T1057

Process Discovery

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software and applications running on systems within the network. In Windows environments, adversaries use tools such as tasklist.exe, wmic process, and PowerShell Get-Process to enumerate running processes. On Linux and macOS, the ps command and /proc filesystem are used. ESXi supports ps and esxcli system process list. This technique is frequently used during post-exploitation to identify security tools, determine if analysis environments (sandboxes, AV) are present, find target processes for injection, and shape follow-on actions. Threat actors including Volt Typhoon, Turla, and numerous RAT families (WarzoneRAT, FELIXROOT) perform process discovery as a standard reconnaissance step.

Microsoft Sentinel / Defender

kusto

let ProcessDiscoveryTools = dynamic(["tasklist.exe", "pslist.exe", "proclist.exe", "tlist.exe"]);
let WmicProcessPatterns = dynamic(["process get", "process list", "process where", "win32_process"]);
let SuspiciousParents = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe", "installutil.exe",
  "certutil.exe", "bitsadmin.exe", "wmic.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    FileName in~ (ProcessDiscoveryTools)
    or (FileName =~ "wmic.exe" and ProcessCommandLine has_any (WmicProcessPatterns))
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-Process", "get-process", "ps ", "gps ", "Get-WmiObject Win32_Process", "Get-CimInstance Win32_Process", "[System.Diagnostics.Process]::GetProcesses"))
    or (FileName =~ "ps" and InitiatingProcessFileName has_any ("bash", "sh", "zsh", "python", "python3", "perl", "ruby"))
)
| extend IsKnownBadParent = InitiatingProcessFileName has_any (SuspiciousParents)
| extend IsPowerShellDiscovery = FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-Process", "Get-WmiObject Win32_Process", "Get-CimInstance Win32_Process")
| extend IsWmicDiscovery = FileName =~ "wmic.exe" and ProcessCommandLine has_any (WmicProcessPatterns)
| extend IsTasklistExec = FileName in~ (ProcessDiscoveryTools)
| extend HasVerboseFlag = ProcessCommandLine has_any ("/v", "/fo", "/svc", "ExecutablePath", "CommandLine")
| project
    Timestamp, DeviceName, AccountName, AccountDomain,
    FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    InitiatingProcessParentFileName,
    IsKnownBadParent, IsPowerShellDiscovery, IsWmicDiscovery, IsTasklistExec, HasVerboseFlag
| sort by Timestamp desc

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT administrators running tasklist or wmic process get for inventory, troubleshooting, or performance monitoring
Endpoint Detection and Response (EDR) agents, antivirus software, and monitoring tools (Datadog, SolarWinds, Nagios) that periodically enumerate processes as part of their normal operation
Software installers and update mechanisms that check for conflicting processes before installation or during version upgrades
Help desk and remote support tools (TeamViewer, ConnectWise, SolarWinds N-central) that use tasklist or WMI to display running applications to remote support agents
Developer tools, IDEs (Visual Studio, JetBrains), and build pipelines that enumerate processes as part of debugging, profiling, or test orchestration
Vulnerability scanners and asset management platforms running authenticated scans against endpoints

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
| eval Image=lower(Image), CommandLine=lower(CommandLine), ParentImage=lower(ParentImage)
| eval IsTasklist=if(match(Image, "\\\\tasklist\.exe$"), 1, 0)
| eval IsWmicProcess=if(match(Image, "\\\\wmic\.exe$") AND match(CommandLine, "(process\s+get|process\s+list|process\s+where|win32_process)"), 1, 0)
| eval IsPSGetProcess=if((match(Image, "\\\\powershell\.exe$") OR match(Image, "\\\\pwsh\.exe$")) AND match(CommandLine, "(get-process|get-wmiobject\s+win32_process|get-ciminstance\s+win32_process|\[system\.diagnostics\.process\]::getprocesses|gps\s)"), 1, 0)
| eval IsProcessDiscovery=IsTasklist + IsWmicProcess + IsPSGetProcess
| where IsProcessDiscovery > 0
| eval SuspiciousParent=if(match(ParentImage, "(wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msbuild\.exe|installutil\.exe|certutil\.exe|bitsadmin\.exe)"), 1, 0)
| eval VerboseEnum=if(match(CommandLine, "(/v\b|/fo|/svc|executablepath|commandline|caption,executablepath)"), 1, 0)
| eval RiskScore=IsProcessDiscovery + SuspiciousParent + VerboseEnum
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsTasklist, IsWmicProcess, IsPSGetProcess, SuspiciousParent, VerboseEnum, RiskScore
| sort - _time

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT administrators running tasklist or wmic process get for inventory, troubleshooting, or performance monitoring
Endpoint Detection and Response (EDR) agents, antivirus software, and monitoring tools that periodically enumerate processes as part of their normal operation
Software installers and update mechanisms that check for conflicting processes before installation
Help desk and remote support tools that use tasklist or WMI to display running applications
Developer tools, IDEs, and build pipelines that enumerate processes during debugging or profiling
Vulnerability scanners and asset management platforms running authenticated scans

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  sourceip AS HostIP,
  username AS UserName,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  "Parent Process Name" AS ParentProcessName,
  CASE
    WHEN LOWER("Process Name") LIKE '%tasklist.exe%' THEN 1
    WHEN LOWER("Process Name") LIKE '%pslist.exe%' THEN 1
    WHEN LOWER("Process Name") LIKE '%proclist.exe%' THEN 1
    WHEN LOWER("Process Name") LIKE '%tlist.exe%' THEN 1
    ELSE 0
  END AS IsTasklist,
  CASE
    WHEN LOWER("Process Name") LIKE '%wmic.exe%'
      AND (LOWER("Command") LIKE '%process get%'
        OR LOWER("Command") LIKE '%process list%'
        OR LOWER("Command") LIKE '%process where%'
        OR LOWER("Command") LIKE '%win32_process%')
    THEN 1 ELSE 0
  END AS IsWmicProcess,
  CASE
    WHEN (LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%')
      AND (LOWER("Command") LIKE '%get-process%'
        OR LOWER("Command") LIKE '%get-wmiobject%win32_process%'
        OR LOWER("Command") LIKE '%get-ciminstance%win32_process%'
        OR LOWER("Command") LIKE '%[system.diagnostics.process]::getprocesses%'
        OR LOWER("Command") LIKE '%gps %')
    THEN 1 ELSE 0
  END AS IsPSGetProcess,
  CASE
    WHEN LOWER("Parent Process Name") LIKE '%wscript.exe%'
      OR LOWER("Parent Process Name") LIKE '%cscript.exe%'
      OR LOWER("Parent Process Name") LIKE '%mshta.exe%'
      OR LOWER("Parent Process Name") LIKE '%rundll32.exe%'
      OR LOWER("Parent Process Name") LIKE '%regsvr32.exe%'
      OR LOWER("Parent Process Name") LIKE '%certutil.exe%'
      OR LOWER("Parent Process Name") LIKE '%bitsadmin.exe%'
    THEN 1 ELSE 0
  END AS SuspiciousParent
FROM events
WHERE
  (QIDNAME(qid) LIKE '%Process%Create%' OR eventid = 4688 OR eventid = 1)
  AND (
    LOWER("Process Name") LIKE '%tasklist.exe%'
    OR LOWER("Process Name") LIKE '%pslist.exe%'
    OR LOWER("Process Name") LIKE '%proclist.exe%'
    OR LOWER("Process Name") LIKE '%tlist.exe%'
    OR (
      LOWER("Process Name") LIKE '%wmic.exe%'
      AND (LOWER("Command") LIKE '%process get%'
        OR LOWER("Command") LIKE '%process list%'
        OR LOWER("Command") LIKE '%process where%'
        OR LOWER("Command") LIKE '%win32_process%')
    )
    OR (
      (LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%')
      AND (LOWER("Command") LIKE '%get-process%'
        OR LOWER("Command") LIKE '%get-wmiobject%win32_process%'
        OR LOWER("Command") LIKE '%get-ciminstance%win32_process%'
        OR LOWER("Command") LIKE '%[system.diagnostics.process]::getprocesses%')
    )
  )
  AND LAST 24 HOURS
ORDER BY starttime DESC

medium severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log (WinEventLog) Sysmon via Windows DSM Microsoft Windows Security Event Log DSM

