Detect Process Discovery in Microsoft Sentinel
Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software and applications running on systems within the network. In Windows environments, adversaries use tools such as tasklist.exe, wmic process, and PowerShell Get-Process to enumerate running processes. On Linux and macOS, the ps command and /proc filesystem are used. ESXi supports ps and esxcli system process list. This technique is frequently used during post-exploitation to identify security tools, determine if analysis environments (sandboxes, AV) are present, find target processes for injection, and shape follow-on actions. Threat actors including Volt Typhoon, Turla, and numerous RAT families (WarzoneRAT, FELIXROOT) perform process discovery as a standard reconnaissance step.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1057 Process Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1057/
KQL Detection Query
let ProcessDiscoveryTools = dynamic(["tasklist.exe", "pslist.exe", "proclist.exe", "tlist.exe"]);
let WmicProcessPatterns = dynamic(["process get", "process list", "process where", "win32_process"]);
let SuspiciousParents = dynamic([
"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
"mshta.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe", "installutil.exe",
"certutil.exe", "bitsadmin.exe", "wmic.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
FileName in~ (ProcessDiscoveryTools)
or (FileName =~ "wmic.exe" and ProcessCommandLine has_any (WmicProcessPatterns))
or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-Process", "get-process", "ps ", "gps ", "Get-WmiObject Win32_Process", "Get-CimInstance Win32_Process", "[System.Diagnostics.Process]::GetProcesses"))
or (FileName =~ "ps" and InitiatingProcessFileName has_any ("bash", "sh", "zsh", "python", "python3", "perl", "ruby"))
)
| extend IsKnownBadParent = InitiatingProcessFileName has_any (SuspiciousParents)
| extend IsPowerShellDiscovery = FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-Process", "Get-WmiObject Win32_Process", "Get-CimInstance Win32_Process")
| extend IsWmicDiscovery = FileName =~ "wmic.exe" and ProcessCommandLine has_any (WmicProcessPatterns)
| extend IsTasklistExec = FileName in~ (ProcessDiscoveryTools)
| extend HasVerboseFlag = ProcessCommandLine has_any ("/v", "/fo", "/svc", "ExecutablePath", "CommandLine")
| project
Timestamp, DeviceName, AccountName, AccountDomain,
FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessParentFileName,
IsKnownBadParent, IsPowerShellDiscovery, IsWmicDiscovery, IsTasklistExec, HasVerboseFlag
| sort by Timestamp descDetects process discovery activity using Microsoft Defender for Endpoint DeviceProcessEvents. Monitors for execution of tasklist.exe, wmic.exe with Win32_Process queries, PowerShell Get-Process/Get-WmiObject/Get-CimInstance cmdlets, and process enumeration launched from suspicious parent processes. Flags additional context indicators including verbose output flags (/v, /svc, ExecutablePath) that suggest adversaries seeking detailed process information for security tool detection or injection target selection.
Data Sources
Required Tables
False Positives & Tuning
- IT administrators running tasklist or wmic process get for inventory, troubleshooting, or performance monitoring
- Endpoint Detection and Response (EDR) agents, antivirus software, and monitoring tools (Datadog, SolarWinds, Nagios) that periodically enumerate processes as part of their normal operation
- Software installers and update mechanisms that check for conflicting processes before installation or during version upgrades
- Help desk and remote support tools (TeamViewer, ConnectWise, SolarWinds N-central) that use tasklist or WMI to display running applications to remote support agents
- Developer tools, IDEs (Visual Studio, JetBrains), and build pipelines that enumerate processes as part of debugging, profiling, or test orchestration
- Vulnerability scanners and asset management platforms running authenticated scans against endpoints
Other platforms for T1057
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Tasklist Verbose Process Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=tasklist.exe, CommandLine='tasklist /v /fo csv'. Security Event ID 4688 (if command line auditing enabled). Sysmon Event ID 11: File Create for %TEMP%\proc_list.csv. Parent process will be cmd.exe or the shell running the test.
- Test 2WMIC Process Discovery with Executable Path
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'process get' and 'ExecutablePath'. WMI-Activity/Operational Event ID 5857/5861 for WMI query execution. Sysmon Event ID 11: File Create for %TEMP%\wmic_proc.csv.
- Test 3PowerShell Process Enumeration via Get-Process
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Process'. PowerShell ScriptBlock Log Event ID 4104 with full script content. Sysmon Event ID 11: File Create for the CSV output.
- Test 4Process Discovery via WMI CIM Instance (PowerShell)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-CimInstance Win32_Process'. PowerShell ScriptBlock Log Event ID 4104 showing the full query including security product name filter. WMI-Activity/Operational logs for CIM query execution.
- Test 5Linux Process Enumeration via ps with Full Detail
Expected signal: Auditd execve records (if configured with EXECVE audit rules): syscall=execve with argv containing 'ps', 'aux'. Linux syslog/auth.log may capture activity if PAM logging is enabled. On macOS, Unified Log entries with process=ps. Parent process will be the shell (bash/sh/zsh) used to run the test.
References (10)
- https://attack.mitre.org/techniques/T1057/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/tasklist
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
- https://secureworks.com/research/bronze-silhouette
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_tasklist_discovery.yml
- https://www.kaspersky.com/about/press-releases/2014_the-epic-turla-operation
- https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
- https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
Unlock Pro Content
Get the full detection package for T1057 including response playbook, investigation guide, and atomic red team tests.