Detect Process Discovery in CrowdStrike LogScale
Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software and applications running on systems within the network. In Windows environments, adversaries use tools such as tasklist.exe, wmic process, and PowerShell Get-Process to enumerate running processes. On Linux and macOS, the ps command and /proc filesystem are used. ESXi supports ps and esxcli system process list. This technique is frequently used during post-exploitation to identify security tools, determine if analysis environments (sandboxes, AV) are present, find target processes for injection, and shape follow-on actions. Threat actors including Volt Typhoon, Turla, and numerous RAT families (WarzoneRAT, FELIXROOT) perform process discovery as a standard reconnaissance step.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1057 Process Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1057/
LogScale Detection Query
#event_simpleName = "ProcessRollup2"
| eval ImageLower = lower(ImageFileName)
| eval CommandLineLower = lower(CommandLine)
| eval ParentImageLower = lower(ParentBaseFileName)
| eval IsTasklist = if(
match(field=ImageLower, regex="(tasklist|pslist|proclist|tlist)\\.exe$"),
1, 0)
| eval IsWmicProcess = if(
match(field=ImageLower, regex="wmic\\.exe$")
AND match(field=CommandLineLower, regex="(process\\s+get|process\\s+list|process\\s+where|win32_process)"),
1, 0)
| eval IsPSGetProcess = if(
match(field=ImageLower, regex="(powershell|pwsh)\\.exe$")
AND match(field=CommandLineLower, regex="(get-process|get-wmiobject.+win32_process|get-ciminstance.+win32_process|\\[system\\.diagnostics\\.process\\]::getprocesses|gps\\s)"),
1, 0)
| eval IsProcessDiscovery = IsTasklist + IsWmicProcess + IsPSGetProcess
| where IsProcessDiscovery > 0
| eval IsSuspiciousParent = if(
match(field=ParentImageLower, regex="(wscript|cscript|mshta|rundll32|regsvr32|msbuild|installutil|certutil|bitsadmin)\\.exe"),
1, 0)
| eval IsVerboseEnum = if(
match(field=CommandLineLower, regex="(\\/v\\b|\\/fo|\\/svc|executablepath|commandline)"),
1, 0)
| eval RiskScore = IsTasklist + IsWmicProcess + IsPSGetProcess + IsSuspiciousParent + IsVerboseEnum
| table
@timestamp,
ComputerName,
UserName,
ImageFileName,
CommandLine,
ParentBaseFileName,
ParentCommandLine,
IsTasklist,
IsWmicProcess,
IsPSGetProcess,
IsSuspiciousParent,
IsVerboseEnum,
RiskScore
| sort type=string asc @timestampCrowdStrike Falcon LogScale (CQL) detection for T1057 Process Discovery using ProcessRollup2 events from the Falcon sensor. Evaluates ImageFileName and CommandLine for tasklist.exe, pslist.exe, wmic process enumeration, and PowerShell Get-Process/Get-WmiObject Win32_Process patterns. Enriches results with suspicious parent process and verbose enumeration flags and calculates a composite risk score.
Data Sources
Required Tables
False Positives & Tuning
- CrowdStrike Falcon RTR (Real Time Response) sessions where analysts run tasklist or PowerShell Get-Process during active investigations
- Enterprise endpoint management tools (Tanium, BigFix) that execute wmic or PowerShell process queries for compliance reporting
- Developer workstations running PowerShell scripts that include Get-Process to check for conflicting services before builds or deployments
Other platforms for T1057
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Tasklist Verbose Process Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=tasklist.exe, CommandLine='tasklist /v /fo csv'. Security Event ID 4688 (if command line auditing enabled). Sysmon Event ID 11: File Create for %TEMP%\proc_list.csv. Parent process will be cmd.exe or the shell running the test.
- Test 2WMIC Process Discovery with Executable Path
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'process get' and 'ExecutablePath'. WMI-Activity/Operational Event ID 5857/5861 for WMI query execution. Sysmon Event ID 11: File Create for %TEMP%\wmic_proc.csv.
- Test 3PowerShell Process Enumeration via Get-Process
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Process'. PowerShell ScriptBlock Log Event ID 4104 with full script content. Sysmon Event ID 11: File Create for the CSV output.
- Test 4Process Discovery via WMI CIM Instance (PowerShell)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-CimInstance Win32_Process'. PowerShell ScriptBlock Log Event ID 4104 showing the full query including security product name filter. WMI-Activity/Operational logs for CIM query execution.
- Test 5Linux Process Enumeration via ps with Full Detail
Expected signal: Auditd execve records (if configured with EXECVE audit rules): syscall=execve with argv containing 'ps', 'aux'. Linux syslog/auth.log may capture activity if PAM logging is enabled. On macOS, Unified Log entries with process=ps. Parent process will be the shell (bash/sh/zsh) used to run the test.
References (10)
- https://attack.mitre.org/techniques/T1057/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/tasklist
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
- https://secureworks.com/research/bronze-silhouette
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_tasklist_discovery.yml
- https://www.kaspersky.com/about/press-releases/2014_the-epic-turla-operation
- https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
- https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
Unlock Pro Content
Get the full detection package for T1057 including response playbook, investigation guide, and atomic red team tests.