripting interpreters"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1057"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1057/"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    (
      re.regex($e.target.process.file.full_path, `(?i)(tasklist\.exe|pslist\.exe|proclist\.exe|tlist\.exe)$`)
      or (
        re.regex($e.target.process.file.full_path, `(?i)wmic\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(process\s+get|process\s+list|process\s+where|win32_process)`)
      )
      or (
        re.regex($e.target.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe)$`)
        and re.regex($e.target.process.command_line, `(?i)(get-process|get-wmiobject\s+win32_process|get-ciminstance\s+win32_process|\[system\.diagnostics\.process\]::getprocesses|gps\s)`)
      )
      or (
        $e.target.process.file.full_path = "/usr/bin/ps"
        and re.regex($e.principal.process.file.full_path, `(?i)(bash|sh|zsh|python3?|perl|ruby)`)
      )
    )

  match:
    $hostname over 5m

  outcome:
    $risk_score = max(
      if(
        re.regex($e.principal.process.file.full_path,
          `(?i)(wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msbuild\.exe|installutil\.exe|certutil\.exe|bitsadmin\.exe)`
        ), 50, 10
      )
    )
    $suspicious_parent = max(
      if(
        re.regex($e.principal.process.file.full_path,
          `(?i)(wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msbuild\.exe|installutil\.exe|certutil\.exe|bitsadmin\.exe)`
        ), 1, 0
      )
    )
    $verbose_enum = max(
      if(
        re.regex($e.target.process.command_line, `(?i)(\/v\b|\/fo|\/svc|executablepath|commandline)`),
        1, 0
      )
    )
    $discovery_count = count_distinct($e.target.process.file.full_path)

  condition:
    $e
}

Google Chronicle YARA-L 2.0 rule detecting T1057 Process Discovery via tasklist.exe, pslist.exe, wmic process queries, PowerShell Get-Process/Get-WmiObject Win32_Process, and ps spawned from scripting language interpreters. Aggregates over 5-minute windows per host, computes risk score based on suspicious parent process, and tracks verbose enumeration flags using UDM event model.

medium severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) Windows Event Log ingested via Chronicle forwarder Sysmon via Chronicle Windows sensor CrowdStrike Falcon via Chronicle integration

Required Tables

UDM events (PROCESS_LAUNCH event type)

False Positives

IT asset management platforms performing scheduled process inventory collection across the enterprise
Vulnerability scanners that spawn PowerShell or wmic to enumerate running processes as part of authenticated scans
Container orchestration health probes or sidecar agents that regularly enumerate host processes for resource accounting

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| eval ImageLower = lower(ImageFileName)
| eval CommandLineLower = lower(CommandLine)
| eval ParentImageLower = lower(ParentBaseFileName)
| eval IsTasklist = if(
    match(field=ImageLower, regex="(tasklist|pslist|proclist|tlist)\\.exe$"),
    1, 0)
| eval IsWmicProcess = if(
    match(field=ImageLower, regex="wmic\\.exe$")
    AND match(field=CommandLineLower, regex="(process\\s+get|process\\s+list|process\\s+where|win32_process)"),
    1, 0)
| eval IsPSGetProcess = if(
    match(field=ImageLower, regex="(powershell|pwsh)\\.exe$")
    AND match(field=CommandLineLower, regex="(get-process|get-wmiobject.+win32_process|get-ciminstance.+win32_process|\\[system\\.diagnostics\\.process\\]::getprocesses|gps\\s)"),
    1, 0)
| eval IsProcessDiscovery = IsTasklist + IsWmicProcess + IsPSGetProcess
| where IsProcessDiscovery > 0
| eval IsSuspiciousParent = if(
    match(field=ParentImageLower, regex="(wscript|cscript|mshta|rundll32|regsvr32|msbuild|installutil|certutil|bitsadmin)\\.exe"),
    1, 0)
| eval IsVerboseEnum = if(
    match(field=CommandLineLower, regex="(\\/v\\b|\\/fo|\\/svc|executablepath|commandline)"),
    1, 0)
| eval RiskScore = IsTasklist + IsWmicProcess + IsPSGetProcess + IsSuspiciousParent + IsVerboseEnum
| table
    @timestamp,
    ComputerName,
    UserName,
    ImageFileName,
    CommandLine,
    ParentBaseFileName,
    ParentCommandLine,
    IsTasklist,
    IsWmicProcess,
    IsPSGetProcess,
    IsSuspiciousParent,
    IsVerboseEnum,
    RiskScore
| sort type=string asc @timestamp

CrowdStrike Falcon LogScale (CQL) detection for T1057 Process Discovery using ProcessRollup2 events from the Falcon sensor. Evaluates ImageFileName and CommandLine for tasklist.exe, pslist.exe, wmic process enumeration, and PowerShell Get-Process/Get-WmiObject Win32_Process patterns. Enriches results with suspicious parent process and verbose enumeration flags and calculates a composite risk score.

medium severity high confidence

Data Sources

CrowdStrike Falcon Platform CrowdStrike Falcon LogScale (Humio) Falcon sensor ProcessRollup2 events

Required Tables

ProcessRollup2 (Falcon event stream)

False Positives

CrowdStrike Falcon RTR (Real Time Response) sessions where analysts run tasklist or PowerShell Get-Process during active investigations
Enterprise endpoint management tools (Tanium, BigFix) that execute wmic or PowerShell process queries for compliance reporting
Developer workstations running PowerShell scripts that include Get-Process to check for conflicting services before builds or deployments

Sigma rule & cross-platform mapping

The detection logic for Process Discovery (T1057) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1057 Sigma rules on detection.fyi

Platform-specific guides for T1057

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-16 Research depth: deep

References (9)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Tasklist Verbose Process Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=tasklist.exe, CommandLine='tasklist /v /fo csv'. Security Event ID 4688 (if command line auditing enabled). Sysmon Event ID 11: File Create for %TEMP%\proc_list.csv. Parent process will be cmd.exe or the shell running the test.
Test 2WMIC Process Discovery with Executable Path
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'process get' and 'ExecutablePath'. WMI-Activity/Operational Event ID 5857/5861 for WMI query execution. Sysmon Event ID 11: File Create for %TEMP%\wmic_proc.csv.
Test 3PowerShell Process Enumeration via Get-Process
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Process'. PowerShell ScriptBlock Log Event ID 4104 with full script content. Sysmon Event ID 11: File Create for the CSV output.
Test 4Process Discovery via WMI CIM Instance (PowerShell)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-CimInstance Win32_Process'. PowerShell ScriptBlock Log Event ID 4104 showing the full query including security product name filter. WMI-Activity/Operational logs for CIM query execution.
Test 5Linux Process Enumeration via ps with Full Detail
Expected signal: Auditd execve records (if configured with EXECVE audit rules): syscall=execve with argv containing 'ps', 'aux'. Linux syslog/auth.log may capture activity if PAM logging is enabled. On macOS, Unified Log entries with process=ps. Parent process will be the shell (bash/sh/zsh) used to run the test.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1057 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Process Discovery

What is T1057 Process Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1057

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

What is T1057 Process Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1057

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox