T1057 Google Chronicle · YARA-L

Detect Process Discovery in Google Chronicle

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software and applications running on systems within the network. In Windows environments, adversaries use tools such as tasklist.exe, wmic process, and PowerShell Get-Process to enumerate running processes. On Linux and macOS, the ps command and /proc filesystem are used. ESXi supports ps and esxcli system process list. This technique is frequently used during post-exploitation to identify security tools, determine if analysis environments (sandboxes, AV) are present, find target processes for injection, and shape follow-on actions. Threat actors including Volt Typhoon, Turla, and numerous RAT families (WarzoneRAT, FELIXROOT) perform process discovery as a standard reconnaissance step.

MITRE ATT&CK

Tactic
Discovery
Technique
T1057 Process Discovery
Canonical reference
https://attack.mitre.org/techniques/T1057/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1057_process_discovery {
  meta:
    author = "Detection Engineering"
    description = "Detects T1057 Process Discovery via tasklist, wmic process enumeration, PowerShell Get-Process, and ps spawned from scripting interpreters"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1057"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1057/"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    (
      re.regex($e.target.process.file.full_path, `(?i)(tasklist\.exe|pslist\.exe|proclist\.exe|tlist\.exe)$`)
      or (
        re.regex($e.target.process.file.full_path, `(?i)wmic\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(process\s+get|process\s+list|process\s+where|win32_process)`)
      )
      or (
        re.regex($e.target.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe)$`)
        and re.regex($e.target.process.command_line, `(?i)(get-process|get-wmiobject\s+win32_process|get-ciminstance\s+win32_process|\[system\.diagnostics\.process\]::getprocesses|gps\s)`)
      )
      or (
        $e.target.process.file.full_path = "/usr/bin/ps"
        and re.regex($e.principal.process.file.full_path, `(?i)(bash|sh|zsh|python3?|perl|ruby)`)
      )
    )

  match:
    $hostname over 5m

  outcome:
    $risk_score = max(
      if(
        re.regex($e.principal.process.file.full_path,
          `(?i)(wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msbuild\.exe|installutil\.exe|certutil\.exe|bitsadmin\.exe)`
        ), 50, 10
      )
    )
    $suspicious_parent = max(
      if(
        re.regex($e.principal.process.file.full_path,
          `(?i)(wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msbuild\.exe|installutil\.exe|certutil\.exe|bitsadmin\.exe)`
        ), 1, 0
      )
    )
    $verbose_enum = max(
      if(
        re.regex($e.target.process.command_line, `(?i)(\/v\b|\/fo|\/svc|executablepath|commandline)`),
        1, 0
      )
    )
    $discovery_count = count_distinct($e.target.process.file.full_path)

  condition:
    $e
}
medium severity high confidence

Google Chronicle YARA-L 2.0 rule detecting T1057 Process Discovery via tasklist.exe, pslist.exe, wmic process queries, PowerShell Get-Process/Get-WmiObject Win32_Process, and ps spawned from scripting language interpreters. Aggregates over 5-minute windows per host, computes risk score based on suspicious parent process, and tracks verbose enumeration flags using UDM event model.

Data Sources

Google Chronicle SIEMChronicle Unified Data Model (UDM)Windows Event Log ingested via Chronicle forwarderSysmon via Chronicle Windows sensorCrowdStrike Falcon via Chronicle integration

Required Tables

UDM events (PROCESS_LAUNCH event type)

False Positives & Tuning

  • IT asset management platforms performing scheduled process inventory collection across the enterprise
  • Vulnerability scanners that spawn PowerShell or wmic to enumerate running processes as part of authenticated scans
  • Container orchestration health probes or sidecar agents that regularly enumerate host processes for resource accounting
Download portable Sigma rule (.yml)

Other platforms for T1057

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Tasklist Verbose Process Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=tasklist.exe, CommandLine='tasklist /v /fo csv'. Security Event ID 4688 (if command line auditing enabled). Sysmon Event ID 11: File Create for %TEMP%\proc_list.csv. Parent process will be cmd.exe or the shell running the test.

  2. Test 2WMIC Process Discovery with Executable Path

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'process get' and 'ExecutablePath'. WMI-Activity/Operational Event ID 5857/5861 for WMI query execution. Sysmon Event ID 11: File Create for %TEMP%\wmic_proc.csv.

  3. Test 3PowerShell Process Enumeration via Get-Process

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Process'. PowerShell ScriptBlock Log Event ID 4104 with full script content. Sysmon Event ID 11: File Create for the CSV output.

  4. Test 4Process Discovery via WMI CIM Instance (PowerShell)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-CimInstance Win32_Process'. PowerShell ScriptBlock Log Event ID 4104 showing the full query including security product name filter. WMI-Activity/Operational logs for CIM query execution.

  5. Test 5Linux Process Enumeration via ps with Full Detail

    Expected signal: Auditd execve records (if configured with EXECVE audit rules): syscall=execve with argv containing 'ps', 'aux'. Linux syslog/auth.log may capture activity if PAM logging is enabled. On macOS, Unified Log entries with process=ps. Parent process will be the shell (bash/sh/zsh) used to run the test.

Last updated: 2026-04-16 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1057 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1033System Owner/User DiscoveryT1007System Service DiscoveryT1082System Information DiscoveryT1016System Network Configuration DiscoveryT1083File and Directory DiscoveryT1069Permission Groups DiscoveryT1106Native APIT1055Process InjectionT1562.001Disable or Modify ToolsT1059.001PowerShell

Same Tactic: Discovery

Popular Detections