Detect Process Discovery in IBM QRadar
Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software and applications running on systems within the network. In Windows environments, adversaries use tools such as tasklist.exe, wmic process, and PowerShell Get-Process to enumerate running processes. On Linux and macOS, the ps command and /proc filesystem are used. ESXi supports ps and esxcli system process list. This technique is frequently used during post-exploitation to identify security tools, determine if analysis environments (sandboxes, AV) are present, find target processes for injection, and shape follow-on actions. Threat actors including Volt Typhoon, Turla, and numerous RAT families (WarzoneRAT, FELIXROOT) perform process discovery as a standard reconnaissance step.
MITRE ATT&CK
- Tactic: Discovery
- Technique: T1057 Process Discovery
- Canonical reference: https://attack.mitre.org/techniques/T1057/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
logsourcename(logsourceid) AS LogSource,
sourceip AS HostIP,
username AS UserName,
"Process Name" AS ProcessName,
"Command" AS CommandLine,
"Parent Process Name" AS ParentProcessName,
CASE
WHEN LOWER("Process Name") LIKE '%tasklist.exe%' THEN 1
WHEN LOWER("Process Name") LIKE '%pslist.exe%' THEN 1
WHEN LOWER("Process Name") LIKE '%proclist.exe%' THEN 1
WHEN LOWER("Process Name") LIKE '%tlist.exe%' THEN 1
ELSE 0
END AS IsTasklist,
CASE
WHEN LOWER("Process Name") LIKE '%wmic.exe%'
AND (LOWER("Command") LIKE '%process get%'
OR LOWER("Command") LIKE '%process list%'
OR LOWER("Command") LIKE '%process where%'
OR LOWER("Command") LIKE '%win32_process%')
THEN 1 ELSE 0
END AS IsWmicProcess,
CASE
WHEN (LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%')
AND (LOWER("Command") LIKE '%get-process%'
OR LOWER("Command") LIKE '%get-wmiobject%win32_process%'
OR LOWER("Command") LIKE '%get-ciminstance%win32_process%'
OR LOWER("Command") LIKE '%[system.diagnostics.process]::getprocesses%'
OR LOWER("Command") LIKE '%gps %')
THEN 1 ELSE 0
END AS IsPSGetProcess,
CASE
WHEN LOWER("Parent Process Name") LIKE '%wscript.exe%'
OR LOWER("Parent Process Name") LIKE '%cscript.exe%'
OR LOWER("Parent Process Name") LIKE '%mshta.exe%'
OR LOWER("Parent Process Name") LIKE '%rundll32.exe%'
OR LOWER("Parent Process Name") LIKE '%regsvr32.exe%'
OR LOWER("Parent Process Name") LIKE '%certutil.exe%'
OR LOWER("Parent Process Name") LIKE '%bitsadmin.exe%'
THEN 1 ELSE 0
END AS SuspiciousParent
FROM events
WHERE
(QIDNAME(qid) LIKE '%Process%Create%' OR eventid = 4688 OR eventid = 1)
AND (
LOWER("Process Name") LIKE '%tasklist.exe%'
OR LOWER("Process Name") LIKE '%pslist.exe%'
OR LOWER("Process Name") LIKE '%proclist.exe%'
OR LOWER("Process Name") LIKE '%tlist.exe%'
OR (
LOWER("Process Name") LIKE '%wmic.exe%'
AND (LOWER("Command") LIKE '%process get%'
OR LOWER("Command") LIKE '%process list%'
OR LOWER("Command") LIKE '%process where%'
OR LOWER("Command") LIKE '%win32_process%')
)
OR (
(LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%')
AND (LOWER("Command") LIKE '%get-process%'
OR LOWER("Command") LIKE '%get-wmiobject%win32_process%'
OR LOWER("Command") LIKE '%get-ciminstance%win32_process%'
OR LOWER("Command") LIKE '%[system.diagnostics.process]::getprocesses%')
)
)
ORDER BY starttime DESC
LAST 24 HOURS
Detects T1057 Process Discovery in IBM QRadar AQL by querying process creation events (Windows Event ID 4688 and Sysmon Event ID 1) for tasklist.exe, pslist.exe, wmic process enumeration, and PowerShell Get-Process/Win32_Process queries. It calculates per-row flags for the process-discovery tool and for a suspicious parent process, and enriches each row with log source metadata. Note that in AQL the time criterion (LAST 24 HOURS) is its own clause placed after ORDER BY, not a condition joined to the WHERE clause with AND.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise monitoring agents such as SCOM, Nagios NRPE, or Zabbix agents that enumerate processes for health checks
- Software deployment tools (SCCM, Ansible, Chef) that invoke wmic or tasklist to verify installation state
- Help desk remote support sessions where analysts use tasklist.exe or PowerShell Get-Process to triage user-reported issues
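To show how the query's flags behave on concrete telemetry and how the tuning above fits in, here is an added Python example (not part of the original page or the QRadar rule) that applies the same matching logic to constructed Sysmon Event ID 1 records and then suppresses rows whose parent process is an allowlisted monitoring or deployment agent. The sample events and the ALLOWLISTED_PARENTS list are constructed for illustration; the agent binary names in the allowlist are assumptions you would replace with what your own environment runs.

```python
import re

# Constructed sample process-creation events in Sysmon Event ID 1 shape (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "10.0.0.5", "user": "alice", "image": r"C:\Windows\System32\tasklist.exe",
     "cmd": "tasklist /v /fo csv", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "10.0.0.6", "user": "bob", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmd": "wmic process get ExecutablePath", "parent": r"C:\Windows\System32\mshta.exe"},
    {"host": "10.0.0.7", "user": "SYSTEM", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmd": "wmic process where name='ccmexec.exe' get state",
     "parent": r"C:\Windows\CCM\CcmExec.exe"},  # SCCM-style health check: tuning candidate
    {"host": "10.0.0.8", "user": "carol", "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmd": "pwsh -c Get-CimInstance Win32_Process | select Name", "parent": r"C:\Windows\explorer.exe"},
    {"host": "10.0.0.9", "user": "dave", "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe", "parent": r"C:\Windows\explorer.exe"},
]

# Same substring patterns as the AQL LIKE clauses, lower-cased.
TASKLIST_TOOLS = ("tasklist.exe", "pslist.exe", "proclist.exe", "tlist.exe")
WMIC_PROCESS_ARGS = ("process get", "process list", "process where", "win32_process")
PS_PROCESS_CMDS = ("get-process", "[system.diagnostics.process]::getprocesses")
PS_WMI_RE = re.compile(r"(get-wmiobject|get-ciminstance).*win32_process")  # LIKE '%get-...%win32_process%'
SUSPICIOUS_PARENTS = ("wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
                      "regsvr32.exe", "certutil.exe", "bitsadmin.exe")
# Hypothetical allowlist for the tuning section (SCCM / SCOM / NRPE / Zabbix agents); adjust per environment.
ALLOWLISTED_PARENTS = ("ccmexec.exe", "monitoringhost.exe", "nrpe.exe", "zabbix_agentd.exe")

def classify(ev):
    """Return the per-row flags the AQL query computes, or None when no discovery pattern matches."""
    image, cmd, parent = ev["image"].lower(), ev["cmd"].lower(), ev["parent"].lower()
    flags = {
        "IsTasklist": int(any(t in image for t in TASKLIST_TOOLS)),
        "IsWmicProcess": int("wmic.exe" in image and any(a in cmd for a in WMIC_PROCESS_ARGS)),
        "IsPSGetProcess": int(("powershell.exe" in image or "pwsh.exe" in image)
                              and (any(c in cmd for c in PS_PROCESS_CMDS) or bool(PS_WMI_RE.search(cmd)))),
        "SuspiciousParent": int(any(p in parent for p in SUSPICIOUS_PARENTS)),
    }
    if not (flags["IsTasklist"] or flags["IsWmicProcess"] or flags["IsPSGetProcess"]):
        return None  # mirrors the WHERE clause: row is not selected at all
    return flags

def hunt(events, allowlist=ALLOWLISTED_PARENTS):
    """Apply the detection, then drop rows whose parent is an allowlisted agent (the tuning step)."""
    hits = []
    for ev in events:
        flags = classify(ev)
        if flags is None or ev["parent"].lower().endswith(allowlist):
            continue
        hits.append({"HostIP": ev["host"], "UserName": ev["user"], **flags})
    return hits
```

Passing `allowlist=()` to `hunt` reproduces the untuned query, which is a quick way to measure how many rows a proposed exclusion removes before committing it to the rule.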
Other platforms for T1057
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Tasklist Verbose Process Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=tasklist.exe, CommandLine='tasklist /v /fo csv'. Security Event ID 4688 (if command line auditing enabled). Sysmon Event ID 11: File Create for %TEMP%\proc_list.csv. Parent process will be cmd.exe or the shell running the test.
- Test 2: WMIC Process Discovery with Executable Path
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'process get' and 'ExecutablePath'. WMI-Activity/Operational Event ID 5857/5861 for WMI query execution. Sysmon Event ID 11: File Create for %TEMP%\wmic_proc.csv.
- Test 3: PowerShell Process Enumeration via Get-Process
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Process'. PowerShell ScriptBlock Log Event ID 4104 with full script content. Sysmon Event ID 11: File Create for the CSV output.
- Test 4: Process Discovery via WMI CIM Instance (PowerShell)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-CimInstance Win32_Process'. PowerShell ScriptBlock Log Event ID 4104 showing the full query including security product name filter. WMI-Activity/Operational logs for CIM query execution.
- Test 5: Linux Process Enumeration via ps with Full Detail
Expected signal: Auditd execve records (if configured with EXECVE audit rules): syscall=execve with argv containing 'ps', 'aux'. Linux syslog/auth.log may capture activity if PAM logging is enabled. On macOS, Unified Log entries with process=ps. Parent process will be the shell (bash/sh/zsh) used to run the test.
References (10)
- https://attack.mitre.org/techniques/T1057/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/tasklist
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
- https://secureworks.com/research/bronze-silhouette
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_tasklist_discovery.yml
- https://www.kaspersky.com/about/press-releases/2014_the-epic-turla-operation
- https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
- https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/