Required Tables

events (QRadar normalized event store)

False Positives

Enterprise monitoring agents such as SCOM, Nagios NRPE, or Zabbix agents that enumerate processes for health checks
Software deployment tools (SCCM, Ansible, Chef) that invoke wmic or tasklist to verify installation state
Help desk remote support sessions where analysts use tasklist.exe or PowerShell Get-Process to triage user-reported issues

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where (%"EventCode"="1" OR %"EventID"="1" OR %"EventCode"="4688")
| eval ImageLower = toLowerCase(Image)
| eval CommandLineLower = toLowerCase(CommandLine)
| eval ParentImageLower = toLowerCase(ParentImage)
| eval IsTasklist = if(ImageLower matches "*\\tasklist.exe" OR ImageLower matches "*\\pslist.exe" OR ImageLower matches "*\\proclist.exe" OR ImageLower matches "*\\tlist.exe", 1, 0)
| eval IsWmicProcess = if(ImageLower matches "*\\wmic.exe" AND (CommandLineLower matches "*process get*" OR CommandLineLower matches "*process list*" OR CommandLineLower matches "*process where*" OR CommandLineLower matches "*win32_process*"), 1, 0)
| eval IsPSGetProcess = if((ImageLower matches "*\\powershell.exe" OR ImageLower matches "*\\pwsh.exe") AND (CommandLineLower matches "*get-process*" OR CommandLineLower matches "*get-wmiobject*win32_process*" OR CommandLineLower matches "*get-ciminstance*win32_process*" OR CommandLineLower matches "*[system.diagnostics.process]::getprocesses*" OR CommandLineLower matches "*gps *"), 1, 0)
| eval IsProcessDiscovery = IsTasklist + IsWmicProcess + IsPSGetProcess
| where IsProcessDiscovery > 0
| eval SuspiciousParent = if(ParentImageLower matches "*(wscript.exe|cscript.exe|mshta.exe|rundll32.exe|regsvr32.exe|msbuild.exe|installutil.exe|certutil.exe|bitsadmin.exe)*", 1, 0)
| eval VerboseEnum = if(CommandLineLower matches "*(/v |/fo |/svc |executablepath|commandline|caption,executablepath)*", 1, 0)
| eval RiskScore = IsProcessDiscovery + SuspiciousParent + VerboseEnum
| fields _time, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, IsTasklist, IsWmicProcess, IsPSGetProcess, SuspiciousParent, VerboseEnum, RiskScore
| sort by _time desc

medium severity high confidence

Data Sources

Sumo Logic Cloud SIEM Sumo Logic Installed Collector (Windows) Sysmon for Windows Windows Security Event Log

Required Tables

_sourceCategory=*windows*sysmon* _sourceCategory=*windows*security*

False Positives

Automated patch management solutions that run tasklist.exe pre/post-patch to confirm process states
Security operations teams running ad-hoc PowerShell Get-Process commands during incident triage
Application performance monitoring agents using wmic or PowerShell to collect process metrics for dashboards

Google Chronicle / SecOps

yaral

rule t1057_process_discovery {
  meta:
    author = "Detection Engineering"
    description = "Detects T1057 Process Discovery via tasklist, wmic process enumeration, PowerShell Get-Process, and ps spawned from scripting interpreters"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1057"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1057/"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    (
      re.regex($e.target.process.file.full_path, `(?i)(tasklist\.exe|pslist\.exe|proclist\.exe|tlist\.exe)$`)
      or (
        re.regex($e.target.process.file.full_path, `(?i)wmic\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(process\s+get|process\s+list|process\s+where|win32_process)`)
      )
      or (
        re.regex($e.target.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe)$`)
        and re.regex($e.target.process.command_line, `(?i)(get-process|get-wmiobject\s+win32_process|get-ciminstance\s+win32_process|\[system\.diagnostics\.process\]::getprocesses|gps\s)`)
      )
      or (
        $e.target.process.file.full_path = "/usr/bin/ps"
        and re.regex($e.principal.process.file.full_path, `(?i)(bash|sh|zsh|python3?|perl|ruby)`)
      )
    )

