Detect Process Discovery in Elastic Security
Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software and applications running on systems within the network. In Windows environments, adversaries use tools such as tasklist.exe, wmic process, and PowerShell Get-Process to enumerate running processes. On Linux and macOS, the ps command and /proc filesystem are used. ESXi supports ps and esxcli system process list. This technique is frequently used during post-exploitation to identify security tools, determine if analysis environments (sandboxes, AV) are present, find target processes for injection, and shape follow-on actions. Threat actors including Volt Typhoon, Turla, and numerous RAT families (WarzoneRAT, FELIXROOT) perform process discovery as a standard reconnaissance step.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1057 Process Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1057/
Elastic Detection Query
process where event.type == "start" and (
process.name : ("tasklist.exe", "pslist.exe", "proclist.exe", "tlist.exe")
or (
process.name : "wmic.exe" and
process.command_line : ("*process get*", "*process list*", "*process where*", "*win32_process*")
)
or (
process.name : ("powershell.exe", "pwsh.exe") and
process.command_line : (
"*Get-Process*", "*get-process*", "*gps *",
"*Get-WmiObject*Win32_Process*", "*Get-CimInstance*Win32_Process*",
"*[System.Diagnostics.Process]::GetProcesses*"
)
)
or (
process.name == "ps" and
process.parent.name : ("bash", "sh", "zsh", "python", "python3", "perl", "ruby")
)
)
| eval suspicious_parent = process.parent.name : ("cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe", "installutil.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe")
| eval verbose_enum = process.command_line : ("*/v*", "*/fo*", "*/svc*", "*ExecutablePath*", "*CommandLine*")Detects T1057 Process Discovery via tasklist.exe, pslist.exe, wmic process enumeration, PowerShell Get-Process/Get-WmiObject Win32_Process, and ps invoked from scripting interpreters. Enriches with suspicious parent process and verbose enumeration flags using Elastic Common Schema (ECS) fields.
Data Sources
Required Tables
False Positives & Tuning
- IT administrators running scheduled inventory or patch management tools that invoke tasklist.exe or wmic process queries
- Security products (EDR, AV) that enumerate running processes as part of normal telemetry collection
- Legitimate PowerShell scripts in CI/CD pipelines or deployment automation using Get-Process to check service health
Other platforms for T1057
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Tasklist Verbose Process Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=tasklist.exe, CommandLine='tasklist /v /fo csv'. Security Event ID 4688 (if command line auditing enabled). Sysmon Event ID 11: File Create for %TEMP%\proc_list.csv. Parent process will be cmd.exe or the shell running the test.
- Test 2WMIC Process Discovery with Executable Path
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'process get' and 'ExecutablePath'. WMI-Activity/Operational Event ID 5857/5861 for WMI query execution. Sysmon Event ID 11: File Create for %TEMP%\wmic_proc.csv.
- Test 3PowerShell Process Enumeration via Get-Process
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Process'. PowerShell ScriptBlock Log Event ID 4104 with full script content. Sysmon Event ID 11: File Create for the CSV output.
- Test 4Process Discovery via WMI CIM Instance (PowerShell)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-CimInstance Win32_Process'. PowerShell ScriptBlock Log Event ID 4104 showing the full query including security product name filter. WMI-Activity/Operational logs for CIM query execution.
- Test 5Linux Process Enumeration via ps with Full Detail
Expected signal: Auditd execve records (if configured with EXECVE audit rules): syscall=execve with argv containing 'ps', 'aux'. Linux syslog/auth.log may capture activity if PAM logging is enabled. On macOS, Unified Log entries with process=ps. Parent process will be the shell (bash/sh/zsh) used to run the test.
References (10)
- https://attack.mitre.org/techniques/T1057/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/tasklist
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
- https://secureworks.com/research/bronze-silhouette
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_tasklist_discovery.yml
- https://www.kaspersky.com/about/press-releases/2014_the-epic-turla-operation
- https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
- https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
Unlock Pro Content
Get the full detection package for T1057 including response playbook, investigation guide, and atomic red team tests.