Detect Process Discovery in Splunk
Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software and applications running on systems within the network. In Windows environments, adversaries use tools such as tasklist.exe, wmic process, and PowerShell Get-Process to enumerate running processes. On Linux and macOS, the ps command and /proc filesystem are used. ESXi supports ps and esxcli system process list. This technique is frequently used during post-exploitation to identify security tools, determine if analysis environments (sandboxes, AV) are present, find target processes for injection, and shape follow-on actions. Threat actors including Volt Typhoon, Turla, and numerous RAT families (WarzoneRAT, FELIXROOT) perform process discovery as a standard reconnaissance step.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1057 Process Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1057/
SPL Detection Query
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
| eval Image=lower(Image), CommandLine=lower(CommandLine), ParentImage=lower(ParentImage)
| eval IsTasklist=if(match(Image, "\\\\tasklist\.exe$"), 1, 0)
| eval IsWmicProcess=if(match(Image, "\\\\wmic\.exe$") AND match(CommandLine, "(process\s+get|process\s+list|process\s+where|win32_process)"), 1, 0)
| eval IsPSGetProcess=if((match(Image, "\\\\powershell\.exe$") OR match(Image, "\\\\pwsh\.exe$")) AND match(CommandLine, "(get-process|get-wmiobject\s+win32_process|get-ciminstance\s+win32_process|\[system\.diagnostics\.process\]::getprocesses|gps\s)"), 1, 0)
| eval IsProcessDiscovery=IsTasklist + IsWmicProcess + IsPSGetProcess
| where IsProcessDiscovery > 0
| eval SuspiciousParent=if(match(ParentImage, "(wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msbuild\.exe|installutil\.exe|certutil\.exe|bitsadmin\.exe)"), 1, 0)
| eval VerboseEnum=if(match(CommandLine, "(/v\b|/fo|/svc|executablepath|commandline|caption,executablepath)"), 1, 0)
| eval RiskScore=IsProcessDiscovery + SuspiciousParent + VerboseEnum
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsTasklist, IsWmicProcess, IsPSGetProcess, SuspiciousParent, VerboseEnum, RiskScore
| sort - _timeDetects process discovery activity using Sysmon Event ID 1 (Process Creation). Identifies tasklist.exe execution, wmic.exe with Win32_Process queries, and PowerShell Get-Process/Get-WmiObject invocations. Assigns a cumulative risk score based on discovery method, suspicious parent process, and verbose enumeration flags. Events spawned from scripting hosts (wscript.exe, mshta.exe) or LOLBins receive elevated risk scores, helping analysts prioritize post-exploitation activity over routine administrative use.
Data Sources
Required Sourcetypes
False Positives & Tuning
- IT administrators running tasklist or wmic process get for inventory, troubleshooting, or performance monitoring
- Endpoint Detection and Response (EDR) agents, antivirus software, and monitoring tools that periodically enumerate processes as part of their normal operation
- Software installers and update mechanisms that check for conflicting processes before installation
- Help desk and remote support tools that use tasklist or WMI to display running applications
- Developer tools, IDEs, and build pipelines that enumerate processes during debugging or profiling
- Vulnerability scanners and asset management platforms running authenticated scans
Other platforms for T1057
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Tasklist Verbose Process Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=tasklist.exe, CommandLine='tasklist /v /fo csv'. Security Event ID 4688 (if command line auditing enabled). Sysmon Event ID 11: File Create for %TEMP%\proc_list.csv. Parent process will be cmd.exe or the shell running the test.
- Test 2WMIC Process Discovery with Executable Path
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'process get' and 'ExecutablePath'. WMI-Activity/Operational Event ID 5857/5861 for WMI query execution. Sysmon Event ID 11: File Create for %TEMP%\wmic_proc.csv.
- Test 3PowerShell Process Enumeration via Get-Process
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Process'. PowerShell ScriptBlock Log Event ID 4104 with full script content. Sysmon Event ID 11: File Create for the CSV output.
- Test 4Process Discovery via WMI CIM Instance (PowerShell)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-CimInstance Win32_Process'. PowerShell ScriptBlock Log Event ID 4104 showing the full query including security product name filter. WMI-Activity/Operational logs for CIM query execution.
- Test 5Linux Process Enumeration via ps with Full Detail
Expected signal: Auditd execve records (if configured with EXECVE audit rules): syscall=execve with argv containing 'ps', 'aux'. Linux syslog/auth.log may capture activity if PAM logging is enabled. On macOS, Unified Log entries with process=ps. Parent process will be the shell (bash/sh/zsh) used to run the test.
References (10)
- https://attack.mitre.org/techniques/T1057/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/tasklist
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
- https://secureworks.com/research/bronze-silhouette
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_tasklist_discovery.yml
- https://www.kaspersky.com/about/press-releases/2014_the-epic-turla-operation
- https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
- https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
Unlock Pro Content
Get the full detection package for T1057 including response playbook, investigation guide, and atomic red team tests.