  match:
    $hostname over 5m

  outcome:
    $risk_score = max(
      if(
        re.regex($e.principal.process.file.full_path,
          `(?i)(wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msbuild\.exe|installutil\.exe|certutil\.exe|bitsadmin\.exe)`
        ), 50, 10
      )
    )
    $suspicious_parent = max(
      if(
        re.regex($e.principal.process.file.full_path,
          `(?i)(wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msbuild\.exe|installutil\.exe|certutil\.exe|bitsadmin\.exe)`
        ), 1, 0
      )
    )
    $verbose_enum = max(
      if(
        re.regex($e.target.process.command_line, `(?i)(\/v\b|\/fo|\/svc|executablepath|commandline)`),
        1, 0
      )
    )
    $discovery_count = count_distinct($e.target.process.file.full_path)

  condition:
    $e
}

medium severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) Windows Event Log ingested via Chronicle forwarder Sysmon via Chronicle Windows sensor CrowdStrike Falcon via Chronicle integration

Required Tables

UDM events (PROCESS_LAUNCH event type)

False Positives

IT asset management platforms performing scheduled process inventory collection across the enterprise
Vulnerability scanners that spawn PowerShell or wmic to enumerate running processes as part of authenticated scans
Container orchestration health probes or sidecar agents that regularly enumerate host processes for resource accounting

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| eval ImageLower = lower(ImageFileName)
| eval CommandLineLower = lower(CommandLine)
| eval ParentImageLower = lower(ParentBaseFileName)
| eval IsTasklist = if(
    match(field=ImageLower, regex="(tasklist|pslist|proclist|tlist)\\.exe$"),
    1, 0)
| eval IsWmicProcess = if(
    match(field=ImageLower, regex="wmic\\.exe$")
    AND match(field=CommandLineLower, regex="(process\\s+get|process\\s+list|process\\s+where|win32_process)"),
    1, 0)
| eval IsPSGetProcess = if(
    match(field=ImageLower, regex="(powershell|pwsh)\\.exe$")
    AND match(field=CommandLineLower, regex="(get-process|get-wmiobject.+win32_process|get-ciminstance.+win32_process|\\[system\\.diagnostics\\.process\\]::getprocesses|gps\\s)"),
    1, 0)
| eval IsProcessDiscovery = IsTasklist + IsWmicProcess + IsPSGetProcess
| where IsProcessDiscovery > 0
| eval IsSuspiciousParent = if(
    match(field=ParentImageLower, regex="(wscript|cscript|mshta|rundll32|regsvr32|msbuild|installutil|certutil|bitsadmin)\\.exe"),
    1, 0)
| eval IsVerboseEnum = if(
    match(field=CommandLineLower, regex="(\\/v\\b|\\/fo|\\/svc|executablepath|commandline)"),
    1, 0)
| eval RiskScore = IsTasklist + IsWmicProcess + IsPSGetProcess + IsSuspiciousParent + IsVerboseEnum
| table
    @timestamp,
    ComputerName,
    UserName,
    ImageFileName,
    CommandLine,
    ParentBaseFileName,
    ParentCommandLine,
    IsTasklist,
    IsWmicProcess,
    IsPSGetProcess,
    IsSuspiciousParent,
    IsVerboseEnum,
    RiskScore
| sort type=string asc @timestamp

medium severity high confidence

Data Sources

CrowdStrike Falcon Platform CrowdStrike Falcon LogScale (Humio) Falcon sensor ProcessRollup2 events

Required Tables

ProcessRollup2 (Falcon event stream)

False Positives

CrowdStrike Falcon RTR (Real Time Response) sessions where analysts run tasklist or PowerShell Get-Process during active investigations
Enterprise endpoint management tools (Tanium, BigFix) that execute wmic or PowerShell process queries for compliance reporting
Developer workstations running PowerShell scripts that include Get-Process to check for conflicting services before builds or deployments

Last updated: 2026-04-16 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1057 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Process Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Discovery

Popular Detections